"Dude" - 07-02-13 15:42:33 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\Dude\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\newname.dat
C:\WINDOWS\system32\p2pnetworking.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\unsvchosts.exe
C:\WINDOWS\system32ghynf.exe
C:\DOCUME~1\LOCALS~1\Application Data\NetMon
C:\Program Files\Common Files\{182FF~1
C:\Program Files\Common Files\{382FF~1
C:\Program Files\outlook
C:\Program Files\winupdate
C:\Program Files\winupdates
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\STEM32~1
C:\qoobox\purity\WINDOWS\system32\STEM32~1
((((((((((((((((((((((((((((((( Files Created from 2007-01-13 to 2007-02-13 ))))))))))))))))))))))))))))))))))
2007-02-13 15:35 <DIR> d-------- C:\SDFix
2007-02-12 20:05 <DIR> d-------- C:\DOCUME~1\Dude\Application Data\Creative
2007-02-11 23:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-11 23:06 <DIR> d-------- C:\Program Files\Grisoft
2007-02-11 19:00 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-02-11 18:59 417,792 --a------ C:\Program Files\Video.exe
2007-02-11 18:59 417,792 --a------ C:\Program Files\Track_03.exe
2007-02-11 18:59 393,216 --a------ C:\WINDOWS\system32\shared.exe
2007-02-11 18:59 393,216 --a------ C:\Program Files\Setup.exe
2007-02-11 18:59 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-02-11 18:58 32,768 --a------ C:\WINDOWS\system32\stup9x.exe
2007-02-10 06:09 <DIR> d-------- C:\Program Files\Incomplete
2007-02-08 11:05 1,460 --a------ C:\WINDOWS\system32\lxy4f92a.sys
2007-02-08 10:45 <DIR> d-------- C:\WINDOWS\Prefetch
2007-02-08 10:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2007-02-07 17:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo!
2007-01-26 10:23 <DIR> d-------- C:\DOCUME~1\Dude\Incomplete
2007-01-18 09:32 <DIR> d-------- C:\Program Files\The Weather Channel FW
2007-01-15 15:17 <DIR> d-------- C:\Program Files\RealFlight G3 Demo
2007-01-15 15:17 <DIR> d-------- C:\Program Files\Common Files\KnifeEdge
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-02-13 15:38 288 --a------ C:\WINDOWS\system32\dvcstatebkp-{00000004-00000000-00000002-00001102-00000002-100a1102}.dat
2007-02-13 15:38 288 --a------ C:\WINDOWS\system32\dvcstate-{00000004-00000000-00000002-00001102-00000002-100a1102}.dat
2007-02-13 15:37 25214 --a------ C:\Program Files\b.ico
2007-02-13 15:37 25214 --a------ C:\Program Files\a.ico
2007-02-13 15:37 218599 --a------ C:\Program Files\c.zip
2007-02-13 15:37 217699 --a------ C:\Program Files\b.zip
2007-02-13 15:37 201620 --a------ C:\Program Files\a.zip
2007-02-13 14:42 -------- d-------- C:\Program Files\mozilla firefox
2007-02-12 00:04 -------- d-------- C:\Program Files\windows nt
2007-02-12 00:04 -------- d-------- C:\Program Files\messenger
2007-02-08 20:28 -------- d-------- C:\DOCUME~1\Dude\Application Data\limewire
2007-02-07 17:03 -------- d-------- C:\Program Files\yahoo!
2007-01-25 19:23 -------- d--h----- C:\Program Files\installshield installation information
2007-01-25 19:22 -------- d-------- C:\DOCUME~1\Dude\Application Data\real
2007-01-06 10:14 4218 --a------ C:\WINDOWS\mozver.dat
2006-12-30 20:31 -------- d-------- C:\Program Files\apple software update
2006-12-24 16:43 -------- d-------- C:\Program Files\itunes
2006-12-24 16:42 -------- d-------- C:\Program Files\quicktime
2006-12-20 22:09 -------- d-------- C:\Program Files\directx
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"DW4"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="\"C:\\Program Files\\Ahead\\InCD\\InCD.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"lxy4f92a"="RUNDLL32.EXE w0045d30.dll,n 0074f923000000020045d30"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_DCFS2K
********************************************************************
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-02-13 15:45:03
Logfile of HijackThis v1.97.7
Scan saved at 3:41:37 PM, on 2/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dude\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yourstartingpage.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,wrtpxxp.exe
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e186.exe
O4 - HKLM\..\Run: [lxy4f92a] RUNDLL32.EXE w0045d30.dll,n 0074f923000000020045d30
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dllhost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
Run by: Dude - Tue 02/13/2007 @ 15:48:51.40
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Path:
Client IP-IPX Deleted
Windows Overlay Components Deleted
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted
ADS Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe"="C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe:*:Enabled:dfbhd"
"C:\\Documents and Settings\\Dude\\Desktop\\wowclient-downloader.exe"="C:\\Documents and Settings\\Dude\\Desktop\\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\World of Warcraft\\BackgroundDownloader.exe"="C:\\World of Warcraft\\BackgroundDownloader.exe:*:Disabled:Blizzard Downloader"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\SVKSystems\\ClearView\\bin\\jre\\bin\\java.exe"="C:\\Program Files\\SVKSystems\\ClearView\\bin\\jre\\bin\\java.exe:*:Enabled:java"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:YServer Module"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes :
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Documents and Settings\Dude\Local Settings\Application Data\Microsoft\Media Player\MTVN\Downloads\00A490B9\BIT2.tmp
C:\Documents and Settings\Dude\Local Settings\Application Data\Microsoft\Media Player\MTVN\Downloads\00A490B9\BIT26.tmp
C:\Documents and Settings\Dude\Local Settings\Application Data\Microsoft\Media Player\MTVN\Downloads\00A490B9\BITE.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7a199afb2eb748baf4e4a35c4281d089\BIT9.tmp
Finished
Thank you for your help.