Thanks
Dwight
ComboFix 07-12-08.1 - dianna 2007-12-08 10:48:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT -6:00]
Running from: C:\Documents and Settings\dianna\Desktop\combo fix\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\dianna\spooldr.ini
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\winam.dat
C:\Program Files\cmfibula
C:\Program Files\Common Files\{B480A~1
C:\Program Files\newdotnet
C:\Program Files\newdotnet\nncore.dll
C:\windows\system32\dpqaqlqx.bin
C:\windows\system32\drivers\blank.gif
C:\windows\system32\drivers\box_2.gif
C:\windows\system32\drivers\button_buynow.gif
C:\windows\system32\drivers\button_freescan.gif
C:\windows\system32\drivers\cell_bg.gif
C:\windows\system32\drivers\cell_footer.gif
C:\windows\system32\drivers\cell_header_block.gif
C:\windows\system32\drivers\cell_header_remove.gif
C:\windows\system32\drivers\cell_header_scan.gif
C:\windows\system32\drivers\detect.htm
C:\windows\system32\drivers\download_btn.jpg
C:\windows\system32\drivers\download_now_btn.gif
C:\windows\system32\drivers\footer_back.jpg
C:\windows\system32\drivers\header_1.gif
C:\windows\system32\drivers\header_2.gif
C:\windows\system32\drivers\header_3.gif
C:\windows\system32\drivers\header_4.gif
C:\windows\system32\drivers\header_red_bg.gif
C:\windows\system32\drivers\header_red_free_scan.gif
C:\windows\system32\drivers\header_red_free_scan_bg.gif
C:\windows\system32\drivers\header_red_protect_your_pc.gif
C:\windows\system32\drivers\infected.gif
C:\windows\system32\drivers\main_back.gif
C:\windows\system32\drivers\product_2_header.gif
C:\windows\system32\drivers\product_2_name_small.gif
C:\windows\system32\drivers\product_features.gif
C:\windows\system32\drivers\pt.htm
C:\windows\system32\drivers\rating.gif
C:\windows\system32\drivers\s_detect.htm
C:\windows\system32\drivers\screenshot.jpg
C:\windows\system32\drivers\sep_hor.gif
C:\windows\system32\drivers\sep_vert.gif
C:\windows\system32\drivers\shadow.jpg
C:\windows\system32\drivers\shadow_bg.gif
C:\windows\system32\drivers\spacer.gif
C:\windows\system32\drivers\star.gif
C:\windows\system32\drivers\star_gray.gif
C:\windows\system32\drivers\star_gray_small.gif
C:\windows\system32\drivers\star_small.gif
C:\windows\system32\drivers\style.css
C:\windows\system32\drivers\v.gif
C:\windows\system32\drivers\warning_icon.gif
C:\windows\system32\drivers\win_logo.gif
C:\windows\system32\drivers\x.gif
C:\windows\system32\guard.tmp
C:\windows\system32\sznf.ascii
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NNSERV
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\cmdService
-------\NNServ
((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.
2007-12-07 22:30 . 2007-12-07 22:30 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-07 22:30 . 2007-12-07 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-07 22:29 . 2007-12-07 22:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-07 12:28 . 2007-12-07 14:22 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-12-07 12:20 . 2007-12-07 00:07 1,679 --a------ C:\WINDOWS\default.htm
2007-12-07 00:12 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-12-07 00:12 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-12-07 00:12 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-12-07 00:12 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-12-07 00:12 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-07 00:12 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-06 07:42 . 2007-12-06 07:42 <DIR> d-------- C:\Documents and Settings\dianna\Application Data\OfficeUpdate12
2007-12-06 07:41 . 2007-12-06 07:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-05 17:03 . 2007-12-05 17:03 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-12-04 18:28 . 2007-12-04 18:28 <DIR> d-------- C:\Program Files\CCleaner
2007-12-04 17:54 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-12-04 17:54 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-12-04 17:54 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-12-04 17:54 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-12-04 17:54 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-12-04 17:54 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-12-04 17:52 . 2001-08-17 13:28 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2007-12-04 17:51 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-04 17:50 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2007-12-04 17:49 . 2004-08-04 04:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2007-12-04 17:48 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-04 17:47 . 2004-08-03 22:41 404,990 --a--c--- C:\WINDOWS\system32\dllcache\slntamr.sys
2007-12-04 17:46 . 2001-08-17 22:36 386,560 --a--c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2007-12-04 17:45 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-04 17:44 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-04 17:43 . 2004-08-04 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2007-12-04 17:42 . 2004-08-04 00:56 259,328 --a--c--- C:\WINDOWS\system32\dllcache\perm3dd.dll
2007-12-04 17:41 . 2004-08-04 00:56 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-12-04 17:40 . 2004-08-03 22:31 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2007-12-04 17:39 . 2004-08-04 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2007-12-04 17:38 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-04 17:37 . 2004-08-04 04:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2007-12-04 17:36 . 2004-08-04 04:00 811,064 --a--c--- C:\WINDOWS\system32\dllcache\imjp81k.dll
2007-12-04 17:35 . 2004-08-04 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-12-04 17:34 . 2001-08-17 13:28 542,879 --a--c--- C:\WINDOWS\system32\dllcache\hsf_msft.sys
2007-12-04 17:33 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-04 17:32 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2007-12-04 17:31 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-04 17:30 . 2001-08-17 22:36 419,357 --a--c--- C:\WINDOWS\system32\dllcache\dgconfig.dll
2007-12-04 17:29 . 2004-08-04 04:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-12-04 17:28 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2007-12-04 17:27 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-12-04 17:26 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-11-14 10:50 . 2007-04-13 02:21 271,360 --a------ C:\WINDOWS\system32\mscoree.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 03:41 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2007-12-08 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-05 00:21 --------- d-----w C:\Documents and Settings\administrator.NEMSCO\Application Data\Lavasoft
2007-12-05 00:16 --------- d-----w C:\Program Files\Google
2007-11-13 21:22 --------- d-----w C:\Program Files\MSECache
2007-10-22 16:57 524,288 ----a-w C:\windows\opuc.dll
2007-07-30 16:27 3,072 ----a-w C:\Documents and Settings\dianna\open.exe
2006-10-10 20:46 488,144 ----a-w C:\Program Files\HJTsetup.exe
2006-10-10 13:13 192 ----a-w C:\Documents and Settings\dianna\ggg.bat
2007-03-02 15:19 88 --sh--r C:\windows\system32\DD6B5BB102.sys
2007-09-05 18:26 1,682 --sha-w C:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2003-11-06 19:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-15 12:56]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
logon.bat [2007-08-01 17:35:53]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\nemsco.com\netlogon\DaylightSavingFix.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=\\nemsco.com\netlogon\tzmove.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-1005]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-1005\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-1005\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-1005\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-1005\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-1005\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-1005\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-1005\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-1005\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122901767-2188283067-2291903390-500\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\GPLink-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\GPO-List\2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Scripts]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Scripts\Logoff]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Scripts\Logon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Scripts\Logon\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-1116\Scripts\Logon\0\0]
"Script"=\\nemsco.com\netlogon\logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\Extension-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\Extension-List\{00000000-0000-0000-0000-000000000000}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\GPLink-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\GPLink-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\GPO-List\0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\GPO-List\1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\Loopback-GPLink-List]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2471050201-3403342066-611932151-500\Loopback-GPO-List]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
C:\Program Files\ACT\ACT for Windows\ActSage.exe -preload
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
2006-10-25 09:57 9728 --------- C:\Program Files\ACT\ACT for Windows\Act.Outlook.Service.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo 820 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 EPSON Stylus Photo 820 Series /O5 LPT1: /M Stylus Photo 820
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-01-13 08:47 163840 --a------ C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-01-13 08:47 131072 --a------ C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe -HideWindow
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-01-13 08:46 135168 --a------ C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 18:42 32768 --a------ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
C:\Program Files\UltraVNC\WinVNC.exe -servicehelper
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 20:05 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido anti-spyware 4.0 guard"=2 (0x2)
R2 MSSQL$ACT7;SQL Server (ACT7);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sACT7
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a9c3f41-a48b-11dc-b805-0013205fa063}]
\Shell\AutoRun\command - F:\setup.exe /AUTORUN
\Shell\configure\command - F:\setup.exe
\Shell\install\command - F:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d18be978-6372-11db-91c8-0013205fa063}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 10:52:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-08 10:53:53 - machine was rebooted
.
--- E O F ---
Incident Status Location
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@atdmt[3].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@bs.serving-sys[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@questionmarket[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@serving-sys[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@target[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\dianna\Cookies\dianna@tribalfusion[3].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\dianna\Desktop\combo fix\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\dianna\Desktop\combo fix\ComboFix.exe[nircmd.cfexe]
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Spyware:Cookie/Ccbill Not disinfected D:\Documents and Settings\Administrator\Cookies\administrator@ccbill[2].txt
Spyware:Cookie/Go Not disinfected D:\Documents and Settings\Administrator\Cookies\administrator@go[1].txt
Spyware:Cookie/888 Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@888[2].txt
Spyware:Cookie/Gorillanation Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@ads.gorillanation[1].txt
Spyware:Cookie/Atwola Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@atwola[1].txt
Spyware:Cookie/Centralmedia Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@centralmedia[2].txt
Spyware:Cookie/did-it Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@did-it[2].txt
Spyware:Cookie/Go Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@go[1].txt
Spyware:Cookie/Kount Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@kount[1].txt
Spyware:Cookie/Rn11 Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@rn11[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@smni[1].txt
Spyware:Cookie/Target Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@target[2].txt
Spyware:Cookie/Affiliate fuel Not disinfected D:\Documents and Settings\dianna\Cookies\administrator@www.affiliatefuel[2].txt
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@belnk[1].txt
Spyware:Cookie/Cgi-bin Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@cgi-bin[3].txt
Spyware:Cookie/360i Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@ct.360i[1].txt
Spyware:Cookie/did-it Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@dist.belnk[1].txt
Spyware:Cookie/Go Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@go[2].txt
Spyware:Cookie/Screensavers Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@i.screensavers[1].txt
Spyware:Cookie/Rightmedia Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@rightmedia[1].txt
Spyware:Cookie/Target Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@target[1].txt
Spyware:Cookie/Tickle Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@web.tickle[1].txt
Spyware:Cookie/Buydomains Not disinfected D:\Documents and Settings\dianna\Cookies\dianna@www47.buydomains[1].txt
Adware:Adware/Comet Not disinfected D:\Documents and Settings\dianna\Local Settings\Temp\unpack\CC_43.inf
Adware:Adware/Comet Not disinfected D:\Documents and Settings\dianna\Local Settings\Temp\unpack\inst43.exe
end
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24, on 2007-12-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\windows\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dianna\Desktop\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{B480A4EE-0BB8-1033-0324-050304200001}] "C:\Program Files\Common Files\{B480A4EE-0BB8-1033-0324-050304200001}\Update.exe" mc-110-12-0000140
O4 - Global Startup: logon.bat
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/co ... mHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1447327750
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://63.150.255.187/dpr/apps/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://click.mirarsearch.com/CABUPDATES/winwcd.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nemsco.com
O17 - HKLM\Software\..\Telephony: DomainName = nemsco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nemsco.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nemsco.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = nemsco.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 6175 bytes