# help please!



## wiwazevedo (Feb 20, 2008)

I lent the laptop to a friend
and it came back all messed up,
no admin rights.
Here's the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:16 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINNT\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Router\Router.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\mrofinu.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC41280C9D7DBE80DC744B6CDE39577AF10FB68AD6
O4 - HKLM\..\Run: [a8a28f57] rundll32.exe "C:\WINNT\system32\trrwylbi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [desktop_light.pxx] "C:\Program Files\Tavultesoft\Keyman Desktop Light 7.0\kmshell.exe"
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: http://messaging.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - http://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.73.133/activex/AMC.cab
O20 - AppInit_DLLs: C:\WINNT\system32\skuns.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINNT\system32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\profsyx.html

--
End of file - 7822 bytes



Thanks guys


----------



## ceewi1 (Feb 20, 2008)

Your system is quite badly infected.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Please download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to *C:\SDFix*

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in *Safe Mode* (tap F8 just before Windows starts to load and select Safe Mode from the list).

1. Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
2. Type *Y* to begin the cleanup process.
3. It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
4. Press any key and it will restart the PC.
5. When the PC restarts the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
6. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* (Report.txt will also be copied to Clipboard ready for posting back on the forum).
7. Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

Please post:

- The ComboFix log
- The SDFix log
- A new HijackThis log
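A small triage script for logs like the one posted above, added here as an illustration and not part of ceewi1's instructions or of HijackThis, ComboFix or SDFix: it parses the `On - ...` entries and flags the patterns visible in the posted log (policy lockouts, Trusted Zone additions, AppInit_DLLs injection, autoruns from unusual locations). The sample lines are constructed from the posted entries; the severity levels and the name-randomness heuristic are my own assumptions, not anything the tools compute.

```python
"""Triage helper for HijackThis-style entries (added example, not from the thread).
Applies defender heuristics for the entry types seen in the posted log:
policy lockouts (O6/O7), Trusted Zone (O15), AppInit_DLLs (O20), odd autoruns (O4).
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HEX_BLOB_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,}(?![0-9A-Fa-f])")
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\]+$", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
POLICY_RE = re.compile(r"(Disable\w+)=1")
ZONE_RE = re.compile(r"Trusted Zone: (\S+)(?: \((HKLM)\))?")

@dataclass
class Finding:
    code: str
    severity: str  # "high", "medium" or "low" (assumed scale)
    reason: str
    raw: str

def looks_random(name: str) -> bool:
    """Crude randomness test for an autorun name or file stem: digit-heavy, nearly
    vowel-free, or a long consonant run. A triage hint, not a verdict."""
    if len(name) < 6:
        return False
    letters = re.sub(r"[^A-Za-z]", "", name).lower()
    if len(letters) < 0.6 * len(name):                            # "a8a28f57"
        return True
    if sum(c in "aeiou" for c in letters) / len(letters) < 0.15:  # "trrwylbi"
        return True
    return re.search(r"[^aeiou]{5,}", letters) is not None        # "hcjmbhjp"

def _exe_path(cmd: str) -> str:
    """First token of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def check_run(body: str, raw: str) -> list:
    m = RUN_RE.match(body)
    if not m:
        return [Finding("O4", "low", "Run entry in an unexpected format", raw)]
    name, cmd = m.group("name"), m.group("cmd")
    exe, out = _exe_path(cmd), []
    if WINDIR_ROOT_RE.match(exe):   # legit autoruns live in system32 or Program Files
        out.append(Finding("O4", "high", f"autorun runs straight from the Windows root: {exe}", raw))
    if HEX_BLOB_RE.search(cmd):     # encoded configuration handed to the binary
        out.append(Finding("O4", "high", "autorun passes a long hex blob as its argument", raw))
    dll = RUNDLL_RE.search(cmd)     # with rundll32 the real payload is the DLL argument
    target = (dll.group(1) if dll else exe).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(name) or looks_random(target):
        out.append(Finding("O4", "medium", f"random-looking autorun [{name}] -> {target}", raw))
    return out

def check_entry(code: str, body: str, raw: str) -> list:
    if code == "O4":
        return check_run(body, raw)
    if code == "O6":
        return [Finding(code, "medium", "IE Control Panel policy restrictions present", raw)]
    if code == "O7" and (m := POLICY_RE.search(body)):
        return [Finding(code, "high", f"{m.group(1)} set by policy: user locked out of a system tool", raw)]
    if code == "O15" and (m := ZONE_RE.search(body)):
        scope, sev = ("machine-wide", "medium") if m.group(2) else ("current user", "low")
        return [Finding(code, sev, f"{m.group(1)} added to the IE Trusted Zone ({scope})", raw)]
    if code == "O20":   # AppInit_DLLs is loaded into every process that links user32.dll
        path = body.split(":", 1)[1].strip()
        note = "" if path.lower().endswith(".dll") else " (non-.dll extension)"
        return [Finding(code, "high", f"AppInit_DLLs injects {path} into every process{note}", raw)]
    return []

def triage(log: str) -> list:
    findings = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            findings.extend(check_entry(m.group("code"), m.group("body"), raw.strip()))
    return findings

def summarize(findings: list) -> dict:
    return {s: sum(f.severity == s for f in findings) for s in ("high", "medium", "low")}

# Constructed sample, modelled on entries in the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC41280C9D7DBE80DC744B6CDE39577AF10FB68AD6
O4 - HKLM\..\Run: [a8a28f57] rundll32.exe "C:\WINNT\system32\trrwylbi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O20 - AppInit_DLLs: C:\WINNT\system32\skuns.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""
```

Running `triage(SAMPLE_LOG)` leaves the two legitimate Run entries (ctfmon, Google toolbar) and the Apple service untouched and raises the mrofinu/rundll32/AppInit/DisableRegedit entries, which is the same set a human helper would ask to have removed.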


----------



## wiwazevedo (Feb 20, 2008)

Here is the ComboFix log:


ComboFix 08-02-20.2 - Eli 2008-02-20  3:00:30.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.424 [GMT -8:00]
Running from: C:\Documents and Settings\Eli\Desktop\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINNT\system32\ljjki.dll
C:\WINNT\system32\pmnmjgf.dll
C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Eli\Application Data\WinTouch
C:\Documents and Settings\Eli\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Eli\err.log
C:\onoes.exe
C:\Program Files\inetget2
C:\Program Files\Insider
C:\Program Files\ISM2
C:\Program Files\ISM2\adhydraupd.exe
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\Messenger\profsyx.html
C:\Program Files\outlook
C:\Program Files\outlook\outlook.exe
C:\Program Files\outlook\p.zip
C:\Program Files\outlook\v.tmp
C:\Program Files\Router
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\svhost
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\Program Files\WinAble
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fCOe
C:\Temp\fCOe\tOasF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\temp\tn3
C:\WINNT\b103.exe
C:\WINNT\b116.exe
C:\WINNT\b122.exe
C:\WINNT\b138.exe
C:\WINNT\b143.exe
C:\WINNT\b147.exe
C:\WINNT\b151.exe
C:\WINNT\b153.exe
C:\WINNT\cookies.ini
C:\WINNT\cs_cache.ini
C:\WINNT\Fonts\a.zip
C:\WINNT\mrofinu1188.exe
C:\WINNT\stem~1
C:\WINNT\system32\atmtd.dll._
C:\WINNT\system32\bronto.dll
C:\WINNT\system32\bszip.dll
C:\WINNT\system32\cmd.com
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\ehxuslxp.ini
C:\WINNT\system32\hkhdafli.ini
C:\WINNT\system32\iblywrrt.ini
C:\WINNT\system32\ikjjl.bak1
C:\WINNT\system32\ikjjl.bak2
C:\WINNT\system32\ikjjl.ini
C:\WINNT\system32\khfebay.dll
C:\WINNT\system32\lfjtvxxu.ini
C:\WINNT\system32\ljjki.dll
C:\WINNT\system32\lrjqslbu.dll
C:\WINNT\system32\MabryObj.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\msdtexch.dll
C:\WINNT\system32\msftedswc.dll
C:\WINNT\system32\mskvtns.dll
C:\WINNT\system32\netstat.com
C:\WINNT\system32\ngefidyd.ini
C:\WINNT\system32\nGpxx18
C:\WINNT\system32\nGpxx18\nGpxx182328.exe
C:\WINNT\system32\nmullsqt.dll
C:\WINNT\system32\nvs2.inf
C:\WINNT\system32\o09PrEz
C:\WINNT\system32\oTt02e
C:\WINNT\system32\oTt02e\oTt02e1065.exe
C:\WINNT\system32\pac.txt
C:\WINNT\system32\packet.dll
C:\WINNT\system32\ping.com
C:\WINNT\system32\pmnmjgf.dll
C:\WINNT\system32\protector.exe
C:\WINNT\system32\qbrjelci.dll
C:\WINNT\system32\regedit.com
C:\WINNT\system32\S1
C:\WINNT\system32\S2
C:\WINNT\system32\S4
C:\WINNT\system32\S6
C:\WINNT\system32\S7
C:\WINNT\system32\taskkill.com
C:\WINNT\system32\tasklist.com
C:\WINNT\system32\tracert.com
C:\WINNT\system32\trrwylbi.dll
C:\WINNT\system32\updppjai.dll
C:\WINNT\system32\vefstfde.dll
C:\WINNT\system32\vrenhr.dat
C:\WINNT\system32\vrenhr_nav.dat
C:\WINNT\system32\vrenhr_navps.dat
C:\WINNT\system32\win
C:\WINNT\system32\wnscpsv32.exe
C:\WINNT\system32\wpcap.dll
C:\WINNT\system32\ystem~1
C:\WINNT\system32\ystem~1\?ystem\
C:\WINNT\wr.txt
C:\WINNT\Fonts\'

----- BITS: Possible infected sites -----

hxxp://resources.zune.net
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NTIO256
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\ApiMon
-------\nm
-------\ntio256


(((((((((((((((((((((((((   Files Created from 2008-01-20 to 2008-02-20  )))))))))))))))))))))))))))))))
.

2008-02-19 21:41 . 2008-02-19 21:41	<DIR>	d--------	C:\Program Files\Trend Micro
2008-02-17 16:53 . 2008-02-17 16:53	<DIR>	d--------	C:\Program Files\xInsIDE
2008-02-16 16:49 . 2008-02-16 16:50	<DIR>	d--------	C:\Program Files\Any Video Converter Professional
2008-02-16 16:49 . 2008-02-16 17:56	<DIR>	d--------	C:\Documents and Settings\Eli\Application Data\Any Video Converter Professional
2008-02-16 16:17 . 2008-02-16 16:17	147,456	--a------	C:\WINNT\system32\vbzip10.dll
2008-02-16 11:28 . 2008-02-16 11:28	<DIR>	d--------	C:\Program Files\Any Video Converter
2008-02-16 11:28 . 2008-02-16 12:33	<DIR>	d--------	C:\Documents and Settings\Eli\Application Data\Any Video Converter
2008-02-14 22:09 . 2008-02-14 22:09	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Tavultesoft
2008-02-14 22:04 . 2008-02-14 22:04	<DIR>	d--------	C:\Program Files\Common Files\Tavultesoft
2008-02-14 22:03 . 2008-02-14 22:04	<DIR>	d--------	C:\Program Files\Tavultesoft
2008-02-14 22:01 . 2008-02-14 22:02	<DIR>	d--------	C:\Program Files\Microsoft Silverlight
2008-02-14 21:35 . 2008-02-14 21:38	<DIR>	d--------	C:\Program Files\AIM Invader
2008-02-11 20:43 . 2008-02-11 20:43	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\acccore
2008-02-11 19:56 . 2008-02-13 07:45	1,374	--a------	C:\WINNT\imsins.BAK
2008-02-09 03:34 . 2008-02-15 18:54	54,156	--ah-----	C:\WINNT\QTFont.qfn
2008-02-09 03:34 . 2008-02-09 03:34	1,409	--a------	C:\WINNT\QTFont.for
2008-02-05 07:46 . 2008-02-05 07:46	<DIR>	d--------	C:\windows
2008-02-05 01:37 . 2008-02-17 20:44	<DIR>	d--------	C:\Program Files\Counter-Strike 1.6
2008-01-31 23:00 . 2008-01-31 23:02	<DIR>	d--------	C:\Program Files\AIM6

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 17:41	---------	d-----w	C:\Documents and Settings\Eli\Application Data\LimeWire
2008-02-16 07:44	---------	d-----w	C:\Program Files\Zune
2008-02-12 12:38	---------	d-----w	C:\Program Files\AIM
2008-02-12 12:28	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-02-11 22:37	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-02-03 17:09	---------	d-----w	C:\Program Files\Bulent's Screen Recorder 4
2008-02-01 07:01	---------	d-----w	C:\Program Files\Viewpoint
2008-02-01 07:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-01 07:00	---------	d-----w	C:\Program Files\Common Files\AOL
2008-02-01 07:00	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL
2008-01-27 01:15	---------	d-----w	C:\Documents and Settings\Eli\Application Data\Apple Computer
2008-01-13 21:46	165	----a-w	C:\Program Files\fun_maze_cbble.txt
2008-01-12 10:53	518,204	----a-w	C:\Program Files\fun_maze_cbble.bsp
2007-12-26 08:55	0	---ha-w	C:\WINNT\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-26 08:55	0	---ha-w	C:\WINNT\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2006-07-01 21:38	70,920	----a-w	C:\Documents and Settings\Eli\Application Data\GDIPFONTCACHEV1.DAT
2006-06-17 05:59	70,920	----a-w	C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2006-06-09 04:12	70,920	----a-w	C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-01-10 22:35	69,984	----a-w	C:\Documents and Settings\All Users\Application Data\GDIPFONTCACHEV1.DAT
2004-08-04 08:56	561,179	----a-w	C:\Program Files\Common Files\dao360.dll
1998-04-27 07:00	570,128	----a-w	C:\Program Files\Common Files\DAO350.DLL
2004-02-29 01:42	32	--sha-w	C:\WINNT\{5A1DE60E-63D4-411F-819C-8A27E968C34B}.dat
2004-02-29 01:44	32	--sha-w	C:\WINNT\{77F34DDC-BE64-4C66-968A-710FD450DF9B}.dat
2004-02-29 01:42	32	--sha-w	C:\WINNT\{9383845D-FCDF-4F3E-B9ED-6D7A80014D9B}.dat
2004-02-29 01:43	32	--sha-w	C:\WINNT\{9AB54738-7DF1-4C00-9904-724052B1CBA3}.dat
2004-02-29 01:42	32	--sha-w	C:\WINNT\{B473FFAC-ADCC-4471-ACAB-22211CD3B66C}.dat
2004-02-29 01:44	32	--sha-w	C:\WINNT\{B83C3FD1-AF69-4C98-860F-8B93571A7A20}.dat
2007-10-19 13:26	8,434	--sha-w	C:\WINNT\system32\rrrqr.bak1
2007-10-19 22:11	6,717	--sha-w	C:\WINNT\system32\rrrqr.bak2
2007-10-20 09:38	7,666	--sha-w	C:\WINNT\system32\rrrqr.ini2
2004-02-29 01:44	32	--sha-w	C:\WINNT\system32\{4ED47025-B944-4999-B941-BA0A8CCD7C5C}.dat
2004-02-29 01:42	32	--sha-w	C:\WINNT\system32\{9D4A8C51-12B5-4B1B-B280-4A82ADDC6A20}.dat
2004-02-29 01:43	32	--sha-w	C:\WINNT\system32\{B4E78FFD-5507-47A5-AABD-7063002FED4B}.dat
2004-02-29 01:42	32	--sha-w	C:\WINNT\system32\{BFE21B32-E04B-47C5-B65E-E7678177DA9D}.dat
2004-02-29 01:44	32	--sha-w	C:\WINNT\system32\{C3FFBBD3-535C-4BB1-B187-47AD9BAC05D8}.dat
2004-02-29 01:42	32	--sha-w	C:\WINNT\system32\{FAF8EF9A-AE41-4381-8369-AB595EC8BC08}.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
			C:\Program Files\ISM\BndDrive7.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-29 15:10 68856]
"desktop_light.pxx"="C:\Program Files\Tavultesoft\Keyman Desktop Light 7.0\kmshell.exe" [2007-11-27 14:49 1288048]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-17 16:53 53248]
"Router"="C:\Program Files\Router\Router.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjjhf]
jkkjjhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrr]
C:\WINNT\system32\rqrrr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINNT\System32\LgNotify.dll 2003-02-28 14:01 110592 C:\WINNT\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages	REG_MULTI_SZ   	scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINNT\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINNT\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINNT\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
backup=C:\WINNT\pss\autos.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu.lnk
backup=C:\WINNT\pss\eFax Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINNT\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINNT\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=C:\WINNT\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RingCentral Call Controller.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RingCentral Call Controller.lnk
backup=C:\WINNT\pss\RingCentral Call Controller.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINNT\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eli^Start Menu^Programs^Startup^infos.exe]
path=C:\Documents and Settings\Eli\Start Menu\Programs\Startup\infos.exe
backup=C:\WINNT\pss\infos.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eli^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Eli\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINNT\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-03 16:50 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVSystemCare]
C:\Program Files\AVSystemCare\pgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-06-04 18:05 116328 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClientGW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost]
--a------ 2007-11-18 15:59 16384 C:\WINNT\devadwp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eSnips]
C:\PROGRA~1\eSnips\ClientGW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
--a------ 2003-11-05 10:23 303180 C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2002-08-14 15:21 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
C:\WINNT\system32\cnsqknxo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-10-02 12:19 118784 C:\WINNT\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-01-30 18:55 196608 C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
--a------ 2003-01-30 18:55 311296 C:\WINNT\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINNT\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplorer]
C:\WINNT\system32\iexplorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-10-02 12:37 155648 C:\WINNT\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 06:03 81920 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-28 08:14 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjodxn]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lwxbkua]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msia]
C:\WINNT\system32\YSTEM~1\tracert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-06-25 21:00 771440 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.0.3.16\InstallStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Projector Manager]
C:\Program Files\InFocus\Projector Manager\Projmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule9]
C:\Program Files\QdrModule\QdrModule9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
C:\Program Files\QdrPack\QdrPack9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qekyamxdvg]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 08:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
--a------ 2006-05-02 16:48 14848 C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
C:\Documents and Settings\Eli\Application Data\Microsoft\Windows\rayiou.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simple Star PhotoShow Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smwenmxamy]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
C:\Program Files\SpywareBot\SpywareBot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startkey]
C:\WINNT\_system32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-03-29 15:10 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2003-01-02 18:11 577536 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2003-01-02 18:12 126976 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufhmbhqg]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
C:\WINNT\system32\winter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINNT\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdyjrdxxusfhk]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\whttqurheltf]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
C:\WINNT\wupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 17:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
C:\winstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Documents and Settings\Eli\Application Data\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wpknfgqwxj]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrraekunyuaj]
C:\WINNT\System32\hcjmbhjp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPIAgent5"=2 (0x2)
"SAVScan"=3 (0x3)
"gusvc"=2 (0x2)
"SQLAgent$PARAMOUNT"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$PARAMOUNT"=2 (0x2)
"iPod Service"=3 (0x3)
"Speed Disk service"=2 (0x2)
"NProtectService"=2 (0x2)
"GhostStartService"=2 (0x2)

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R1 oreans32;oreans32;C:\WINNT\system32\drivers\oreans32.sys [2006-09-07 16:52]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINNT\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINNT\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINNT\system32\drivers\hphius09.sys [2003-01-30 18:55]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Bots\GameGuard\dump_wmimmc.sys []
S3 IFCUSB;IFCUSB;C:\WINNT\system32\drivers\IFCUSB.SYS [2001-05-22 21:55]
S3 NPDriver;Norton Unerase Protection Driver;C:\WINNT\System32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINNT\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]
S4 MSSQL$PARAMOUNT;MSSQL$PARAMOUNT;C:\Program Files\Microsoft SQL Server\MSSQL$PARAMOUNT\Binn\sqlservr.exe [2002-12-17 17:26]
S4 SQLAgent$PARAMOUNT;SQLAgent$PARAMOUNT;C:\Program Files\Microsoft SQL Server\MSSQL$PARAMOUNT\Binn\sqlagent.EXE [2002-12-17 17:23]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-14 20:45:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-20 11:48:39 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-12 04:00:00 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - Eli.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-02 01:30:00 C:\WINNT\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-20 11:00:00 C:\WINNT\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
"2008-02-16 00:00:00 C:\WINNT\Tasks\{271C803A-1298-428D-ADB0-440CC94F98D3}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
"2008-02-20 00:00:00 C:\WINNT\Tasks\{2D186DD2-FA0F-48F7-A7DD-1473C92EB67A}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
"2008-02-19 17:00:00 C:\WINNT\Tasks\{A7FD14B9-2705-4CE2-A53C-23060B45984D}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 04:00:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
.
**************************************************************************
.
Completion time: 2008-02-20  4:07:01 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-20 12:06:56
.
2008-02-14 20:25:36	--- E O F ---


----------



## wiwazevedo (Feb 20, 2008)

Here is the SDFix log:



*SDFix: Version 1.144*

Run by Eli on Wed 02/20/2008 at 04:16 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services*:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


*Checking Files*: 

Trojan Files Found:

C:\PROGRA~1\MESSEN~1\LAVUK183 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK351 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK403 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK423 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK628 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK981 - Deleted
C:\PROGRA~1\MESSEN~1\LAVUK987 - Deleted
C:\Program Files\xInsIDE\xInsIDE.exe - Deleted
C:\WINNT\tsitra572.exe.tmp - Deleted
C:\WINNT\Fonts\Setup.exe  - Deleted
C:\WINNT\system32\rerolpxei.le  - Deleted



Folder C:\Program Files\xInsIDE - Removed


Removing Temp Files...

*ADS Check*:



*Final Check*:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 04:54:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:8c2bd29a
"s1"=dword:7eede99c
"s2"=dword:4ca776ef
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:33,e6,ca,a4,d6,56,c8,ce,72,1b,36,47,a7,8b,2a,d8,95,df,c0,de,2f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:33,e6,ca,a4,d6,56,c8,ce,72,1b,36,47,a7,8b,2a,d8,95,df,c0,de,2f,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services*:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

*Remaining Files*:


File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes*:

Fri 24 Sep 2004        33,280 A..H. --- "C:\Data\stuff\~WRL0057.tmp"
Fri  7 Sep 2007         7,559 A.SH. --- "C:\WINNT\system32\rrrqr.tmp"
Fri 19 Oct 2007         8,434 A.SH. --- "C:\WINNT\system32\rrrqr.bak1"
Fri 19 Oct 2007         6,717 A.SH. --- "C:\WINNT\system32\rrrqr.bak2"
Sat 16 Jun 2007     1,644,119 A.SH. --- "C:\WINNT\system32\vxyxx.tmp"
Fri  4 Mar 2005        41,472 A..H. --- "C:\Data\Family\Kimba\~WRL1167.tmp"
Sun 16 Jul 2006         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 10 Mar 2006        30,208 A..H. --- "C:\Data\work\Real Estate\Forms\~WRL3441.tmp"
Tue 26 Nov 2002        25,600 A..H. --- "C:\Data\work\Real Estate\Marketing\~WRL0004.tmp"
Wed 26 Dec 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 12 Dec 2003        24,064 A..H. --- "C:\Data\work\Real Estate\Clients\Beck\~WRL0002.tmp"
Mon 15 Mar 2004         6,838 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp"
Sun  7 Mar 2004         8,246 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp"
Sun  7 Mar 2004         8,246 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp"
Wed 14 Aug 2002        65,088 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM"
Wed 14 Aug 2002        12,732 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM"
Wed 14 Aug 2002        26,424 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM"
Wed 14 Aug 2002        28,062 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM"
Wed 14 Aug 2002        10,710 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM"
Wed 14 Aug 2002        10,083 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM"
Wed 14 Aug 2002        10,257 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM"
Wed 14 Aug 2002        29,499 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM"
Wed 14 Aug 2002        12,660 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM"
Wed 14 Aug 2002        11,031 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM"
Wed 14 Aug 2002        17,952 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM"
Wed 14 Aug 2002         9,424 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM"
Wed 14 Aug 2002         7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM"
Wed 14 Aug 2002        13,673 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM"
Wed 14 Aug 2002        14,438 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM"
Wed 14 Aug 2002         7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM"
Wed 14 Aug 2002         7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM"
Wed 14 Aug 2002         7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM"
Wed 14 Aug 2002         7,243 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM"
Wed 14 Aug 2002        24,767 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM"
Wed 14 Aug 2002         7,463 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM"
Wed 14 Aug 2002         7,825 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM"
Wed 14 Aug 2002        10,286 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM"
Wed 14 Aug 2002        25,460 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM"
Wed 14 Aug 2002        28,866 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM"
Wed 14 Aug 2002        14,438 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM"
Wed 14 Aug 2002         8,544 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys"
Wed 14 Aug 2002        33,149 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys"
Wed 28 May 2003        51,150 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS"
Wed 14 Aug 2002        35,340 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS"
Wed 14 Aug 2002        14,378 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS"
Wed 14 Aug 2002        37,984 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS"
Wed 14 Aug 2002        44,828 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS"
Wed 14 Aug 2002        29,628 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS"
Wed 28 May 2003        52,106 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS"
Wed 14 Aug 2002        49,242 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS"
Wed 14 Aug 2002        50,606 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS"
Wed 14 Aug 2002       161,792 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS"
Wed 14 Aug 2002       174,080 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys"
Wed 14 Aug 2002        21,971 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS"
Wed 14 Aug 2002        30,955 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS"
Wed 14 Aug 2002       202,517 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE"
Wed 14 Aug 2002       374,038 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE"
Wed 14 Aug 2002        22,158 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS"
Wed 14 Aug 2002         1,608 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM"
Wed 14 Aug 2002        15,345 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS"
Wed 14 Aug 2002         7,840 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS"
Wed 14 Aug 2002        56,821 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE"
Wed 14 Aug 2002        64,425 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS"
Wed 14 Aug 2002        32,396 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE"
Wed 14 Aug 2002        14,160 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS"
Wed 14 Aug 2002        10,898 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM"
Wed 14 Aug 2002        53,556 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS"
Wed 14 Aug 2002        15,777 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM"
Wed 14 Aug 2002        37,681 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM"
Wed 14 Aug 2002       354,304 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys"
Wed 14 Aug 2002        21,180 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE"
Wed 14 Aug 2002       354,263 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe"
Wed 14 Aug 2002         8,513 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM"
Wed 14 Aug 2002        41,302 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS"
Wed 14 Aug 2002       129,240 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE"
Wed 14 Aug 2002        28,439 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com"
Wed 14 Aug 2002        13,770 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE"
Wed 14 Aug 2002       130,980 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE"
Wed 14 Aug 2002        11,854 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM"
Wed 14 Aug 2002        52,715 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM"
Wed 14 Aug 2002        62,391 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM"
Wed 14 Aug 2002        11,491 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com"
Wed 14 Aug 2002        17,791 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com"
Wed 14 Aug 2002        17,043 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com"
Wed 14 Aug 2002        11,786 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com"
Wed 14 Aug 2002        18,300 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com"
Wed 14 Aug 2002        48,224 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com"
Wed 14 Aug 2002        13,360 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com"
Wed 14 Aug 2002         9,190 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com"
Wed 14 Aug 2002        12,567 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com"
Wed 14 Aug 2002        44,640 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM"
Wed 14 Aug 2002        56,896 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com"
Wed 14 Aug 2002        44,640 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com"
Wed 14 Aug 2002         9,692 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com"
Wed 14 Aug 2002         9,537 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM"
Wed 14 Aug 2002        32,484 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com"
Wed 14 Aug 2002        52,225 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe"
Wed 14 Aug 2002        48,491 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe"
Wed 14 Aug 2002        50,405 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com"
Wed 14 Aug 2002        33,860 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe"
Wed 14 Aug 2002        50,175 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe"
Wed 14 Aug 2002        50,795 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe"
Wed 14 Aug 2002        48,223 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com"
Wed 14 Aug 2002        48,641 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe"
Wed 14 Aug 2002        49,015 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com"
Wed 14 Aug 2002        53,786 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com"
Wed 14 Aug 2002        44,240 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM"
Wed 14 Aug 2002        42,550 A..H. --- "C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM"

*Finished!*




Here is the new HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:26 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINNT\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [desktop_light.pxx] "C:\Program Files\Tavultesoft\Keyman Desktop Light 7.0\kmshell.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: http://messaging.myspace.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - http://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.73.133/activex/AMC.cab
O20 - Winlogon Notify: jkkjjhf - jkkjjhf.dll (file missing)
O20 - Winlogon Notify: rqrrr - C:\WINNT\system32\rqrrr.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINNT\system32\HPHipm09.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7540 bytes


----------



## ceewi1 (Feb 21, 2008)

We're making progress, but there's still work to be done.

Your logfile shows signs of *Viewpoint Manager.*
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. It is known to be intrusive, but there is some possibility that it is now being used by those companies to give them info about your habits. It is not considered spyware since this is not clear, but I would not tolerate it on my machine if I didn't install it.

I suggest you remove it. To do so, click on *Start* -> *Control Panel* -> *Add or Remove Programs*. Click on *Viewpoint Manager* and click *Remove*.


Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:


```
File::
C:\WINNT\system32\rrrqr.bak1
C:\WINNT\system32\rrrqr.bak2
C:\WINNT\system32\rrrqr.ini2
C:\WINNT\devadwp.exe
C:\WINNT\Tasks\SpywareBot Scheduled Scan.job

Folder::
C:\Program Files\SpywareBot

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjjhf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrr]
[-HKLM\~\startupfolder\C:^Documents and Settings^Eli^Start Menu^Programs^Startup^infos.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVSystemCare]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iexplorer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjodxn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lwxbkua]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msia]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qekyamxdvg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smwenmxamy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startkey]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ufhmbhqg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdyjrdxxusfhk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\whttqurheltf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wpknfgqwxj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrraekunyuaj]
```

Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries:
*O15 - Trusted Zone: http://click.getmirar.com (HKLM)*
*O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)*
*O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)*
*O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)*

If you chose to remove Viewpoint Manager, please also check the following entry (if still present):

*O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe*

Please close all open windows except for HijackThis and choose *Fix checked*.

While there are a number of Symantec entries in your log, they don't indicate the presence of an active anti-virus program.  

If you don't have an active antivirus program, please download one of the following *free* antivirus clients and allow it to run a full scan before proceeding: AVG, AntiVir or avast!.

Please reboot your PC and post:
- The ComboFix log
- A new HijackThis log
- An update on how your PC is running now

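The checks ceewi1 applies by hand above (sites added to the Trusted Zone, services with no company name, autostart entries with random-looking names or executables dropped straight into the Windows directory) can be expressed as a small triage script. The following is an added example for this thread, not code from any post or from HijackThis; the regexes, the `looks_random` heuristic and its thresholds, and the `[lwxbkua] -> C:\WINNT\devadwp.exe` pairing in the sample log are assumptions made for the example, while the O15 and O23 sample lines are copied from the logs in this thread.

```python
# Added triage example, written for this thread and not part of any post or of
# HijackThis itself. It parses HijackThis-style "Oxx - ..." lines and applies
# three review checks that mirror what ceewi1 asked for in the post above:
#   O15  any site added to Internet Explorer's Trusted Zone
#   O23  a service whose company field reads "Unknown owner"
#   O4   an autostart whose name looks random, or whose executable sits
#        directly in the Windows directory root rather than a subfolder
# Hits are review items, not verdicts: "Symantec Core LC" below is legitimate.
import re
from dataclasses import dataclass


@dataclass
class Entry:
    section: str  # "O4", "O15", "O23", ...
    body: str     # text after "Oxx - "


ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.+)$")
TRUSTED_RE = re.compile(r"Trusted Zone:\s*(\S+)")
SERVICE_RE = re.compile(r"Service:\s*(.+?)\s+-\s+(.+?)\s+-\s+(.+)$")
RUN_RE = re.compile(r"\[(.+?)\]\s+(.+)$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{5,}")
# Executable directly under C:\WINNT or C:\WINDOWS, with no subfolder.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\[^\\\s]+\.exe\b", re.I)


def parse_log(text: str) -> list:
    """Keep only classified entries; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def looks_random(name: str) -> bool:
    # Coarse heuristic (assumed thresholds): an all-lowercase alphabetic name of
    # 6+ letters with a run of 5+ consonants. Catches lwxbkua-style names from
    # the CFScript above, misses some (jjodxn) and can hit real names, so it
    # only marks an entry for review.
    return (name.isalpha() and name.islower() and len(name) >= 6
            and CONSONANT_RUN.search(name) is not None)


def in_windows_root(path: str) -> bool:
    return WINDIR_ROOT_RE.match(path) is not None


def triage(entries: list) -> list:
    """Return (check, detail) tuples in log order."""
    findings = []
    for e in entries:
        if e.section == "O15":
            m = TRUSTED_RE.search(e.body)
            if m:
                findings.append(("trusted-zone", m.group(1)))
        elif e.section == "O23":
            m = SERVICE_RE.match(e.body)
            if m and m.group(2) == "Unknown owner":
                findings.append(("service-no-company", m.group(3)))
        elif e.section == "O4":
            m = RUN_RE.search(e.body)
            if not m:
                continue
            name, path = m.group(1), m.group(2)
            if looks_random(name):
                findings.append(("random-name", name))
            if in_windows_root(path):
                findings.append(("exe-in-windir-root", path))
    return findings


# Constructed sample: the O15/O23 lines are taken from the logs in this thread;
# the [lwxbkua] -> devadwp.exe pairing is made up to exercise the O4 checks.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKLM\..\Run: [lwxbkua] C:\WINNT\devadwp.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

if __name__ == "__main__":
    for check, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{check:20} {detail}")
```

Run on the sample it reports the two Trusted Zone sites, the "Unknown owner" service (which a reviewer then clears as a Symantec component), and both O4 signals for the constructed entry; the ctfmon.exe and LiveUpdate lines pass. The point of the Trusted Zone check is that sites in that zone run with reduced Internet Explorer restrictions, which is why ceewi1 has them removed regardless of what the domains host.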

----------



## wiwazevedo (Feb 21, 2008)

ComboFix 08-02-20.2 - Eli 2008-02-20 20:07:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.442 [GMT -8:00]
Running from: C:\Documents and Settings\Eli\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eli\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-20 04:13 . 2008-02-20 04:13 <DIR> d-------- C:\WINNT\ERUNT
2008-02-20 04:08 . 2008-02-20 05:06 <DIR> d-------- C:\SDFix
2008-02-19 21:41 . 2008-02-19 21:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 16:49 . 2008-02-16 16:50 <DIR> d-------- C:\Program Files\Any Video Converter Professional
2008-02-16 16:49 . 2008-02-16 17:56 <DIR> d-------- C:\Documents and Settings\Eli\Application Data\Any Video Converter Professional
2008-02-16 16:17 . 2008-02-16 16:17 147,456 --a------ C:\WINNT\system32\vbzip10.dll
2008-02-16 11:28 . 2008-02-16 11:28 <DIR> d-------- C:\Program Files\Any Video Converter
2008-02-16 11:28 . 2008-02-16 12:33 <DIR> d-------- C:\Documents and Settings\Eli\Application Data\Any Video Converter
2008-02-14 22:09 . 2008-02-14 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tavultesoft
2008-02-14 22:04 . 2008-02-14 22:04 <DIR> d-------- C:\Program Files\Common Files\Tavultesoft
2008-02-14 22:03 . 2008-02-14 22:04 <DIR> d-------- C:\Program Files\Tavultesoft
2008-02-14 22:01 . 2008-02-14 22:02 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-14 21:35 . 2008-02-14 21:38 <DIR> d-------- C:\Program Files\AIM Invader
2008-02-11 20:43 . 2008-02-11 20:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-02-11 19:56 . 2008-02-13 07:45 1,374 --a------ C:\WINNT\imsins.BAK
2008-02-09 03:34 . 2008-02-15 18:54 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-02-09 03:34 . 2008-02-09 03:34 1,409 --a------ C:\WINNT\QTFont.for
2008-02-05 07:46 . 2008-02-05 07:46 <DIR> d-------- C:\windows
2008-02-05 01:37 . 2008-02-17 20:44 <DIR> d-------- C:\Program Files\Counter-Strike 1.6
2008-01-31 23:00 . 2008-01-31 23:02 <DIR> d-------- C:\Program Files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-21 03:50 --------- d-----w C:\Program Files\Viewpoint
2008-02-17 17:41 --------- d-----w C:\Documents and Settings\Eli\Application Data\LimeWire
2008-02-16 07:44 --------- d-----w C:\Program Files\Zune
2008-02-12 12:38 --------- d-----w C:\Program Files\AIM
2008-02-12 12:28 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-11 22:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-03 17:09 --------- d-----w C:\Program Files\Bulent's Screen Recorder 4
2008-02-01 07:00 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-01 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-27 01:15 --------- d-----w C:\Documents and Settings\Eli\Application Data\Apple Computer
2008-01-13 21:46 165 ----a-w C:\Program Files\fun_maze_cbble.txt
2008-01-12 10:53 518,204 ----a-w C:\Program Files\fun_maze_cbble.bsp
2007-12-26 08:55 0 ---ha-w C:\WINNT\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-26 08:55 0 ---ha-w C:\WINNT\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2006-07-01 21:38 70,920 ----a-w C:\Documents and Settings\Eli\Application Data\GDIPFONTCACHEV1.DAT
2006-06-17 05:59 70,920 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2006-06-09 04:12 70,920 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-01-10 22:35 69,984 ----a-w C:\Documents and Settings\All Users\Application Data\GDIPFONTCACHEV1.DAT
2004-08-04 08:56 561,179 ----a-w C:\Program Files\Common Files\dao360.dll
1998-04-27 07:00 570,128 ----a-w C:\Program Files\Common Files\DAO350.DLL
2004-02-29 01:42 32 --sha-w C:\WINNT\{5A1DE60E-63D4-411F-819C-8A27E968C34B}.dat
2004-02-29 01:44 32 --sha-w C:\WINNT\{77F34DDC-BE64-4C66-968A-710FD450DF9B}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\{9383845D-FCDF-4F3E-B9ED-6D7A80014D9B}.dat
2004-02-29 01:43 32 --sha-w C:\WINNT\{9AB54738-7DF1-4C00-9904-724052B1CBA3}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\{B473FFAC-ADCC-4471-ACAB-22211CD3B66C}.dat
2004-02-29 01:44 32 --sha-w C:\WINNT\{B83C3FD1-AF69-4C98-860F-8B93571A7A20}.dat
2007-10-19 13:26 8,434 --sha-w C:\WINNT\system32\rrrqr.bak1
2007-10-19 22:11 6,717 --sha-w C:\WINNT\system32\rrrqr.bak2
2007-10-20 09:38 7,666 --sha-w C:\WINNT\system32\rrrqr.ini2
2004-02-29 01:44 32 --sha-w C:\WINNT\system32\{4ED47025-B944-4999-B941-BA0A8CCD7C5C}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\system32\{9D4A8C51-12B5-4B1B-B280-4A82ADDC6A20}.dat
2004-02-29 01:43 32 --sha-w C:\WINNT\system32\{B4E78FFD-5507-47A5-AABD-7063002FED4B}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\system32\{BFE21B32-E04B-47C5-B65E-E7678177DA9D}.dat
2004-02-29 01:44 32 --sha-w C:\WINNT\system32\{C3FFBBD3-535C-4BB1-B187-47AD9BAC05D8}.dat
2004-02-29 01:42 32 --sha-w C:\WINNT\system32\{FAF8EF9A-AE41-4381-8369-AB595EC8BC08}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-29 15:10 68856]
"desktop_light.pxx"="C:\Program Files\Tavultesoft\Keyman Desktop Light 7.0\kmshell.exe" [2007-11-27 14:49 1288048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINNT\System32\LgNotify.dll 2003-02-28 14:01 110592 C:\WINNT\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINNT\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINNT\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINNT\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
backup=C:\WINNT\pss\autos.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu.lnk
backup=C:\WINNT\pss\eFax Tray Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINNT\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINNT\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINNT\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=C:\WINNT\pss\Live Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RingCentral Call Controller.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RingCentral Call Controller.lnk
backup=C:\WINNT\pss\RingCentral Call Controller.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINNT\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eli^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Eli\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINNT\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-03 16:50 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-06-04 18:05 116328 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClientGW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eSnips]
C:\PROGRA~1\eSnips\ClientGW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
--a------ 2003-11-05 10:23 303180 C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a------ 2002-08-14 15:21 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-10-02 12:19 118784 C:\WINNT\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-01-30 18:55 196608 C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
--a------ 2003-01-30 18:55 311296 C:\WINNT\system32\hphmon03.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINNT\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-10-02 12:37 155648 C:\WINNT\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-08-09 06:03 81920 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-28 08:14 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-06-25 21:00 771440 C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.0.3.16\InstallStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Projector Manager]
C:\Program Files\InFocus\Projector Manager\Projmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 08:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMBooster.Net]
C:\Program Files\RAMBooster.Net\RAMBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCHotKey]
--a------ 2006-05-02 16:48 14848 C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Simple Star PhotoShow Media Manager]
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Valve\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-03-29 15:10 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2003-01-02 18:11 577536 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2003-01-02 18:12 126976 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINNT\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 17:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPIAgent5"=2 (0x2)
"SAVScan"=3 (0x3)
"gusvc"=2 (0x2)
"SQLAgent$PARAMOUNT"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$PARAMOUNT"=2 (0x2)
"iPod Service"=3 (0x3)
"Speed Disk service"=2 (0x2)
"NProtectService"=2 (0x2)
"GhostStartService"=2 (0x2)

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2002-08-14 15:11]
R1 oreans32;oreans32;C:\WINNT\system32\drivers\oreans32.sys [2006-09-07 16:52]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINNT\system32\DRIVERS\zumbus.sys [2007-11-15 21:38]
R2 ZuneBusEnum;Zune Bus Enumerator;c:\WINNT\system32\ZuneBusEnum.exe [2007-11-15 21:51]
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINNT\system32\drivers\hphius09.sys [2003-01-30 18:55]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Bots\GameGuard\dump_wmimmc.sys []
S3 IFCUSB;IFCUSB;C:\WINNT\system32\drivers\IFCUSB.SYS [2001-05-22 21:55]
S3 NPDriver;Norton Unerase Protection Driver;C:\WINNT\System32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;c:\WINNT\system32\ZuneWlanCfgSvc.exe [2007-11-15 21:51]
S4 MSSQL$PARAMOUNT;MSSQL$PARAMOUNT;C:\Program Files\Microsoft SQL Server\MSSQL$PARAMOUNT\Binn\sqlservr.exe [2002-12-17 17:26]
S4 SQLAgent$PARAMOUNT;SQLAgent$PARAMOUNT;C:\Program Files\Microsoft SQL Server\MSSQL$PARAMOUNT\Binn\sqlagent.EXE [2002-12-17 17:23]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-14 20:45:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-21 04:20:59 C:\WINNT\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-12 04:00:00 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - Eli.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-02 01:30:00 C:\WINNT\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-02-20 11:00:00 C:\WINNT\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
"2008-02-16 00:00:00 C:\WINNT\Tasks\{271C803A-1298-428D-ADB0-440CC94F98D3}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
"2008-02-20 00:00:00 C:\WINNT\Tasks\{2D186DD2-FA0F-48F7-A7DD-1473C92EB67A}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
"2008-02-20 17:00:00 C:\WINNT\Tasks\{A7FD14B9-2705-4CE2-A53C-23060B45984D}_ASOUSASTU_Annette Sousa.job"
- C:\WINNT\system32\mobsync.exeL /Schedule=
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 20:21:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\System32\imapi.exe
C:\WINNT\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-20 20:29:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-21 04:29:07
ComboFix2.txt 2008-02-20 12:07:02
.
2008-02-14 20:25:36 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:26 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINNT\system32\ZuneBusEnum.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8.r{}


----------



## wiwazevedo (Feb 21, 2008)

background is back
can get to the control panel now
thank you soooooo much!



ALL HAIL CEEW1


----------



## ceewi1 (Feb 21, 2008)

Thanks, and glad your problems seem to be fixed.  It seems a few of those files weren't deleted by ComboFix.

Please *download* the *OTMoveIt2 by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt2.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

```
C:\WINNT\system32\rrrqr.bak1
C:\WINNT\system32\rrrqr.bak2
C:\WINNT\system32\rrrqr.ini2
C:\WINNT\devadwp.exe
C:\WINNT\Tasks\SpywareBot Scheduled Scan.job
```

Return to OTMoveIt2, right click in the *Paste Standard List of Files/Folders to be Moved* window (under the light blue bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.  These results are also located at *C:\_OTMoveIt\MovedFiles\Date_Time.log*, where Date_Time is the date and time you ran OTMoveIt.
Close *OTMoveIt2*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

Please post a new HijackThis log, as the old one seems to have been cut off.

I'd also like to see the results of an online scan, just to be sure there's nothing malicious left.

Please use the *Internet Explorer* browser (or FireFox with IETab), and do an online scan with *Kaspersky Online Scanner*.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add Or Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(*Note* for Internet Explorer 7 users: If at any time you have trouble with the *Accept* button of the license, click on the *Zoom* tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on *Next*.
Click on *Scan Settings* and configure as follows:
- Scan using the following Anti-Virus database: *Extended*
- Scan Options: *Scan Archives*, *Scan Mail Bases*

Click *OK* and, under select a target to scan, select *My Computer*.
When the scan is done, in the _Scan is completed_ window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: *Save Report As* (above - red blinking arrow)
Next, in the _Save as_ prompt, _Save in_ area, select: *Desktop*
In the _File name_ area, use KScan, or something similar
In _Save as type_, click the drop arrow and select: *Text file [*.txt]*
Then, click: *Save*
Please post the *Kaspersky Online Scanner Report* in your reply.

Please post:
- The OTMoveIt2 report
- A new HijackThis log
- The results of the Kaspersky scan


----------

