cure it log
---------
Process.exe;C:\Documents and Settings\Administrator\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Administrator\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
1166984976XWQCa.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.Fakealert;Deleted.;
gwpc.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.DownLoader.17544;Deleted.;
installer.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Trojan.DownLoader.17482;Deleted.;
VVSNInst.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Adware.SaveNow;Incurable.Moved.;
~ds39990.tmp;C:\Documents and Settings\Owner.YOUR-6JNHHU0520\Local Settings\Temp;Trojan.Kolweb;Deleted.;
backup-20070522-064406-358.dll;C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Desktop\hijackthis\backups;Trojan.DownLoader.based;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
EN_CA-ie.reg;C:\hp\region;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0000010.dll;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.DownLoader.based;Deleted.;
A0000011.exe;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.Fakealert;Deleted.;
A0000012.exe;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.DownLoader.17544;Deleted.;
A0000013.exe;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.DownLoader.17482;Deleted.;
A0000014.exe;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.KillApp.30208;Deleted.;
A0000015.reg;C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP2;Trojan.StartPage.1505;Deleted.;
bkd.exe;C:\WINDOWS\system32;Adware.Surfside;Incurable.Moved.;
driverd.exe;C:\WINDOWS\system32;Trojan.Kolweb;Deleted.;
ipv6mons.dll;C:\WINDOWS\system32;Trojan.PWS.Tanspy;Deleted.;
monterreyd_olive.exe;C:\WINDOWS\system32;Trojan.Kolweb;Deleted.;
zore2[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1QVMVQX;Trojan.MulDrop.5866;Deleted.;
startdrv.exe;C:\WINDOWS\Temp;BackDoor.Bulknet;Deleted.;
sd fix
--------
SDFix: Version 1.84
Run by Owner - Tue 05/22/2007 - 9:14:39.54
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Client IP-IPX
EXAMPLE
NDnet1
TCP and UDP Supp0rt
ImagePath:
"" -e te-110-12-0000271
\??\C:\WINDOWS\System32\main.sys
\??\C:\WINDOWS\System32\ksys.sys
C:\WINDOWS\System32\tccpip.exe /winnt
Client IP-IPX - Deleted
EXAMPLE - Deleted
NDnet1 - Deleted
TCP and UDP Supp0rt - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Service runtime2 - Deleted after Reboot
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4707A9YZ\RUNNED~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4707A9YZ\RUNNED~2.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\PING_1~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUF7B2~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUNNED~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUNNED~2.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUNNED~3.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4R61QTW1\RUNNED~4.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\RUNNED~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\RUNNED~2.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\RUNNED~3.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\ALIVE_~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\ICONS_~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\LW_1_~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\RUNNED~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\RUNNED~2.HTM - Deleted
C:\WINDOWS\SYSTEM32\PFB0E0~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\PFCA7F~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~2.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~3.DLL - Deleted
C:\WINDOWS\SYSTEM32\SFXZMT~4.DLL - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4707A9YZ\TASK_1~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_1~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_2~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_3~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_4~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\O3092XI5\TASK_5~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_1~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_2~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_3~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_4~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_5~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\W1QVMVQX\TASK_6~1.HTM - Deleted
C:\WINDOWS\system32\winlogon.exe.tmp - Deleted
C:\as.txt - Deleted
C:\WINDOWS\system32\8_exception.nls - Deleted
C:\WINDOWS\system32\lzx32.sys - Deleted
C:\WINDOWS\system32\vexg6ame4.exe - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted
Folder C:\Program Files\Ipwindows - Removed
Removing Temp Files...
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\tcpip.exe"="%windir%\\system32\\tcpip.exe:*:Enabled:TCP and UDP Support"
"C:\\WINDOWS\\System32\\vexga3me2.exe"="C:\\WINDOWS\\System32\\vexga3me2.exe:*:Enabled:taskmgr32"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp:*:Enabled:Server"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\11.tmp.exe"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\11.tmp.exe:*:Enabled:qwertybot"
"C:\\WINDOWS\\System32\\qwertybot.exe"="C:\\WINDOWS\\System32\\qwertybot.exe:*:Enabled:qwertybot"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\10.tmp.exe"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\10.tmp.exe:*:Enabled:qwertybot"
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\12.tmp.exe"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\12.tmp.exe:*:Enabled:qwertybot"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp"="C:\\DOCUME~1\\OWNERY~1.000\\LOCALS~1\\Temp\\14.tmp:*:Enabled:Server"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes:
C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\America Online 7.0\aolphx.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\America Online 7.0\COMIT\cswitch.exe
C:\Program Files\America Online 7.0a\aolphx.exe
C:\Program Files\America Online 7.0a\aoltray.exe
C:\Program Files\America Online 7.0a\RBM.exe
C:\Program Files\America Online 7.0a\waol.exe
C:\Program Files\America Online 7.0a\COMIT\cswitch.exe
C:\Program Files\America Online 7.0b\aolphx.exe
C:\Program Files\America Online 7.0b\aoltray.exe
C:\Program Files\America Online 7.0b\RBM.exe
C:\Program Files\America Online 7.0b\waol.exe
C:\Program Files\America Online 7.0b\COMIT\cswitch.exe
C:\Program Files\Detto\DettoWeb.exe
C:\Program Files\Detto\IntelliMover Demo.exe
C:\WINDOWS\psvyyb.tmp
C:\WINDOWS\LastGood.Tmp\INF\oem44.inf
C:\WINDOWS\LastGood.Tmp\INF\oem44.PNF
Finished
hijackthis
------------
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:34:49 AM, on 5/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Desktop\hijackthis\hjt_v2.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2A0C9465-06D5-C6B0-F589-0355AFFF3D59} - C:\WINDOWS\System32\tinjhvc.dll
O2 - BHO: (no name) - {335AB0BD-0213-4D21-B5D0-1694C88470E6} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5497f96a-9986-4961-8fe1-6f97c69bc7d4} - C:\WINDOWS\system32\ligand.dll (file missing)
O2 - BHO: (no name) - {6B767B3B-82DD-DBE5-E124-058BACAC99CE} - C:\WINDOWS\System32\zvlegmn.dll
O2 - BHO: (no name) - {93A0942B-A1E9-4D09-88BC-B4EE1C612F76} - C:\Program Files\Online Services\hokel.dll (file missing)
O2 - BHO: (no name) - {D198FF9A-4860-495C-ACA8-208A6415D905} - \
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - C:\WINDOWS\system32\drivere.dll (file missing)
O2 - BHO: 0 - {FE1CD948-AC89-443C-4B81-F4C02E39F3D0} - C:\Program Files\Messenger\lavufav601.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spam...ckerutility.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\ieajsaj.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing)
O20 - Winlogon Notify: ligand - ligand.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 5462 bytes
combofix
----------
"Owner" - 2007-05-22 9:38:59 Service Pack 1
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Owner.YOUR-6JNHHU0520.000\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\winsysupd51.dat
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\DOCUME~1\OWNER~1.YOU\APPLIC~1\Install.dat
C:\WINDOWS\system32\driverb.exe
C:\WINDOWS\system32\driverc.exe
C:\Program Files\jalmp\arpf.cfg
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\DeskAlerts\basis.xml
C:\Program Files\DeskAlerts\cancel_button.gif
C:\Program Files\DeskAlerts\deskbar.crc
C:\Program Files\DeskAlerts\deskbar.inf
C:\Program Files\DeskAlerts\history.html
C:\Program Files\DeskAlerts\hs_delete.bmp
C:\Program Files\DeskAlerts\hs_search.bmp
C:\Program Files\DeskAlerts\icons.bmp
C:\Program Files\DeskAlerts\mbclose.bmp
C:\Program Files\DeskAlerts\mblogo.bmp
C:\Program Files\DeskAlerts\newversion.txt
C:\Program Files\DeskAlerts\notify.wav
C:\Program Files\DeskAlerts\options.html
C:\Program Files\DeskAlerts\save_button.gif
C:\Program Files\DeskAlerts\title_back.gif
C:\Program Files\DeskAlerts\version.txt
C:\Program Files\DeskAlerts\Cache\045b4f7adac10e512896af2a0470f433.xml
C:\Program Files\Common Files\{30477~1\Bar888.dll
C:\Program Files\Common Files\{30477~1\UnInstall.exe
C:\WINDOWS\system32\mm.ini
C:\Program Files\jalmp
C:\WINDOWS\system32\bund1
C:\Program Files\DeskAlerts
C:\Program Files\Common Files\{30477~1
C:\Program Files\Common Files\{C0477~1
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))
2007-05-22 06:45 <DIR> d-------- C:\DOCUME~1\OWNERY~1.000\DoctorWeb
2007-05-16 04:49 <DIR> d-------- C:\Program Files\RogueRemover
2007-05-15 21:57 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-05-15 21:56 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-05-15 21:56 <DIR> d-------- C:\WINDOWS\Windows Update Setup Files
2007-05-15 21:47 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-15 21:06 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-05-15 20:49 <DIR> d-------- C:\WINDOWS\pss
2007-05-15 18:42 <DIR> d-------- C:\WINDOWS\EDCD4CE3DE9249A987F9FE09B2FBA16C.TMP
2007-05-15 10:52 <DIR> d-------- C:\Program Files\CCleaner
2007-05-15 09:43 1,622 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-15 08:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-15 03:27 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-15 00:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-14 22:28 786,432 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\VERITAS
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Share-to-Web Upload Folder
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Freedom
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Aim
2007-05-14 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.limewire
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-16 01:32:43 -------- d-----w C:\Program Files\WildTangent
2007-05-16 01:32:16 -------- d-----w C:\Program Files\Viewpoint
2007-05-16 01:30:47 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-15 16:12:39 -------- d--h--w C:\Program Files\BHO Plugin
2007-05-15 14:49:05 -------- d-----w C:\Program Files\AWS
2007-05-15 09:47:32 -------- d-----w C:\Program Files\SoftwareOnline
2007-05-15 07:15:09 278 ----a-w C:\WINDOWS\teeyu.dll
2007-05-15 07:11:29 1,456,707 --sh--w C:\WINDOWS\psvyyb.ini2
2007-05-02 15:46:04 75,264 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-04-20 16:13:35 -------- d-----w C:\Program Files\America Online 7.0b
2007-04-12 20:17:22 -------- d-----w C:\Program Files\Common Files\aolshare
2007-04-12 20:17:16 -------- d-----w C:\Program Files\America Online 7.0a
2007-04-12 14:03:15 -------- d-----w C:\Program Files\Online Services
2007-04-12 13:55:52 39,936 ----a-w C:\WINDOWS\system32\ieajsaj.dll
2007-04-12 13:55:51 208 ----a-w C:\WINDOWS\system32\wincrc32ie.dll
2007-04-12 13:52:57 -------- d-----w C:\Program Files\Messenger
2007-04-12 01:14:16 7,342 ----a-w C:\sysxzle.exe
2007-04-10 22:17:18 -------- d-----w C:\Program Files\Common Files\moir
2007-04-04 21:09:25 -------- d-----w C:\DOCUME~1\OWNERY~1.000\APPLIC~1\Aim
2007-04-02 19:38:49 -------- d-----w C:\Program Files\ArcSoft
2007-04-02 15:07:56 -------- d-----w C:\Program Files\Windows NT
2007-04-02 15:07:47 -------- d-----w C:\Program Files\Movie Maker
2007-03-31 18:48:00 25,588 ----a-w C:\WINDOWS\freedom.backup.dat
2007-03-28 13:34:28 96,256 --s-a-w C:\WINDOWS\system32\monterreyc_olive.exe
2007-03-19 12:24:54 96,256 --s-a-w C:\WINDOWS\system32\monterreyb_olive.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 20:02]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockTracker"="c:\hp\bin\BlockTracker.exe" []
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" []
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" []
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-10-01 00:39 C:\WINDOWS\system32\nwiz.exe]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-15 03:22]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll,nViewLoadHook" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
C:\hp\bin\autotbar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]
rundll32.exe "C:\WINDOWS\byyvsp.dll",realset
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\moir]
C:\PROGRA~1\COMMON~1\moir\moirm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20070522-064407-854
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\
backup-20070522-064407-687
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
backup-20070522-064407-848
O20 - Winlogon Notify: ligand - ligand.dll (file missing)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ligand]
"Asynchronous"=dword:00000000
"Dllname"="ligand.dll"
"Impersonate"=dword:00000000
"Startup"="NotifyStartup"
"Shutdown"="NotifyShutdown"
backup-20070522-064407-805
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
backup-20070522-064407-724
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll (file missing)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq]
"DllName"="C:\\WINDOWS\\System32\\a3dxq.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Startup"="Startup"
backup-20070522-064407-645
O20 - AppInit_DLLs: C:\WINDOWS\System32\ieajsaj.dll
backup-20070522-064407-919
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spam...ckerutility.cab
backup-20070522-064407-949
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
backup-20070522-064407-685
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
backup-20070522-064406-621
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
backup-20070522-064406-950
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'SYSTEM')
backup-20070522-064406-942
O2 - BHO: (no name) - {DE0B3210-B828-475B-96F0-6796FE533E46} - C:\WINDOWS\system32\drivere.dll (file missing)
backup-20070522-064406-426
O4 - HKCU\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271
backup-20070522-064406-689
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
backup-20070522-064406-807
O2 - BHO: (no name) - {93A0942B-A1E9-4D09-88BC-B4EE1C612F76} - C:\Program Files\Online Services\hokel.dll (file missing)
backup-20070522-064406-380
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{C04770C0-05FC-1033-1216-021113020001}] "C:\Program Files\Common Files\{C04770C0-05FC-1033-1216-021113020001}\Update.exe" te-110-12-0000271 (User 'Default user')
backup-20070522-064406-358
O2 - BHO: (no name) - {6B767B3B-82DD-DBE5-E124-058BACAC99CE} - C:\WINDOWS\System32\zvlegmn.dll
backup-20070522-064406-935
O2 - BHO: 0 - {FE1CD948-AC89-443C-4B81-F4C02E39F3D0} - C:\Program Files\Messenger\lavufav601.dll (file missing)
backup-20070522-064406-273
O2 - BHO: (no name) - {D198FF9A-4860-495C-ACA8-208A6415D905} - \
backup-20070522-064406-404
O2 - BHO: (no name) - {335AB0BD-0213-4D21-B5D0-1694C88470E6} - \
backup-20070522-064406-544
O2 - BHO: (no name) - {5497f96a-9986-4961-8fe1-6f97c69bc7d4} - C:\WINDOWS\system32\ligand.dll (file missing)
backup-20070522-064406-998
O2 - BHO: (no name) - {2A0C9465-06D5-C6B0-F589-0355AFFF3D59} - C:\WINDOWS\System32\tinjhvc.dll
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 09:44:34
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
********************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NNServ]
"ImagePath"="\"C:\Program Files\NewDotNet\nnrun.exe\" \"C:\Program Files\NewDotNet\nncore.dll\" ServiceStart"
Completion time: 2007-05-22 9:48:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-22 09:48
--- E O F ---