#1
Deleted Trojan w/ AVG
heya,
I was going through a couple of questionable exes for my friends with a virus scanner and only one was detected as a trojan. I ran one of the other ones and sure enough, I'm greeted by the file self-deleting, and I knew I was in trouble. I start up AVG and 4 or so infections are healed. Considering this computer is important, I did 2 more spyware sweeps with adaware 6 and spybot s&d, both updated. Then I system restored and checked over the computer again, considering that the trojan could have infected the restore files again. Everything is fast, I see no unnecessary/questionable processes in task manager and msconfig's start up list looks fine. I want to check if the infection has been wiped clean by AVG + spyware sweeps or not, so please tell me if you can see any indication of an infection in my HJT log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:16:12 PM, on 21/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mercury Interactive\Mercury LoadRunner\launch_service\bin\magentproc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\HS\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/MercuryWebTours
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\Mercury LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A04E2CD-6873-4A16-BC2F-AB3C1BF21661}: NameServer = 192.168.1.1
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

--
End of file - 3704 bytes

Thanks,
mark
#2
Hello bluewaker,
We are not using this version of HijackThis yet as it is still a BETA. Please delete the copy you have and download HijackThis v1.99.1 from here.

~~~~~~~~

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, it will create two text files - main.txt <- this one will be maximized and extra.txt <- this one will be minimized on your Taskbar.
4. Copy/paste both logs back here please (they will also be located at C:\Deckard\System Scanner).

~~~~~~~~~~~~~~~~

I would also like to see another kind of scan. Go here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here.

Please post back the two logs from Deckard System Scanner and the Silent Runners log.
#3
Alright, here it is.
Logfile of HijackThis v1.99.1
Scan saved at 8:43:07 PM, on 24/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mercury Interactive\Mercury LoadRunner\launch_service\bin\magentproc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\freecell.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\Mercury LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A04E2CD-6873-4A16-BC2F-AB3C1BF21661}: NameServer = 192.168.1.1
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
#4
Post back the Deckard's System Scanner logs as well please.
#5
Deckard's System Scanner v20070426.43
Run by HS on 2007-05-31 at 19:08:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-06-01 02:08:28 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as HS.exe) --------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:09:23 PM, on 31/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mercury Interactive\Mercury LoadRunner\launch_service\bin\magentproc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HS\Desktop\dss.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\PROGRA~1\HIJACK~1\HS.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\Mercury LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A04E2CD-6873-4A16-BC2F-AB3C1BF21661}: NameServer = 192.168.1.1
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 hardlock - c:\windows\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 paldrv - c:\windows\system32\pal_drv.sys <Not Verified; Mercury Interactive Corp.; Astra>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Scheduled Tasks -------------------------------------------------------------

2007-05-25 18:20:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-04-30 and 2007-05-31 -----------------------------

2007-05-31 09:27:29 0 d-------- C:\WINDOWS\LastGood
2007-05-29 21:58:57 51088 --a------ C:\Documents and Settings\HS\Application Data\GDIPFONTCACHEV1.DAT
2007-05-21 14:19:45 0 d---s---- C:\Documents and Settings\HS\UserData
2007-05-21 14:07:56 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-05-21 14:07:55 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-05-21 14:07:47 0 d-------- C:\Program Files\Sygate
2007-05-21 14:07:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-21 12:48:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-21 12:48:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-21 12:48:04 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-05-21 12:36:11 1932 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-21 11:28:30 0 d-------- C:\MercuryWebTours
2007-05-21 11:23:49 0 d-------- C:\Program Files\Xitami
2007-05-21 11:22:30 277504 --a------ C:\WINDOWS\system32\PerlCRT.dll <Not Verified; ActiveState Tool Corp.; Perl C Runtime DLL>
2007-05-21 11:22:30 0 d-------- C:\Perl
2007-05-21 11:20:26 0 d-------- C:\Quadbase
2007-05-21 11:20:05 299779 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-05-21 11:20:03 0 d-------- C:\Documents and Settings\HS\WINDOWS
2007-05-21 11:01:33 0 d-------- C:\Temp
2007-05-21 09:45:40 0 d-------- C:\WINDOWS\Downloaded Installations
2007-05-21 09:34:29 10951 --a------ C:\WINDOWS\system32\pal_drv.sys <Not Verified; Mercury Interactive Corp.; Astra>
2007-05-21 09:34:28 512 --a------ C:\WINDOWS\system32\cfgams32.dll
2007-05-21 09:30:21 0 d-------- C:\Program Files\Common Files\Mercury Interactive
2007-05-21 09:29:54 457216 --a------ C:\WINDOWS\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
2007-05-21 09:29:51 6656 --a------ C:\WINDOWS\system32\haspvdd.dll <Not Verified; Aladdin Knowledge Systems.; Windows NT HASP Virtual Device Driver>
2007-05-21 09:29:51 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-05-21 09:29:51 47616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
2007-05-21 09:28:05 148480 -----n--- C:\WINDOWS\system32\tlbinf32.dll <Not Verified; Microsoft Corporation; Object Navigator, Visual Basic>
2007-05-21 09:28:04 287504 -----n--- C:\WINDOWS\system32\msxbse35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-05-21 09:28:04 165648 -----n--- C:\WINDOWS\system32\mstext35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-05-21 09:28:04 252176 -----n--- C:\WINDOWS\system32\msrd2x35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-05-21 09:28:03 250128 -----n--- C:\WINDOWS\system32\mspdox35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-05-21 09:28:03 166160 -----n--- C:\WINDOWS\system32\msltus35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-05-21 09:28:03 1046288 -----n--- C:\WINDOWS\system32\msjet35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-05-21 09:28:03 250128 -----n--- C:\WINDOWS\system32\msexcl35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-05-21 09:28:02 446464 -----n--- C:\WINDOWS\system32\HHActiveX.dll <Not Verified; Blue Sky Software Corporation.; RoboHELP HTML 2000>
2007-05-21 09:28:02 69632 -----n--- C:\WINDOWS\system32\dzstactx.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Status ActiveX Control>
2007-05-21 09:28:02 253952 -----n--- C:\WINDOWS\system32\dzactx.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 ZIP ActiveX Control>
2007-05-21 09:28:02 229376 -----n--- C:\WINDOWS\system32\duzactx.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 UnZIP ActiveX Control>
2007-05-21 09:28:01 368912 -----n--- C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2007-05-21 09:28:01 49209 -----n--- C:\WINDOWS\system32\ShellHook.dll <Not Verified; Mercury Interactive Corp.; Astra>
2007-05-21 09:28:01 28672 -----n--- C:\WINDOWS\system32\RegAsm.exe <Not Verified; Microsoft Corporation; Microsoft .NET Framework>
2007-05-21 09:28:01 640512 -----n--- C:\WINDOWS\system32\OC30.DLL <Not Verified; Microsoft Corporation; Microsoft® OLE Controls Development Kit>
2007-05-21 09:28:01 77891 -----n--- C:\WINDOWS\system32\BHOManager.dll <Not Verified; Mercury Interactive Corp.; Astra>
2007-05-21 09:28:00 274704 -----n--- C:\WINDOWS\system32\ntwdblib.dll <Not Verified; Microsoft Corporation; Microsoft SQL Server>
2007-05-21 09:27:59 415504 -----n--- C:\WINDOWS\system32\msrepl35.dll <Not Verified; Microsoft Corporation; Microsoft® Access>
2007-05-21 09:27:59 24848 -----n--- C:\WINDOWS\system32\msjter35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-05-21 09:27:59 123664 -----n--- C:\WINDOWS\system32\msjint35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2007-05-21 09:27:59 155648 -----n--- C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft .NET Framework>
2007-05-21 09:27:58 24648 -----n--- C:\WINDOWS\system32\MercuryTestLauncher.exe <Not Verified; Mercury Interactive Corp.; LoadRunner>
2007-05-21 09:27:58 122981 -----n--- C:\WINDOWS\system32\MercuryScenarioLauncher.exe <Not Verified; Mercury Interactive Corp.; LoadRunner>
2007-05-21 09:27:58 49214 -----n--- C:\WINDOWS\system32\jdkhook.dll <Not Verified; Mercury Interactive Corp.; LoadRunner>
2007-05-21 09:27:57 634880 -----n--- C:\WINDOWS\system32\gsprop32.dll <Not Verified; Bits Per Second Ltd; GSPROP>
2007-05-21 09:27:57 110592 -----n--- C:\WINDOWS\system32\gsjpg32.dll <Not Verified; Bits Per Second Ltd; Graphics Server bitmap to JPEG translation DLL>
2007-05-21 09:27:56 32768 -----n--- C:\WINDOWS\system32\dzprog32.exe <Not Verified; Inner Media, Inc.; DZPROG32 (Multi-Threading)>
2007-05-21 09:27:56 131072 -----n--- C:\WINDOWS\system32\dzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading ZIP DLL>
2007-05-21 09:27:56 49152 -----n--- C:\WINDOWS\system32\dz_ez32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 DZ-Easy (Multi-Threaded)>
2007-05-21 09:27:56 110592 -----n--- C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2007-05-21 09:27:56 1216580 -----n--- C:\WINDOWS\system32\cjhook_rec.dll <Not Verified; Mercury Interactive Corp.; LoadRunner>
2007-05-21 09:27:55 16272 -----n--- C:\WINDOWS\system32\drivers\packet.sys <Not Verified; Mercury Interactive Corp.; >
2007-05-21 09:19:59 159744 -----n--- C:\WINDOWS\miuninst6.exe <Not Verified; Mercury Interactive Corporation; Mercury Interactive Setup>
2007-05-21 08:23:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-05-21 08:22:58 0 d-------- C:\Program Files\Google
2007-05-21 08:11:44 0 d-------- C:\WINDOWS\network diagnostic
2007-05-21 08:08:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-05-21 00:14:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-05-21 00:07:57 1017758 ---hs---- C:\WINDOWS\system32\jmppo.bak1
#6
2007-05-21 00:02:25 0 d-------- C:\$VAULT$.AVG
2007-05-20 23:54:44 0 d-------- C:\Documents and Settings\HS\Application Data\uTorrent
2007-05-19 23:42:14 0 d-------- C:\Documents and Settings\HS\Application Data\AVG7
2007-05-19 23:41:45 0 d-------- C:\Program Files\Grisoft(2)
2007-05-19 23:41:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2007-05-19 23:41:45 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7(2)
2007-05-19 23:09:43 0 d-------- C:\Program Files\Microsoft.NET
2007-05-19 23:07:50 0 d-------- C:\Program Files\MSXML 6.0
2007-05-19 22:57:02 0 d-------- C:\Program Files\MSBuild
2007-05-19 22:52:37 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-05-19 22:51:42 0 d-------- C:\Program Files\Reference Assemblies
2007-05-19 22:23:35 0 d-------- C:\Program Files\Microsoft SQL Server
2007-05-19 22:14:52 0 d-------- C:\WINDOWS\system32\URTTemp
2007-05-19 20:56:46 0 d-------- C:\Documents and Settings\HS\Application Data\Adobe
2007-05-19 20:55:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-05-19 20:53:51 0 d-------- C:\Program Files\Common Files\Adobe
2007-05-19 19:48:31 0 d-------- C:\Program Files\Snapshot Viewer
2007-05-19 15:35:05 0 d-------- C:\70SP4
2007-05-19 09:25:10 0 d-------- C:\Program Files\Mercury Interactive
2007-05-19 00:42:36 0 d-------- C:\Program Files\GCC4243N_fw
2007-05-19 00:40:13 0 d-------- C:\Program Files\CONEXANT
2007-05-19 00:37:50 0 d-------- C:\Program Files\Intel
2007-05-19 00:37:03 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-05-19 00:36:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-19 00:36:52 0 d-------- C:\Program Files\Common Files\InstallShield
2007-05-19 00:27:56 0 d-------- C:\Documents and Settings\HS\Application Data\Identities
2007-05-19 00:27:45 0 dr------- C:\Documents and Settings\HS\My Documents
2007-05-19 00:27:45 0 d--h----- C:\Documents and Settings\HS\Local Settings
2007-05-19 00:27:45 0 dr------- C:\Documents and Settings\HS\Favorites
2007-05-19 00:27:45 0 d-------- C:\Documents and Settings\HS\Desktop
2007-05-19 00:27:45 0 d---s---- C:\Documents and Settings\HS\Cookies
2007-05-19 00:27:45 0 dr-h----- C:\Documents and Settings\HS\Application Data
2007-05-19 00:27:44 0 d--h----- C:\Documents and Settings\HS\Templates
2007-05-19 00:27:44 0 dr------- C:\Documents and Settings\HS\Start Menu
2007-05-19 00:27:44 0 dr-h----- C:\Documents and Settings\HS\SendTo
2007-05-19 00:27:44 0 dr-h----- C:\Documents and Settings\HS\Recent
2007-05-19 00:27:44 0 d--h----- C:\Documents and Settings\HS\PrintHood
2007-05-19 00:27:44 2097152 --ah----- C:\Documents and Settings\HS\NTUSER.DAT
2007-05-19 00:27:44 0 d--h----- C:\Documents and Settings\HS\NetHood
2007-05-19 00:25:04 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-05-19 00:25:02 0 d-------- C:\WINDOWS\Prefetch
2007-05-19 00:25:01 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-05-19 00:25:00 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-05-19 00:25:00 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2007-05-19 00:25:00 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-05-19 00:25:00 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-05-19 00:24:59 786432 --a------ C:\Documents and Settings\LocalService\NTUSER.DAT
2007-05-19 00:24:43 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-05-19 00:24:43 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-05-19 00:24:43 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-05-19 00:24:43 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-05-19 00:24:42 786432 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-05-19 00:21:20 0 d-------- C:\WINDOWS\system32\xircom
2007-05-19 00:21:20 0 d-------- C:\Program Files\microsoft frontpage
2007-05-19 00:21:17 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-05-19 00:21:06 0 -rahs---- C:\MSDOS.SYS
2007-05-19 00:21:06 0 -rahs---- C:\IO.SYS
2007-05-19 00:21:06 0 --a------ C:\CONFIG.SYS
2007-05-19 00:21:06 0 --a------ C:\AUTOEXEC.BAT
2007-05-19 00:19:45 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-05-19 00:19:30 0 dr------- C:\WINDOWS\Offline Web Pages
2007-05-19 00:19:30 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-05-19 00:19:14 0 d--h----- C:\Program Files\WindowsUpdate
2007-05-19 00:18:47 0 d-------- C:\WINDOWS\system32\DirectX
2007-05-19 00:18:21 0 d---s---- C:\WINDOWS\Tasks
2007-05-19 00:18:20 0 d-------- C:\Program Files\Common Files\MSSoap
2007-05-19 00:18:17 0 d-------- C:\WINDOWS\system32\Macromed
2007-05-19 00:18:17 0 d-------- C:\WINDOWS\srchasst
2007-05-19 00:18:10 0 d-------- C:\Program Files\Movie Maker
2007-05-19 00:18:04 0 d-------- C:\WINDOWS\system32\Restore
2007-05-19 00:17:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-05-19 00:17:21 0 d-------- C:\WINDOWS\Registration
2007-05-19 00:16:40 0 d-------- C:\Program Files\Online Services
2007-05-19 00:16:32 0 d-------- C:\Program Files\Messenger
2007-05-19 00:16:29 0 d-------- C:\Program Files\MSN Gaming Zone
2007-05-19 00:15:57 0 d-------- C:\Program Files\Windows NT
2007-05-19 00:15:55 0 d-------- C:\WINDOWS\system32\MsDtc
2007-05-19 00:15:54 0 d-------- C:\WINDOWS\system32\Com
2007-05-18 22:41:36 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-05-18 22:41:06 0 d-------- C:\Documents and Settings\HS\Application Data\WinRAR
2007-05-18 21:55:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-05-18 21:49:50 0 d-------- C:\WINDOWS\pss
2007-05-18 21:48:20 0 d-------- C:\Documents and Settings\HS\Application Data\Macromedia
2007-05-18 21:47:50 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-18 21:47:38 0 d-------- C:\Documents and Settings\HS\Application Data\Mozilla
2007-05-18 21:46:48 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-18 20:10:59 0 d-------- C:\WINDOWS\system32\PreInstall
2007-05-18 20:10:57 0 d--h----- C:\WINDOWS\$hf_mig$
2007-05-18 17:03:05 0 d--hs---- C:\WINDOWS\Installer
2007-05-18 17:03:03 0 d-------- C:\Program Files\Common Files\ODBC
2007-05-18 17:03:00 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-05-18 17:02:59 0 dr------- C:\Program Files
2007-05-18 17:01:23 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-05-18 17:01:23 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-05-18 17:01:23 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-05-18 17:01:23 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-05-18 17:01:23 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-05-18 17:01:23 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-05-18 17:01:23 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-05-18 17:01:23 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-05-18 17:01:23 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-05-18 17:01:23 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-05-18 17:01:23 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-05-18 17:01:23 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-05-18 17:01:23 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-05-18 17:01:23 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-05-18 17:01:23 0 dr------- C:\Documents and Settings\All Users\Documents
2007-05-18 17:01:23 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-05-18 17:01:07 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-05-18 17:01:07 0 d-------- C:\WINDOWS\system32\CatRoot
2007-05-18 17:01:02 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-05-18 17:01:02 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-05-18 17:01:01 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-05-18 17:01:01 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-05-18 17:00:36 0 d-------- C:\Documents and Settings
2007-05-18 17:00:35 0 d--hs---- C:\System Volume Information
2007-05-18 16:53:20 0 d-------- C:\WINDOWS
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\WinSxS
2007-05-18 16:53:20 0 dr------- C:\WINDOWS\Web
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\twain_32
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\wins
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\wbem
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\usmt
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\spool
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\ShellExt
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\Setup
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\ras
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\oobe
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\npp
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\mui
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\inetsrv
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\IME
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\icsxml
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\ias
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\export
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\drivers
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-05-18 16:53:20 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\dhcp
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\config
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\3076
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\2052
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\1054
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\1042
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\1041
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\1037
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\1033
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\1031
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\1028
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system32\1025
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\system
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\security
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\Resources
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\repair
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\Provisioning
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\PeerNet
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\pchealth
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\mui
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\msapps
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\msagent
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\Media
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\java
2007-05-18 16:53:20 0 d--h----- C:\WINDOWS\inf
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\ime
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\Help
2007-05-18 16:53:20 0 dr--s---- C:\WINDOWS\Fonts
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\Driver Cache
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\Debug
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\Cursors
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\Connection Wizard
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\Config
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\AppPatch
2007-05-18 16:53:20 0 d-------- C:\WINDOWS\addins
2007-05-18 14:00:04 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-05-18 13:59:55 0 d-------- C:\WINDOWS\ShellNew
2007-05-18 09:35:30 0 d-------- C:\Program Files\Microsoft Works
2007-05-18 09:34:34 0 d-------- C:\Program Files\Microsoft Works Suite 2003
2007-05-18 00:55:58 0 d-------- C:\Program Files\QuickTime
2007-05-18 00:55:37 0 d-------- C:\Program Files\Apple Software Update

-- Find3M Report ---------------------------------------------------------------

2007-05-18 17:01:23 62 --ahs---- C:\Documents and Settings\HS\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{474264BC-9571-47C1-85B9-780F756DC9CE} C:\WINDOWS\system32\BHOManager.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"="Mercury.ShHook"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs
REG_MULTI_SZ TermService\0\0 -- End of Deckard's System Scanner: finished at 2007-05-31 at 19:10:40 --------- ----- |
#7
Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Celeron(R) M processor 1400MHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 478.42 MiB / 186.8 MiB
Pagefile Memory (total/avail): 1120.7 MiB / 855.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1964.41 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 46.25 GiB free.
D: is CDROM (No Media)

-- Security Center -------------------------------------------------------------
AUOptions is set to notify before install.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: AVG 7.5.472 v7.5.472 (GRISOFT)

-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\HS\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NOTEBOOK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\HS
LOGONSERVER=\\NOTEBOOK
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Perl\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PE_HOME=C:\PROGRA~1\MERCUR~1\MERCUR~1
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HS\LOCALS~1\Temp
TMP=C:\DOCUME~1\HS\LOCALS~1\Temp
USERDOMAIN=NOTEBOOK
USERNAME=HS
USERPROFILE=C:\Documents and Settings\HS
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------
HS (admin)
#8
-- Add/Remove Programs ---------------------------------------------------------
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{439C01D2-84A2-4421-9141-ED58FE79C6BE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64912600-7B81-11D5-92C4-000102E19FD0}\setup.exe" -l0x9 -uninst
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ActivePerl build 509 --> C:\Perl\bin\perl.exe C:\Perl\bin\uninstall.pl C:\Perl\bin/p_uninst.dat
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Broadcom 802.11 Wireless LAN Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
Conexant AC-Link Audio --> CIAunwdm.exe
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
HijackThis 1.99.1 --> C:\Program Files\HijackThis\Uninstal.exe
Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Mercury LoadRunner 8.0 --> "C:\WINDOWS\miuninst6.exe" /boot "C:\Program Files\Mercury Interactive\Mercury LoadRunner\dat\miuninst.ini"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2003 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2003\Setup\Launcher.exe D:\
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (2.0.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
SoftV90 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_3080103C\HXFSETUP.EXE -U -Ihpm30805.inf
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xitami Web Server --> C:\PROGRA~1\Xitami\UNWISE.EXE C:\PROGRA~1\Xitami\INSTALL.LOG

-- End of Deckard's System Scanner: finished at 2007-05-31 at 19:10:40 ---------
#9
Those were the Deckard posts, the main followed by the extra.
Silent Runner's log.

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{474264BC-9571-47C1-85B9-780F756DC9CE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "BHOManager Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\BHOManager.dll" ["Mercury Interactive Corp."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{A5949E07-8536-4625-A3D0-2DD83F559990}" = "Mercury.ShHook"
  -> {HKLM...CLSID} = "ShHook Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellHook.dll" ["Mercury Interactive Corp."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\HS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

Startup items in "HS" & "All Users" startup folders:
----------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"LoadRunner Agent Process" -> shortcut to: "C:\Program Files\Mercury Interactive\Mercury LoadRunner\launch_service\bin\magentproc.exe" ["Mercury Interactive Corp."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]

----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 112 seconds.
----------
(total run time: 176 seconds)
#10
Hello,
This system has a Vundo infection trace. Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
~~~~~~~~~~~
Download Combofix.exe. Double-click combofix.exe and follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please copy/paste that log back here together with a new HijackThis log.
A caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
~~~~~~~~
Please post back these two logs, vundofix.txt and the Combofix log, and reboot afterwards. After the reboot run HijackThis again and post back a new log please.
#11
"HS" - 2007-06-05 21:52:54 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "E:\"

((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))

2007-06-05 21:46 <DIR> d-------- C:\VundoFix Backups
2007-06-02 23:07 <DIR> d-------- C:\Program Files\PasswordTools
2007-06-01 07:30 <DIR> d-------- C:\Program Files\Microsoft Script Debugger
2007-05-31 21:47 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-05-31 21:47 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-05-31 21:47 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2007-05-31 21:47 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2007-05-31 21:47 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2007-05-31 19:08 <DIR> d-------- C:\Deckard
2007-05-29 21:58 51,088 --a------ C:\DOCUME~1\HS\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-05-21 14:19 <DIR> d---s---- C:\DOCUME~1\HS\UserData
2007-05-21 14:07 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-05-21 14:07 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-05-21 14:07 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-05-21 14:07 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-05-21 14:07 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-05-21 14:07 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-05-21 14:07 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-05-21 14:07 <DIR> d-------- C:\Program Files\Sygate
2007-05-21 14:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-21 12:36 1,932 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-21 11:28 <DIR> d-------- C:\MercuryWebTours
2007-05-21 11:23 <DIR> d-------- C:\Program Files\Xitami
2007-05-21 11:22 277,504 --a------ C:\WINDOWS\system32\PerlCRT.dll
2007-05-21 11:22 <DIR> d-------- C:\Perl
2007-05-21 11:20 299,779 --a------ C:\WINDOWS\uninst.exe
2007-05-21 11:20 <DIR> d-------- C:\Quadbase
2007-05-21 11:20 <DIR> d-------- C:\DOCUME~1\HS\WINDOWS
2007-05-21 11:01 <DIR> d-------- C:\Temp\LoadRunner_8.1.0.0
2007-05-21 11:01 <DIR> d-------- C:\Temp
2007-05-21 09:45 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-05-21 09:34 512 --a------ C:\WINDOWS\system32\cfgams32.dll
2007-05-21 09:34 10,951 --a------ C:\WINDOWS\system32\pal_drv.sys
2007-05-21 09:30 <DIR> d-------- C:\Program Files\Common Files\Mercury Interactive
2007-05-21 09:29 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-05-21 09:29 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-05-21 09:29 457,216 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2007-05-21 09:29 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-05-21 09:28 69,632 --------- C:\WINDOWS\system32\dzstactx.dll
2007-05-21 09:28 640,512 --------- C:\WINDOWS\system32\OC30.DLL
2007-05-21 09:28 499,712 --------- C:\WINDOWS\system32\msvcp71.dll
2007-05-21 09:28 446,464 --------- C:\WINDOWS\system32\HHActiveX.dll
2007-05-21 09:28 368,912 --------- C:\WINDOWS\system32\vbar332.dll
2007-05-21 09:28 348,160 --------- C:\WINDOWS\system32\msvcr71.dll
2007-05-21 09:28 287,504 --------- C:\WINDOWS\system32\msxbse35.dll
2007-05-21 09:28 28,672 --------- C:\WINDOWS\system32\RegAsm.exe
2007-05-21 09:28 274,704 --------- C:\WINDOWS\system32\ntwdblib.dll
2007-05-21 09:28 253,952 --------- C:\WINDOWS\system32\dzactx.dll
2007-05-21 09:28 252,176 --------- C:\WINDOWS\system32\msrd2x35.dll
2007-05-21 09:28 250,128 --------- C:\WINDOWS\system32\mspdox35.dll
2007-05-21 09:28 250,128 --------- C:\WINDOWS\system32\msexcl35.dll
2007-05-21 09:28 229,376 --------- C:\WINDOWS\system32\duzactx.dll
2007-05-21 09:28 166,160 --------- C:\WINDOWS\system32\msltus35.dll
2007-05-21 09:28 165,648 --------- C:\WINDOWS\system32\mstext35.dll
2007-05-21 09:28 148,480 --------- C:\WINDOWS\system32\tlbinf32.dll
2007-05-21 09:28 1,046,288 --------- C:\WINDOWS\system32\msjet35.dll
2007-05-21 09:27 974,848 --------- C:\WINDOWS\system32\mfc70.dll
2007-05-21 09:27 89,088 --------- C:\WINDOWS\system32\atl71.dll
2007-05-21 09:27 84,992 --------- C:\WINDOWS\system32\atl70.dll
2007-05-21 09:27 634,880 --------- C:\WINDOWS\system32\gsprop32.dll
2007-05-21 09:27 49,214 --------- C:\WINDOWS\system32\jdkhook.dll
2007-05-21 09:27 49,152 --------- C:\WINDOWS\system32\dz_ez32.dll
2007-05-21 09:27 423,016 --------- C:\WINDOWS\system32\gsw32.exe
2007-05-21 09:27 415,504 --------- C:\WINDOWS\system32\msrepl35.dll
2007-05-21 09:27 32,768 --------- C:\WINDOWS\system32\dzprog32.exe
2007-05-21 09:27 242,816 --------- C:\WINDOWS\system32\gswag32.dll
2007-05-21 09:27 24,848 --------- C:\WINDOWS\system32\msjter35.dll
2007-05-21 09:27 24,648 --------- C:\WINDOWS\system32\MercuryTestLauncher.exe
2007-05-21 09:27 16,272 --------- C:\WINDOWS\system32\drivers\packet.sys
2007-05-21 09:27 155,648 --------- C:\WINDOWS\system32\mscoree.dll
2007-05-21 09:27 152,688 --------- C:\WINDOWS\system32\gswdll32.dll
2007-05-21 09:27 146,976 --------- C:\WINDOWS\system32\MFCOLEUI.DLL
2007-05-21 09:27 131,072 --------- C:\WINDOWS\system32\dzip32.dll
2007-05-21 09:27 123,664 --------- C:\WINDOWS\system32\msjint35.dll
2007-05-21 09:27 122,981 --------- C:\WINDOWS\system32\MercuryScenarioLauncher.exe
2007-05-21 09:27 110,592 --------- C:\WINDOWS\system32\gsjpg32.dll
2007-05-21 09:27 110,592 --------- C:\WINDOWS\system32\dunzip32.dll
2007-05-21 09:27 1,216,580 --------- C:\WINDOWS\system32\cjhook_rec.dll
2007-05-21 09:27 1,060,864 --------- C:\WINDOWS\system32\mfc71.dll
2007-05-21 09:19 159,744 --------- C:\WINDOWS\miuninst6.exe
2007-05-21 08:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-05-21 08:22 <DIR> d-------- C:\Program Files\Google
2007-05-21 08:11 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-05-21 08:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-21 00:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-21 00:07 1,017,758 ---hs---- C:\WINDOWS\system32\jmppo.bak1
2007-05-20 23:54 <DIR> d-------- C:\DOCUME~1\HS\APPLIC~1\uTorrent
2007-05-19 23:41 <DIR> d-------- C:\Program Files\Grisoft(2)
2007-05-19 23:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft(2)
2007-05-19 23:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7(2)
2007-05-19 23:09 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-05-19 23:07 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-05-19 22:57 <DIR> d-------- C:\Program Files\MSBuild
2007-05-19 22:52 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-19 22:51 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-05-19 22:23 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-05-19 22:14 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-05-19 19:48 <DIR> d-------- C:\Program Files\Snapshot Viewer
2007-05-19 15:35 <DIR> d-------- C:\70SP4
2007-05-19 09:25 <DIR> d-------- C:\Program Files\Mercury Interactive

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{474264BC-9571-47C1-85B9-780F756DC9CE}=C:\WINDOWS\system32\BHOManager.dll [2004-11-15 03:22]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-21 12:48]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"xitami"="C:\Program Files\Xitami\xiwin32.exe" [1998-07-10 15:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"="C:\WINDOWS\system32\ShellHook.dll" [2004-11-15 03:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=MicIPCU.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-05-26 01:20:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-05 21:54:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-05 21:55:19
--- E O F ---
#12
VundoFix V6.4.2
Checking Java version...
Sun Java not detected
Scan started at 9:46:32 PM 05/06/2007

Listing files found while scanning....

No infected files were found.
--------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:22:06 PM, on 11/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Xitami\xiwin32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mercury Interactive\Mercury LoadRunner\launch_service\bin\magentproc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\HS\Desktop\SQLEXPR.EXE
c:\8209fd82b4ba861942b8d1\setup.exe
c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\setup.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOManager Class - {474264BC-9571-47C1-85B9-780F756DC9CE} - C:\WINDOWS\system32\BHOManager.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [xitami] C:\Program Files\Xitami\xiwin32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: LoadRunner Agent Process.lnk = C:\Program Files\Mercury Interactive\Mercury LoadRunner\launch_service\bin\magentproc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A04E2CD-6873-4A16-BC2F-AB3C1BF21661}: NameServer = 192.168.1.1
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
O20 - AppInit_DLLs: MicIPCU.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
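The triage the helpers are doing by eye on the ComboFix "Files Created" list (post #11) and the HijackThis log (post #12) can be written down as a small script, which is useful when you have more than one log to read. What follows is an added example for this thread, not code from the original posts, from HijackThis, from ComboFix or from any other tool mentioned here. The sample lines are copied from the two logs above; the severity labels, the 2 KiB size threshold and the set of extensions treated as "code" are assumptions of the example. It only flags entries for a human to verify, it does not decide that any file is malicious, and the flagged AppInit_DLLs entry (MicIPCU.dll) and the hidden/system file (jmppo.bak1) are exactly the two items the replies in this thread single out.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input copied from the HijackThis log posted above (post #12).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [xitami] C:\Program Files\Xitami\xiwin32.exe
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
O20 - AppInit_DLLs: MicIPCU.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Sample input copied from the ComboFix "Files Created" list posted above
# (post #11). Attribute flags, left to right: d=directory, r=read-only,
# a=archive, h=hidden, s=system.
COMBOFIX_SAMPLE = r"""
2007-06-05 21:46 <DIR> d-------- C:\VundoFix Backups
2007-05-31 21:47 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-05-31 21:47 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2007-05-21 14:07 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-05-21 09:28 499,712 --------- C:\WINDOWS\system32\msvcp71.dll
2007-05-21 00:07 1,017,758 ---hs---- C:\WINDOWS\system32\jmppo.bak1
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"; the labels are an assumption
    line: str
    reason: str


# HijackThis sections that are code launch points (others are settings).
LAUNCH_POINTS = {"O2", "O4", "O18", "O20", "O21", "O22", "O23"}


def triage_hjt(log: str) -> List[Finding]:
    """Flag HijackThis lines a reviewer should look at before anything else."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m or m.group(1) not in LAUNCH_POINTS:
            continue
        body = m.group(2)
        if "(no file)" in body or "(file missing)" in body:
            # The registry still points at something that is gone: either a
            # half-removed infection or an uninstall leftover. Dead either way.
            findings.append(Finding("medium", line,
                "launch point whose target no longer exists; remove the entry"))
        elif body.startswith("AppInit_DLLs:"):
            dll = body.split(":", 1)[1].strip()
            how = "full path" if "\\" in dll else "bare name, resolved through the DLL search path"
            findings.append(Finding("high", line,
                f"AppInit_DLLs injects {dll} into every process that loads user32.dll ({how}); verify publisher"))
        elif body.startswith("Winlogon Notify:"):
            findings.append(Finding("info", line,
                "notification package runs inside winlogon.exe; verify publisher"))
    return findings


ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([d-][r-][a-][h-][s-]\S*)\s+(.+)$")
CODE_EXTS = (".dll", ".exe", ".sys", ".ocx", ".scr", ".cpl")
TINY_PE = 2048  # assumption: a real module under system32 is rarely this small


def triage_combofix_created(log: str) -> List[Finding]:
    """Flag newly created files that look out of place under system32."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        _when, size, attrs, path = m.groups()
        if attrs[0] == "d":
            continue  # directories are not payloads
        lower = path.lower()
        if "\\windows\\system32\\" not in lower:
            continue  # this pass only looks at the system directory
        hidden, system = attrs[3] == "h", attrs[4] == "s"
        name = lower.rsplit("\\", 1)[-1]
        size_bytes = int(size.replace(",", ""))
        if hidden and system:
            # Installers do not drop hidden+system files into system32, and a
            # name like jmppo.bak1 is not a normal module name either.
            findings.append(Finding("high", line,
                "hidden+system file dropped into system32; inspect and remove"))
        elif name.endswith(CODE_EXTS) and size_bytes < TINY_PE:
            findings.append(Finding("medium", line,
                f"{size_bytes}-byte file with a code extension; check it even has an MZ/PE header"))
    return findings


def report(findings: List[Finding]) -> str:
    return "\n".join(f"[{f.severity:6}] {f.reason}\n         {f.line}" for f in findings)


if __name__ == "__main__":
    print("== HijackThis ==")
    print(report(triage_hjt(HJT_SAMPLE)))
    print("== ComboFix files created ==")
    print(report(triage_combofix_created(COMBOFIX_SAMPLE)))
```

Run it as-is and it prints the two "(no file)"/"(file missing)" orphans, the AppInit_DLLs line and the Winlogon Notify line from the HJT sample, then the two sub-2 KiB .dll files and the hidden/system jmppo.bak1 from the ComboFix sample. To use it on a real log, replace the two sample strings with the file contents; the rules deliberately stop at "go and look at this", because whether MicIPCU.dll or the tiny .dll files belong to an installed product (LoadRunner and its licensing components are on this machine) is a judgement the script cannot make.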
#13
Hello bluewalker,
It seems that this is just a remnant left behind. Make sure you can View Hidden Files and Folders, then navigate to and delete the following file:
C:\WINDOWS\system32\jmppo.bak1
Empty your Recycle Bin.
~~~~~~~~~~~~~~~~~~~~~~~~
Go here or here and upload the following file(s) for a scan; after the scan is completed please copy and paste the results back here:
c:\8209fd82b4ba861942b8d1\setup.exe