| Hi I need help removing an adware virus. ive tried using alot of different programs and
nothing seems to have removed it. I am constantly getting popups that have CiD on the upper
left hand corner. I have logs from Combofix, HJT, and AVG antispyware. If anyone could help
me remove the adware i would be soo very greatful.
Regards,
AngelDust
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:52 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktopO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: (no name) - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - (no file) O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [Bat Wave Base Dale] C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\meta mags.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cabO16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cabO16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cabO16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cabO16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cabO16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cabO16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://ladyacethepiratess.spaces.live.com/PhotoUpload/MsnPUpld.cabO16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cabO16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin.cabO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing) --
End of file - 11116 bytes
ComboFix:
ComboFix 08-01-09.2 - HP_Owner 2008-01-16 17:01:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.560 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.
2008-01-16 16:23 . 2008-01-16 16:23 <DIR> d-------- C:\VundoFix Backups
2008-01-16 15:46 . 2008-01-16 16:11 3,250 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-16 15:30 . 2008-01-16 15:30 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2008-01-16 15:30 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-16 15:25 . 2008-01-16 15:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 13:35 . 2008-01-16 13:35 <DIR> d-------- C:\Program Files\CCleaner
2008-01-16 12:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 11:55 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-01-16 11:55 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-01-16 11:55 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-01-15 23:33 . 2008-01-15 23:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-01-15 21:28 . 2008-01-15 21:28 <DIR> d-------- C:\Program Files\Sygate
2008-01-15 21:28 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-15 21:28 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-15 21:28 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-15 21:28 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-15 21:28 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-15 21:28 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-15 21:28 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-15 18:14 . 2008-01-16 15:45 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6
2008-01-15 17:25 . 2008-01-15 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-15 16:09 . 2008-01-15 16:09 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-15 16:09 . 2008-01-15 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 15:38 . 2008-01-16 10:39 318 --a------ C:\delete.bat
2008-01-15 15:34 . 2008-01-15 15:35 <DIR> d-------- C:\NoLopBackups
2008-01-15 14:15 . 2008-01-15 21:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-15 14:15 . 2008-01-15 14:15 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-13 17:57 . 2008-01-15 20:03 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2008-01-13 17:57 . 2008-01-13 17:57 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\SuperAdBlocker.com
2008-01-12 09:13 . 2008-01-15 14:15 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-01-10 23:00 . 2008-01-14 16:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-10 22:25 . 2008-01-10 22:25 <DIR> d-------- C:\Program Files\batholeeggs
2008-01-10 22:25 . 2008-01-10 22:25 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\batholeeggs
2008-01-10 22:25 . 2008-01-10 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave
2008-01-07 22:07 . 2008-01-07 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Firefly Studios
2008-01-04 16:19 . 2008-01-04 16:19 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Media Player Classic
2007-12-31 12:39 . 2008-01-15 14:14 <DIR> d-------- C:\Program Files\GameShadow
2007-12-31 12:37 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 20:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-16 17:53 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-01-16 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-16 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-15 19:15 --------- d-----w C:\Program Files\DivX
2008-01-15 19:15 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
2008-01-15 15:54 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-01-14 21:39 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-14 21:16 --------- d-----w C:\Program Files\Real
2008-01-12 14:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-31 17:42 --------- d-----w C:\Program Files\Viewpoint
2007-12-31 17:42 --------- d-----w C:\Program Files\Google
2007-12-31 17:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 17:31 --------- d-----w C:\Program Files\Firefly Studios
2007-12-31 16:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-31 16:20 --------- d-----w C:\Program Files\Ant Movie Catalog
2007-12-31 15:59 --------- d-----w C:\Program Files\Paint.NET
2007-12-31 15:49 --------- d-----w C:\Program Files\Jasc Software Inc
2007-12-19 05:13 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\DivX
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-05 04:27 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Motive
2007-12-04 22:31 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-02 20:15 --------- d-----w C:\Program Files\Windows Live
2007-12-02 20:13 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-02 20:11 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-02 20:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-02 20:05 --------- d-----w C:\Program Files\MSN Messenger
2007-11-30 12:58 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-19 21:29 --------- d-----w C:\Program Files\MSXML 6.0
2007-11-19 18:58 --------- d-----w C:\Program Files\MovieTrack
2007-11-19 17:30 --------- d-----w C:\Program Files\MSBuild
2007-11-19 17:24 --------- d-----w C:\Program Files\Reference Assemblies
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-31 18:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-23 22:06 585,728 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-18 16:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-06-04 19:51 1,754 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2007-03-05 21:45 80 --sh--r C:\WINDOWS\system32\F329FBADF7.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-16_12.31.31.90 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-16 18:23:55 884,736 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\a1d353edc300e3aff0784202f68a657b\AspNetMMCExt.ni.dll + 2008-01-16 19:03:29 503,808 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\bb3c2f59a821abc54f420f3a9e051d6a\ComSvcConfig.ni.exe + 2008-01-16 19:03:39 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\c10ec9b4de2b366236ec83237dc31281\CustomMarshalers.ni.dll + 2008-01-16 19:03:27 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\837fe02bdcf637d5bf1e5ffb935ebb80\dfsvc.ni.exe + 2008-01-16 19:03:41 876,544 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\9710a3c0d11dd264c3a6b88977699e9b\Microsoft.Build.Engine.ni.dll + 2008-01-16 19:03:42 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e2858a45971fb30b0c0523dbb52c1d4e\Microsoft.Build.Framework.ni.dll + 2008-01-16 19:03:46 1,695,744 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\63d69ffdf3c640d2d104a4b74e8115f8\Microsoft.Build.Tasks.ni.dll + 2008-01-16 19:03:47 167,936 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\11cb5418c06e30100616fbf205588489\Microsoft.Build.Utilities.ni.dll + 2008-01-16 19:03:33 1,232,896 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\e3dce636e798c53ec2b44d1d4aadb850\Microsoft.Transactions.Bridge.ni.dll + 2008-01-16 19:03:34 401,408 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f3902a808549b40d648206c9303f2788\Microsoft.Transactions.Bridge.Dtc.ni.dll + 2008-01-16 19:03:51 1,740,800 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\923bd55258380eae77353d36a5a1b08f\Microsoft.VisualBasic.ni.dll + 2008-01-16 19:03:55 1,581,056 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\ab2b2664932688ae7c8e0bd9d10448ef\PresentationBuildTasks.ni.dll + 2008-01-16 19:03:35 139,264 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\feac66e81309d67b48f7a9f4cb98f7c8\ServiceModelReg.ni.exe + 2008-01-16 19:03:36 299,008 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\169ba2fe1a4d87ede3ab8dd3d44d867e\SMDiagnostics.ni.dll + 2008-01-16 19:03:37 323,584 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMSvcHost\a098c66aa40d958878f3f5344e6ae1a4\SMSvcHost.ni.exe + 2008-01-16 19:04:08 262,144 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\sysglobl\6a075eb8e0f13de87d1278aa8562d51e\sysglobl.ni.dll + 2008-01-16 18:24:00 241,664 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\492d16599426c7ab35ad2c499a9d4ae6\System.IdentityModel.Selectors.ni.dll + 2008-01-16 18:23:59 1,118,208 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\bdd94a4c46e4424787dfed9381196cb3\System.IdentityModel.ni.dll + 2008-01-16 18:24:01 417,792 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IO.Log\e1e6aa5272543f1d9dad98be897b693e\System.IO.Log.ni.dll + 2008-01-16 19:04:40 655,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Messaging\[u]0[/u]0e3750e478bac4913ee7a6c3b7cd392\System.Messaging.ni.dll + 2008-01-16 18:24:06 2,445,312 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\e27527e67611d8acc0d8dff6d286af23\System.Runtime.Serialization.ni.dll + 2008-01-16 19:03:26 18,071,552 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\350903c091629396c08742c996c1caba\System.ServiceModel.ni.dll + 2008-01-16 19:04:07 2,039,808 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Speech\d4147c99010667b5c547fcfc56ed7bd5\System.Speech.ni.dll + 2008-01-16 19:04:13 2,342,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\37d87b3cab1c66ec4430ebb2abeaa570\System.Web.Mobile.ni.dll + 2008-01-16 19:04:22 3,084,288 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\9798b3ba448ba7d5f1dd70a8a1fb7562\System.Workflow.Activities.ni.dll + 2008-01-16 19:04:33 4,579,328 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\575dad1c0dc9d035acbab10846802ce0\System.Workflow.ComponentModel.ni.dll + 2008-01-16 19:04:38 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\9d89b57d703aefe4938b45f8b398d378\System.Workflow.Runtime.ni.dll + 2008-01-16 19:04:43 483,328 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\c2e5aa36c753a605bdefb97ab83e8806\UIAutomationClient.ni.dll + 2008-01-16 19:04:46 1,118,208 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\ae395b4b568f0d71fec35e3902a46a99\UIAutomationClientsideProviders.ni.dll + 2008-01-16 19:04:50 270,336 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\b7c202147607f93463ead99e743c78b9\WindowsFormsIntegration.ni.dll + 2008-01-16 19:03:38 380,928 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WsatConfig\13f498f606b7cb97c086eea149b8c872\WsatConfig.ni.exe . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 06:43 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Aim6"="" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-06-15 22:22 106571]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 00:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-21 00:51 118784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 21:10 339968]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17 69705]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:16 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-01 16:51 282624]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 03:34 2551808 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 19:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"Bat Wave Base Dale"="C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\meta mags.exe" [2008-01-16 16:53 2473984]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:16 219136]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
--a------ 2004-06-15 22:22 106571 C:\Program Files\ATI Multimedia\main\launchpd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 22:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-29 02:40 77824 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
S1 SABKUTIL;SABKUTIL;C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys []
S3 C-Dilla;C-Dilla;C:\WINDOWS\system32\drivers\CDANT.SYS [2001-09-10 18:09]
S3 ICAM3NT5;Intel(r) PC Camera CS331;C:\WINDOWS\system32\Drivers\ICAM3D2.SYS [2001-12-03 11:57]
*Newly Created Service* - PHOOKS
*Newly Created Service* - SDTHOOK
*Newly Created Service* - XAHVBFSQFNBU
.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 21:21:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-16 21:45:13 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-01-16 17:04:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************** . Completion time: 2008-01-16 17:05:23 ComboFix-quarantined-files.txt 2008-01-16 22:05:21 ComboFix2.txt 2008-01-16 17:31:50 . 2008-01-14 13:54:17 --- E O F --- File Attachment : hijackthis.log 11KB (application/octet-stream) This file has been downloaded 118 time(s). | 
|