Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
 
Topic Tools
  #1  
Old January 19th, 2008, 11:28 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
Error during booting

Whenever i boot up my pc i keep getting this message.

Windows cannot find C:\Windows\system32\awtqr.exe make sure typed correctly and then try again. To search for file click the start button and then click search.[/

Can you help me, plz and ty.
Reply With Quote
  #2  
Old January 21st, 2008, 01:08 PM
Morfeasss Morfeasss is offline
CTH Subscriber
 
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
Hello junlee,

This is a malware file that it is supposed to load on startup, but it probably doesn't exist anymore and this is the reason you see this message every time you boot. Usually infections install more files in a system, let's see what's running in your system.

Please download HijackThis from here. Click on the downloaded file to run it and select "Do a system scan and save a logfile". Use copy/paste and post back here the log it creates for review.
~~~~~~~~~~~

I would also like to see another kind of scan, go here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here.

Please post back the HijackThis log and the Silent Runners log.
Reply With Quote
  #3  
Old January 21st, 2008, 03:43 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:50 AM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jun Lee\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196301569458
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SphtBot Profile Launcher (SBProfileLauncher) - Unknown owner - C:\Documents and Settings\Jun Lee\Desktop\New Folder (3)\ProfileLauncher.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11430 bytes
Reply With Quote
  #4  
Old January 21st, 2008, 03:44 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"Aim6" = (empty string) [file not found]
"NVIDIA nTune" = ""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" ["NVIDIA"]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" ["Google Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Steam" = ""C:\Program Files\Steam\Steam.exe" -silent" ["Valve Corporation"]
"Router" = "C:\Program Files\Router\Router.exe" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Words" = "C:\Program Files\Words\Words.exe" [file not found]
"DAEMON Tools Lite" = ""C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"IAAnotif" = "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" ["Intel Corporation"]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask .exe" -atboottime" ["Apple Inc."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll" ["Symantec Corporation"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
-> {HKLM...CLSID} = "BitComet Helper"
\InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll" ["BitComet"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.d ll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.d ll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "load" = "C:\WINDOWS\system32\awtqr.exe" [file not found]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.D LL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandler s\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandler s\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMen uHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHa ndlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex \ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jun Lee\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Jun Lee" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Jun Lee\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Reply With Quote
  #5  
Old January 21st, 2008, 03:44 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll" ["Symantec Corporation"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
-> {HKLM...CLSID} = "Skype add-on (button)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
"ButtonText" = "BitComet"
"Script" = "res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206" ["BitComet"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Intel(R) Matrix Storage Event Monitor, IAANTMon, "C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe" ["Intel Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
nTune Service, nTuneService, "C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monito rs\
Dell Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2008-01-21 09:41:27)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 74 seconds, including 21 seconds for message boxes)
Reply With Quote
  #6  
Old January 21st, 2008, 07:20 PM
Morfeasss Morfeasss is offline
CTH Subscriber
 
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
Yes, that file was supposed to load early on startup.

Download

Combofix.exe and save it to your desktop.

Disable your Antivirus (Important!).
Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix.
When the scan completes it will open a text window. Please copy/paste that log back here together with a new HijackThis log.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
~~~~~~~~~~~~~~

I have limited information on an entry. Do you know what this is?

O23 - Service: SphtBot Profile Launcher (SBProfileLauncher) - Unknown owner - C:\Documents and Settings\Jun Lee\Desktop\New Folder (3)\ProfileLauncher.exe (file missing)


If you don't, please make sure you can View Hidden Files and Folders first and go here or here and upload the following file(s) for a scan, after the scan is completed please copy and paste the results back here:

C:\Documents and Settings\Jun Lee\Desktop\New Folder (3)\ProfileLauncher.exe

Post back the Combofix report along with a new HijackThis log and a new Silent Runners report. Also any information you can provide on the entry I asked you or the results from VirusTotal or Jotti please.
Reply With Quote
  #7  
Old January 21st, 2008, 10:58 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
Combofix part1

ComboFix 08-01-20.1 - Jun Lee 2008-01-21 16:54:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1344 [GMT -5:00]
Running from: C:\Documents and Settings\Jun Lee\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1848OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\Router
C:\Program Files\Temporary
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\WINDOWS\b143.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 16:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 18:08 . 2008-01-20 22:32 <DIR> d---s---- C:\Program Files\Xfire
2008-01-20 18:08 . 2008-01-20 22:33 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\Xfire
2008-01-20 18:05 . 2008-01-20 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-20 18:00 . 2008-01-20 18:00 <DIR> d-------- C:\Program Files\GALA-NET
2008-01-20 18:00 . 2005-08-11 15:29 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-01-19 12:32 . 2008-01-19 12:35 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-19 12:32 . 2008-01-19 12:32 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\DAEMON Tools
2008-01-19 10:57 . 2008-01-19 10:57 <DIR> d-------- C:\Program Files\uTorrent
2008-01-19 10:57 . 2008-01-21 16:53 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\uTorrent
2008-01-19 10:07 . 2008-01-19 10:07 <DIR> d-------- C:\Program Files\Eidos
2008-01-13 19:49 . 2007-11-06 20:30 158,263 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-12 10:04 . 2008-01-12 10:04 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-12 10:04 . 2008-01-12 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-12 09:33 . 2008-01-17 08:21 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-12 00:37 . 2008-01-20 13:33 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-11 16:05 . 2008-01-11 16:05 <DIR> d-------- C:\Program Files\DivX
2008-01-09 16:55 . 2003-10-27 14:06 140,488 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-01-09 16:55 . 2003-10-27 14:06 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-09 16:55 . 2003-10-27 14:06 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-01-09 16:55 . 2003-10-27 14:06 69,632 --a------ C:\WINDOWS\system32\xmltok.dll
2008-01-09 16:55 . 2003-10-27 14:06 36,864 --a------ C:\WINDOWS\system32\xmlparse.dll
2008-01-09 16:55 . 2003-10-27 14:06 35,840 --a------ C:\WINDOWS\system32\comdlg32.oca
2008-01-09 16:55 . 2003-10-27 14:06 29,184 --a------ C:\WINDOWS\system32\MSINET.oca
2008-01-09 16:55 . 2003-10-27 14:06 26,096 --a------ C:\WINDOWS\system32\xmlinst.exe
2008-01-09 16:55 . 2003-10-27 14:06 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-09 16:50 . 2008-01-19 11:50 <DIR> d-------- C:\Program Files\UBISOFT
2008-01-05 18:59 . 2008-01-05 19:00 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\DAEMON Tools Pro
2008-01-05 18:53 . 2008-01-19 12:29 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-01-05 18:50 . 2008-01-06 11:18 <DIR> d-------- C:\WINDOWS\svchost
2008-01-05 18:50 . 2004-08-03 20:07 72,192 --a------ C:\WINDOWS\system32\data2.set
2008-01-05 18:50 . 2004-08-03 20:07 72,192 --a------ C:\WINDOWS\system32\data1.set
2008-01-05 18:50 . 2006-09-05 00:51 2,074 --a------ C:\WINDOWS\regedit.exe.reg
2008-01-05 18:35 . 2008-01-05 19:04 <DIR> d-------- C:\Program Files\The Witcher
2008-01-04 09:42 . 2008-01-05 09:50 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\Move Networks
2008-01-02 20:41 . 2008-01-02 20:41 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-02 20:41 . 2008-01-02 20:41 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-02 06:39 . 2008-01-02 06:39 244 --ah----- C:\sqmnoopt06.sqm
2008-01-02 06:39 . 2008-01-02 06:39 232 --ah----- C:\sqmdata06.sqm
2008-01-01 21:21 . 2008-01-01 21:21 244 --ah----- C:\sqmnoopt05.sqm
2008-01-01 21:21 . 2008-01-01 21:21 232 --ah----- C:\sqmdata05.sqm
2008-01-01 15:43 . 2008-01-01 15:43 244 --ah----- C:\sqmnoopt04.sqm
2008-01-01 15:43 . 2008-01-01 15:43 232 --ah----- C:\sqmdata04.sqm
2008-01-01 09:18 . 2008-01-01 09:18 244 --ah----- C:\sqmnoopt03.sqm
2008-01-01 09:18 . 2008-01-01 09:18 232 --ah----- C:\sqmdata03.sqm
2007-12-31 10:59 . 2007-12-31 10:59 <DIR> dr-h----- C:\Documents and Settings\Jun Lee\Application Data\SecuROM
2007-12-31 10:59 . 2008-01-19 12:26 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-31 10:44 . 2007-12-31 10:44 <DIR> d-------- C:\Program Files\Flagship Studios
2007-12-29 11:14 . 2007-12-29 11:14 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\InstallShield Installation Information
2007-12-29 10:57 . 2007-12-29 10:57 <DIR> d-------- C:\Program Files\Unreal Tournament 3
2007-12-29 09:50 . 2007-12-29 09:50 268 --ah----- C:\sqmdata02.sqm
2007-12-29 09:50 . 2007-12-29 09:50 244 --ah----- C:\sqmnoopt02.sqm
2007-12-29 09:31 . 2007-12-29 09:31 244 --ah----- C:\sqmnoopt01.sqm
2007-12-29 09:31 . 2007-12-29 09:31 232 --ah----- C:\sqmdata01.sqm
2007-12-24 10:04 . 2007-12-24 11:05 5,120 --a------ C:\WINDOWS\system32\BReWErS.dll
2007-12-24 09:23 . 2007-12-24 09:23 319 --a------ C:\WINDOWS\game.ini
2007-12-24 09:10 . 2007-12-24 09:10 <DIR> d-------- C:\Program Files\Activision
2007-12-24 09:08 . 2007-12-24 09:08 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-23 08:40 . 2008-01-21 07:32 <DIR> d-------- C:\Program Files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-20 23:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 23:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-20 21:56 --------- d-----w C:\Program Files\Warcraft III
2008-01-20 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-20 21:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-20 14:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-19 17:30 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-19 16:33 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Skype
2008-01-19 15:15 --------- d-----w C:\Program Files\Azureus
2008-01-19 15:12 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\skypePM
2008-01-19 15:07 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Azureus
2008-01-19 00:32 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-19 00:31 --------- d-----w C:\Program Files\QuickTime
2008-01-19 00:31 --------- d-----w C:\Program Files\Norton 360
2008-01-19 00:31 --------- d-----w C:\Program Files\iTunes
2008-01-12 15:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-11 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-06 14:27 --------- d-----w C:\Program Files\Final Fantasy VII
2007-12-29 15:56 --------- d-----w C:\Program Files\AGEIA Technologies
2007-12-29 15:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 15:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-27 15:58 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-24 14:51 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-24 14:24 22,328 ----a-w C:\Documents and Settings\Jun Lee\Application Data\PnkBstrK.sys
2007-12-20 16:51 --------- d-----w C:\Program Files\TriChlor
2007-12-16 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-16 18:42 --------- d-----w C:\Program Files\BitComet
2007-12-15 15:52 --------- d-----w C:\Program Files\Google
2007-12-15 01:09 --------- d-----w C:\Program Files\Square Soft, Inc
2007-12-14 23:40 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Ventrilo
2007-12-14 19:08 --------- d-----w C:\Program Files\Pcsx2
2007-12-12 00:23 --------- d-----w C:\Program Files\Ares
2007-12-11 04:04 --------- d-----w C:\Program Files\The Rosetta Stone
2007-12-11 02:06 --------- d-----w C:\Program Files\Java
2007-12-11 02:04 --------- d-----w C:\Program Files\Common Files\Java
2007-12-10 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 23:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-08 14:57 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Talkback
2007-12-08 14:52 --------- d-----w C:\Program Files\Picasa2
2007-12-08 14:51 --------- d-----w C:\Program Files\Norton Security Scan
2007-12-05 21:51 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Grisoft
2007-12-05 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-05 21:05 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 21:05 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 21:05 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 21:05 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 21:05 --------- d-----w C:\Program Files\Symantec
2007-12-05 03:56 --------- d-----w C:\Program Files\Jasc Software Inc
2007-12-05 03:56 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Jasc Software Inc
2007-12-05 03:55 --------- d-----w C:\Program Files\Dell Computer
2007-12-05 03:54 --------- d-----w C:\Program Files\Dell 720
2007-12-04 03:43 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-12-04 00:10 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2007-12-04 00:00 --------- d-----w C:\Program Files\Electronic Arts
2007-12-03 14:06 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-02 16:56 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Nero
2007-12-02 16:55 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-02 16:53 --------- d-----w C:\Program Files\Nero
2007-12-02 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-02 16:10 --------- d-----w C:\Program Files\MSBuild
2007-12-02 16:10 --------- d-----w C:\Program Files\Microsoft Works
2007-12-01 15:05 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-01 15:05 --------- d-----w C:\Program Files\Skype
2007-12-01 15:05 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-01 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-01 06:40 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\vlc
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 17:47 --------- d-----w C:\Program Files\Ventrilo
2007-11-30 17:41 --------- d-----w C:\Program Files\VideoLAN
2007-11-30 13:35 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Symantec
2007-11-29 23:29 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Viewpoint
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 20:35 --------- d-----w C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-29 03:45 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-11-29 03:18 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2007-11-29 02:57 --------- d-----w C:\Program Files\iPod
2007-11-29 02:57 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Apple Computer
2007-11-29 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-29 02:56 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-29 02:56 --------- d-----w C:\Program Files\Apple Software Update
2007-11-29 02:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-29 02:41 --------- d-----w C:\Program Files\Windows Live
2007-11-29 02:40 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-29 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-29 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-11-29 02:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-29 02:36 --------- d-----w C:\Program Files\Viewpoint
2007-11-29 02:36 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-29 02:36 --------- d-----w C:\Program Files\AIM6
2007-11-29 02:36 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\acccore
2007-11-29 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
.
Code:
<pre>
----a-w           970,752 2008-01-18 22:18:52  C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater .exe
----a-w           202,024 2008-01-18 22:18:38  C:\Program Files\Common Files\Nero\Lib\NMBgMonitor .exe
----a-w           115,816 2008-01-18 22:18:28  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           517,768 2008-01-19 00:31:33  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w           136,136 2008-01-17 20:43:59  C:\Program Files\DAEMON Tools Pro\DTProAgent .exe
----a-w            68,856 2008-01-18 22:18:41  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           139,264 2008-01-18 22:18:25  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif .exe
----a-w           267,048 2008-01-18 22:18:25  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           132,496 2008-01-18 22:18:28  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w         1,694,208 2008-01-18 22:19:02  C:\Program Files\Messenger\msmsgs .exe
----a-w            31,016 2008-01-18 22:18:28  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w            81,920 2008-01-18 22:18:34  C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd .exe
----a-w           286,720 2008-01-19 00:33:21  C:\Program Files\QuickTime\qttask                         .exe
----a-w           286,720 2008-01-20 18:42:07  C:\Program Files\QuickTime\qttask                        .exe
----a-w           286,720 2008-01-20 18:42:08  C:\Program Files\QuickTime\qttask                       .exe
----a-w           286,720 2008-01-20 18:42:08  C:\Program Files\QuickTime\qttask                      .exe
----a-w           286,720 2008-01-20 18:42:09  C:\Program Files\QuickTime\qttask                     .exe
----a-w           286,720 2008-01-20 18:42:10  C:\Program Files\QuickTime\qttask                    .exe
----a-w           286,720 2008-01-20 18:42:11  C:\Program Files\QuickTime\qttask                   .exe
----a-w           286,720 2008-01-20 18:42:12  C:\Program Files\QuickTime\qttask                  .exe
----a-w           286,720 2008-01-20 18:42:12  C:\Program Files\QuickTime\qttask                 .exe
----a-w           286,720 2008-01-20 18:42:13  C:\Program Files\QuickTime\qttask                .exe
----a-w           286,720 2008-01-20 18:42:13  C:\Program Files\QuickTime\qttask               .exe
----a-w           286,720 2008-01-20 18:42:14  C:\Program Files\QuickTime\qttask              .exe
----a-w           286,720 2008-01-20 18:42:16  C:\Program Files\QuickTime\qttask             .exe
----a-w           286,720 2008-01-20 18:42:18  C:\Program Files\QuickTime\qttask            .exe
----a-w           286,720 2008-01-20 18:42:19  C:\Program Files\QuickTime\qttask           .exe
----a-w           286,720 2008-01-20 18:42:20  C:\Program Files\QuickTime\qttask          .exe
----a-w           286,720 2008-01-20 18:42:22  C:\Program Files\QuickTime\qttask         .exe
----a-w           286,720 2008-01-20 18:42:23  C:\Program Files\QuickTime\qttask        .exe
----a-w           286,720 2008-01-20 18:42:24  C:\Program Files\QuickTime\qttask       .exe
----a-w           286,720 2008-01-20 18:42:25  C:\Program Files\QuickTime\qttask      .exe
----a-w           286,720 2008-01-20 18:42:25  C:\Program Files\QuickTime\qttask     .exe
----a-w           286,720 2008-01-20 18:42:26  C:\Program Files\QuickTime\qttask    .exe
----a-w           286,720 2008-01-20 18:42:27  C:\Program Files\QuickTime\qttask   .exe
----a-w           286,720 2008-01-20 18:42:28  C:\Program Files\QuickTime\qttask  .exe
----a-w           286,720 2008-01-20 18:42:28  C:\Program Files\QuickTime\qttask .exe
----a-w         1,266,936 2008-01-18 22:18:52  C:\Program Files\Steam\Steam .exe
----a-w         5,724,184 2008-01-16 18:52:21  C:\Program Files\Windows Live\Messenger\MsnMsgr                   .Exe
----a-w         5,724,184 2008-01-20 18:45:46  C:\Program Files\Windows Live\Messenger\MsnMsgr                  .Exe
----a-w         5,724,184 2008-01-20 18:45:55  C:\Program Files\Windows Live\Messenger\MsnMsgr                 .Exe
----a-w         5,724,184 2008-01-20 18:46:03  C:\Program Files\Windows Live\Messenger\MsnMsgr                .Exe
----a-w         5,724,184 2008-01-20 18:46:12  C:\Program Files\Windows Live\Messenger\MsnMsgr               .Exe
----a-w         5,724,184 2008-01-20 18:46:21  C:\Program Files\Windows Live\Messenger\MsnMsgr              .Exe
----a-w         5,724,184 2008-01-20 18:46:31  C:\Program Files\Windows Live\Messenger\MsnMsgr             .Exe
----a-w         5,724,184 2008-01-20 18:46:41  C:\Program Files\Windows Live\Messenger\MsnMsgr            .Exe
----a-w         5,724,184 2008-01-20 18:46:50  C:\Program Files\Windows Live\Messenger\MsnMsgr           .Exe
----a-w         5,724,184 2008-01-20 18:46:59  C:\Program Files\Windows Live\Messenger\MsnMsgr          .Exe
----a-w         5,724,184 2008-01-20 18:47:07  C:\Program Files\Windows Live\Messenger\msnmsgr        .exe
----a-w         5,724,184 2008-01-20 18:47:17  C:\Program Files\Windows Live\Messenger\msnmsgr       .exe
----a-w         5,724,184 2008-01-20 18:47:26  C:\Program Files\Windows Live\Messenger\msnmsgr      .exe
----a-w         5,724,184 2008-01-20 18:47:34  C:\Program Files\Windows Live\Messenger\msnmsgr     .exe
----a-w         5,724,184 2008-01-20 18:47:43  C:\Program Files\Windows Live\Messenger\msnmsgr    .exe
----a-w         5,724,184 2008-01-20 18:47:53  C:\Program Files\Windows Live\Messenger\msnmsgr   .exe
----a-w         5,724,184 2008-01-20 18:48:01  C:\Program Files\Windows Live\Messenger\msnmsgr  .exe
----a-w         5,724,184 2008-01-18 01:12:19  C:\Program Files\Windows Live\Messenger\msnmsgr .exe
----a-w            15,360 2008-01-17 13:21:10  C:\WINDOWS\system32\ctfmon .exe
</pre>
Reply With Quote
  #8  
Old January 21st, 2008, 10:59 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
combofix part2

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Aim6"="" []
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-18 19:33 81920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-01-18 19:32 202024]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-01-18 19:32 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 19:32 15360]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-18 19:33 1266936]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-18 19:33 1694208]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 11:51 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-06 20:30 8523776]
"nwiz"="nwiz.exe" [2007-11-06 20:30 1626112 C:\WINDOWS\system32\nwiz.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-01-18 19:32 139264]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-18 19:32 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-18 19:32 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-18 19:32 517768]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-01-18 19:33 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-18 19:33 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-18 19:33 286720]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray. dll" [2007-11-06 20:30 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-11-28 20:36:30 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-18 19:32 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-11-07 05:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-18 19:33 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-20 13:42 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 17:20 339968 C:\WINDOWS\stsystra.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 SBProfileLauncher;SphtBot Profile Launcher;C:\Documents and Settings\Jun Lee\Desktop\New Folder (3)\ProfileLauncher.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{55a3c243-a1e1-11dc-8555-00123f75d0fd}]
\Shell\AutoRun\command - K:\Autorun.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 13:24:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 16:57:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-01-21 16:57:48
ComboFix-quarantined-files.txt 2008-01-21 21:57:46
.
2008-01-09 14:13:35 --- E O F ---
Reply With Quote
  #9  
Old January 21st, 2008, 11:00 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
Hijacklog

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:49 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jun Lee\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196301569458
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SphtBot Profile Launcher (SBProfileLauncher) - Unknown owner - C:\Documents and Settings\Jun Lee\Desktop\New Folder (3)\ProfileLauncher.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11382 bytes
Reply With Quote
  #10  
Old January 21st, 2008, 11:01 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
Silent runner part 1

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"Aim6" = (empty string) [file not found]
"NVIDIA nTune" = ""C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" ["NVIDIA"]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" ["Google Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Steam" = ""C:\Program Files\Steam\Steam.exe" -silent" ["Valve Corporation"]
"Router" = "C:\Program Files\Router\Router.exe" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"DAEMON Tools Lite" = ""C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"IAAnotif" = "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" ["Intel Corporation"]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask .exe" -atboottime" ["Apple Inc."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll" ["Symantec Corporation"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
-> {HKLM...CLSID} = "BitComet Helper"
\InProcServer32\(Default) = "C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll" ["BitComet"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.d ll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.d ll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.D LL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandler s\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandler s\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMen uHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHa ndlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex \ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Reply With Quote
  #11  
Old January 21st, 2008, 11:02 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
Silent runner part 2

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jun Lee\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Jun Lee" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Jun Lee\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
-> {HKLM...CLSID} = "Skype add-on (button)"
\InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{D18A0B52-D63C-4ED0-AFC6-C1E3DC1AF43A}\
"ButtonText" = "BitComet"
"Script" = "res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206" ["BitComet"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Intel(R) Matrix Storage Event Monitor, IAANTMon, "C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe" ["Intel Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
nTune Service, nTuneService, "C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monito rs\
Dell Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2008-01-21 17:00:16)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 48 seconds, including 10 seconds for message boxes)
Reply With Quote
  #12  
Old January 21st, 2008, 11:04 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
Oh and about that file, i couldnt find it, i have already the show all hidden files set up but i dont see the new foler. However i remember making that folder jsut not sure waht was in it. It was probally somehting that i unzip, i didn want it to be all over my desktop.
Reply With Quote
  #13  
Old January 22nd, 2008, 02:29 PM
Morfeasss Morfeasss is offline
CTH Subscriber
 
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
That's alright,

Run HijackThis and place a checkmark next to the following item in bold, close all open windows and click Fix Checked:

O23 - Service: SphtBot Profile Launcher (SBProfileLauncher) - Unknown owner - C:\Documents and Settings\Jun Lee\Desktop\New Folder (3)\ProfileLauncher.exe (file missing)

And close HijackThis.
~~~~~~~~~~~~~~~~


Code:
KillAll::
File::
C:\WINDOWS\regedit.exe.reg
C:\WINDOWS\system32\data1.set
C:\WINDOWS\system32\data2.set


Folder::
C:\WINDOWS\svchost

RenV::
----a-w           970,752 2008-01-18 22:18:52  C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater .exe
----a-w           202,024 2008-01-18 22:18:38  C:\Program Files\Common Files\Nero\Lib\NMBgMonitor .exe
----a-w           115,816 2008-01-18 22:18:28  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           517,768 2008-01-19 00:31:33  C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
----a-w           136,136 2008-01-17 20:43:59  C:\Program Files\DAEMON Tools Pro\DTProAgent .exe
----a-w            68,856 2008-01-18 22:18:41  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           139,264 2008-01-18 22:18:25  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif .exe
----a-w           267,048 2008-01-18 22:18:25  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           132,496 2008-01-18 22:18:28  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w         1,694,208 2008-01-18 22:19:02  C:\Program Files\Messenger\msmsgs .exe
----a-w            31,016 2008-01-18 22:18:28  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w            81,920 2008-01-18 22:18:34  C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd .exe
----a-w           286,720 2008-01-19 00:33:21  C:\Program Files\QuickTime\qttask                         .exe
----a-w           286,720 2008-01-20 18:42:07  C:\Program Files\QuickTime\qttask                        .exe
----a-w           286,720 2008-01-20 18:42:08  C:\Program Files\QuickTime\qttask                       .exe
----a-w           286,720 2008-01-20 18:42:08  C:\Program Files\QuickTime\qttask                      .exe
----a-w           286,720 2008-01-20 18:42:09  C:\Program Files\QuickTime\qttask                     .exe
----a-w           286,720 2008-01-20 18:42:10  C:\Program Files\QuickTime\qttask                    .exe
----a-w           286,720 2008-01-20 18:42:11  C:\Program Files\QuickTime\qttask                   .exe
----a-w           286,720 2008-01-20 18:42:12  C:\Program Files\QuickTime\qttask                  .exe
----a-w           286,720 2008-01-20 18:42:12  C:\Program Files\QuickTime\qttask                 .exe
----a-w           286,720 2008-01-20 18:42:13  C:\Program Files\QuickTime\qttask                .exe
----a-w           286,720 2008-01-20 18:42:13  C:\Program Files\QuickTime\qttask               .exe
----a-w           286,720 2008-01-20 18:42:14  C:\Program Files\QuickTime\qttask              .exe
----a-w           286,720 2008-01-20 18:42:16  C:\Program Files\QuickTime\qttask             .exe
----a-w           286,720 2008-01-20 18:42:18  C:\Program Files\QuickTime\qttask            .exe
----a-w           286,720 2008-01-20 18:42:19  C:\Program Files\QuickTime\qttask           .exe
----a-w           286,720 2008-01-20 18:42:20  C:\Program Files\QuickTime\qttask          .exe
----a-w           286,720 2008-01-20 18:42:22  C:\Program Files\QuickTime\qttask         .exe
----a-w           286,720 2008-01-20 18:42:23  C:\Program Files\QuickTime\qttask        .exe
----a-w           286,720 2008-01-20 18:42:24  C:\Program Files\QuickTime\qttask       .exe
----a-w           286,720 2008-01-20 18:42:25  C:\Program Files\QuickTime\qttask      .exe
----a-w           286,720 2008-01-20 18:42:25  C:\Program Files\QuickTime\qttask     .exe
----a-w           286,720 2008-01-20 18:42:26  C:\Program Files\QuickTime\qttask    .exe
----a-w           286,720 2008-01-20 18:42:27  C:\Program Files\QuickTime\qttask   .exe
----a-w           286,720 2008-01-20 18:42:28  C:\Program Files\QuickTime\qttask  .exe
----a-w           286,720 2008-01-20 18:42:28  C:\Program Files\QuickTime\qttask .exe
----a-w         1,266,936 2008-01-18 22:18:52  C:\Program Files\Steam\Steam .exe
----a-w         5,724,184 2008-01-16 18:52:21  C:\Program Files\Windows Live\Messenger\MsnMsgr                   .Exe
----a-w         5,724,184 2008-01-20 18:45:46  C:\Program Files\Windows Live\Messenger\MsnMsgr                  .Exe
----a-w         5,724,184 2008-01-20 18:45:55  C:\Program Files\Windows Live\Messenger\MsnMsgr                 .Exe
----a-w         5,724,184 2008-01-20 18:46:03  C:\Program Files\Windows Live\Messenger\MsnMsgr                .Exe
----a-w         5,724,184 2008-01-20 18:46:12  C:\Program Files\Windows Live\Messenger\MsnMsgr               .Exe
----a-w         5,724,184 2008-01-20 18:46:21  C:\Program Files\Windows Live\Messenger\MsnMsgr              .Exe
----a-w         5,724,184 2008-01-20 18:46:31  C:\Program Files\Windows Live\Messenger\MsnMsgr             .Exe
----a-w         5,724,184 2008-01-20 18:46:41  C:\Program Files\Windows Live\Messenger\MsnMsgr            .Exe
----a-w         5,724,184 2008-01-20 18:46:50  C:\Program Files\Windows Live\Messenger\MsnMsgr           .Exe
----a-w         5,724,184 2008-01-20 18:46:59  C:\Program Files\Windows Live\Messenger\MsnMsgr          .Exe
----a-w         5,724,184 2008-01-20 18:47:07  C:\Program Files\Windows Live\Messenger\msnmsgr        .exe
----a-w         5,724,184 2008-01-20 18:47:17  C:\Program Files\Windows Live\Messenger\msnmsgr       .exe
----a-w         5,724,184 2008-01-20 18:47:26  C:\Program Files\Windows Live\Messenger\msnmsgr      .exe
----a-w         5,724,184 2008-01-20 18:47:34  C:\Program Files\Windows Live\Messenger\msnmsgr     .exe
----a-w         5,724,184 2008-01-20 18:47:43  C:\Program Files\Windows Live\Messenger\msnmsgr    .exe
----a-w         5,724,184 2008-01-20 18:47:53  C:\Program Files\Windows Live\Messenger\msnmsgr   .exe
----a-w         5,724,184 2008-01-20 18:48:01  C:\Program Files\Windows Live\Messenger\msnmsgr  .exe
----a-w         5,724,184 2008-01-18 01:12:19  C:\Program Files\Windows Live\Messenger\msnmsgr .exe
----a-w            15,360 2008-01-17 13:21:10  C:\WINDOWS\system32\ctfmon .exe
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

[IMG]http://users.*******.be/bluepatchy/miekiemoes/images/CFScript.gif[/IMG]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
Reply With Quote
  #14  
Old January 23rd, 2008, 11:15 PM
junlee's Avatar
junlee junlee is offline
Senior Member
 
Join Date: Feb 2007
Posts: 111
ComboFix 08-01-20.1 - Jun Lee 2008-01-23 17:07:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1588 [GMT -5:00]
Running from: C:\Documents and Settings\Jun Lee\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jun Lee\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\regedit.exe.reg
C:\WINDOWS\system32\data1.set
C:\WINDOWS\system32\data2.set
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\regedit.exe.reg
C:\WINDOWS\svchost
C:\WINDOWS\svchost\add.txt
C:\WINDOWS\svchost\aliases.ini
C:\WINDOWS\svchost\away.txt
C:\WINDOWS\svchost\channels.txt
C:\WINDOWS\svchost\conn.ini
C:\WINDOWS\svchost\engine.ini
C:\WINDOWS\svchost\flood.txt
C:\WINDOWS\svchost\fullname.txt
C:\WINDOWS\svchost\greet.ini
C:\WINDOWS\svchost\injuraturi.txt
C:\WINDOWS\svchost\IRC.ICO
C:\WINDOWS\svchost\kick.txt
C:\WINDOWS\svchost\mirc.ini
C:\WINDOWS\svchost\notify.ini
C:\WINDOWS\svchost\operator.ini
C:\WINDOWS\svchost\partmsg.ini
C:\WINDOWS\svchost\perform.ini
C:\WINDOWS\svchost\reg.reg
C:\WINDOWS\svchost\remote.ini
C:\WINDOWS\svchost\servers.ini
C:\WINDOWS\system32\data1.set
C:\WINDOWS\system32\data2.set

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-21 16:54 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 18:08 . 2008-01-20 22:32 <DIR> d---s---- C:\Program Files\Xfire
2008-01-20 18:08 . 2008-01-20 22:33 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\Xfire
2008-01-20 18:05 . 2008-01-20 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-20 18:00 . 2008-01-20 18:00 <DIR> d-------- C:\Program Files\GALA-NET
2008-01-20 18:00 . 2005-08-11 15:29 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-01-19 12:32 . 2008-01-19 12:35 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-19 12:32 . 2008-01-19 12:32 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\DAEMON Tools
2008-01-19 10:57 . 2008-01-19 10:57 <DIR> d-------- C:\Program Files\uTorrent
2008-01-19 10:57 . 2008-01-21 22:43 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\uTorrent
2008-01-19 10:07 . 2008-01-19 10:07 <DIR> d-------- C:\Program Files\Eidos
2008-01-13 19:49 . 2007-11-06 20:30 158,263 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-12 10:04 . 2008-01-12 10:04 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-12 10:04 . 2008-01-12 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-12 09:33 . 2008-01-17 08:21 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-12 09:33 . 2008-01-17 08:21 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-12 00:37 . 2008-01-20 13:33 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-11 16:05 . 2008-01-11 16:05 <DIR> d-------- C:\Program Files\DivX
2008-01-09 16:55 . 2003-10-27 14:06 140,488 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-01-09 16:55 . 2003-10-27 14:06 115,016 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-09 16:55 . 2003-10-27 14:06 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-01-09 16:55 . 2003-10-27 14:06 69,632 --a------ C:\WINDOWS\system32\xmltok.dll
2008-01-09 16:55 . 2003-10-27 14:06 36,864 --a------ C:\WINDOWS\system32\xmlparse.dll
2008-01-09 16:55 . 2003-10-27 14:06 35,840 --a------ C:\WINDOWS\system32\comdlg32.oca
2008-01-09 16:55 . 2003-10-27 14:06 29,184 --a------ C:\WINDOWS\system32\MSINET.oca
2008-01-09 16:55 . 2003-10-27 14:06 26,096 --a------ C:\WINDOWS\system32\xmlinst.exe
2008-01-09 16:55 . 2003-10-27 14:06 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-09 16:50 . 2008-01-19 11:50 <DIR> d-------- C:\Program Files\UBISOFT
2008-01-05 18:59 . 2008-01-05 19:00 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\DAEMON Tools Pro
2008-01-05 18:53 . 2008-01-23 17:07 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-01-05 18:35 . 2008-01-05 19:04 <DIR> d-------- C:\Program Files\The Witcher
2008-01-04 09:42 . 2008-01-05 09:50 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\Move Networks
2008-01-02 20:41 . 2008-01-02 20:41 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-02 20:41 . 2008-01-02 20:41 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-02 06:39 . 2008-01-02 06:39 244 --ah----- C:\sqmnoopt06.sqm
2008-01-02 06:39 . 2008-01-02 06:39 232 --ah----- C:\sqmdata06.sqm
2008-01-01 21:21 . 2008-01-01 21:21 244 --ah----- C:\sqmnoopt05.sqm
2008-01-01 21:21 . 2008-01-01 21:21 232 --ah----- C:\sqmdata05.sqm
2008-01-01 15:43 . 2008-01-01 15:43 244 --ah----- C:\sqmnoopt04.sqm
2008-01-01 15:43 . 2008-01-01 15:43 232 --ah----- C:\sqmdata04.sqm
2008-01-01 09:18 . 2008-01-01 09:18 244 --ah----- C:\sqmnoopt03.sqm
2008-01-01 09:18 . 2008-01-01 09:18 232 --ah----- C:\sqmdata03.sqm
2007-12-31 10:59 . 2007-12-31 10:59 <DIR> dr-h----- C:\Documents and Settings\Jun Lee\Application Data\SecuROM
2007-12-31 10:59 . 2008-01-19 12:26 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-31 10:44 . 2007-12-31 10:44 <DIR> d-------- C:\Program Files\Flagship Studios
2007-12-29 11:14 . 2007-12-29 11:14 <DIR> d-------- C:\Documents and Settings\Jun Lee\Application Data\InstallShield Installation Information
2007-12-29 10:57 . 2007-12-29 10:57 <DIR> d-------- C:\Program Files\Unreal Tournament 3
2007-12-29 09:50 . 2007-12-29 09:50 268 --ah----- C:\sqmdata02.sqm
2007-12-29 09:50 . 2007-12-29 09:50 244 --ah----- C:\sqmnoopt02.sqm
2007-12-29 09:31 . 2007-12-29 09:31 244 --ah----- C:\sqmnoopt01.sqm
2007-12-29 09:31 . 2007-12-29 09:31 232 --ah----- C:\sqmdata01.sqm
2007-12-24 10:04 . 2007-12-24 11:05 5,120 --a------ C:\WINDOWS\system32\BReWErS.dll
2007-12-24 09:23 . 2007-12-24 09:23 319 --a------ C:\WINDOWS\game.ini
2007-12-24 09:10 . 2007-12-24 09:10 <DIR> d-------- C:\Program Files\Activision
2007-12-24 09:08 . 2007-12-24 09:08 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-23 08:40 . 2008-01-23 17:07 <DIR> d-------- C:\Program Files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-23 22:07 --------- d-----w C:\Program Files\QuickTime
2008-01-23 22:07 --------- d-----w C:\Program Files\iTunes
2008-01-23 22:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-23 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-20 23:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 23:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-20 21:56 --------- d-----w C:\Program Files\Warcraft III
2008-01-20 14:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-19 17:30 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-19 16:33 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Skype
2008-01-19 15:15 --------- d-----w C:\Program Files\Azureus
2008-01-19 15:12 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\skypePM
2008-01-19 15:07 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Azureus
2008-01-19 00:31 --------- d-----w C:\Program Files\Norton 360
2008-01-12 15:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-11 02:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-06 14:27 --------- d-----w C:\Program Files\Final Fantasy VII
2007-12-29 15:56 --------- d-----w C:\Program Files\AGEIA Technologies
2007-12-29 15:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 15:59 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-27 15:58 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-24 14:51 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-24 14:24 22,328 ----a-w C:\Documents and Settings\Jun Lee\Application Data\PnkBstrK.sys
2007-12-20 16:51 --------- d-----w C:\Program Files\TriChlor
2007-12-16 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-16 18:42 --------- d-----w C:\Program Files\BitComet
2007-12-15 15:52 --------- d-----w C:\Program Files\Google
2007-12-15 01:09 --------- d-----w C:\Program Files\Square Soft, Inc
2007-12-14 23:40 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Ventrilo
2007-12-14 19:08 --------- d-----w C:\Program Files\Pcsx2
2007-12-12 00:23 --------- d-----w C:\Program Files\Ares
2007-12-11 04:04 --------- d-----w C:\Program Files\The Rosetta Stone
2007-12-11 02:06 --------- d-----w C:\Program Files\Java
2007-12-11 02:04 --------- d-----w C:\Program Files\Common Files\Java
2007-12-10 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 23:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-08 14:57 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Talkback
2007-12-08 14:52 --------- d-----w C:\Program Files\Picasa2
2007-12-08 14:51 --------- d-----w C:\Program Files\Norton Security Scan
2007-12-05 21:51 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Grisoft
2007-12-05 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-05 21:05 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 21:05 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 21:05 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 21:05 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 21:05 --------- d-----w C:\Program Files\Symantec
2007-12-05 03:56 --------- d-----w C:\Program Files\Jasc Software Inc
2007-12-05 03:56 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Jasc Software Inc
2007-12-05 03:55 --------- d-----w C:\Program Files\Dell Computer
2007-12-05 03:54 --------- d-----w C:\Program Files\Dell 720
2007-12-04 03:43 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-12-04 00:10 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2007-12-04 00:00 --------- d-----w C:\Program Files\Electronic Arts
2007-12-03 14:06 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-02 16:56 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Nero
2007-12-02 16:55 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-02 16:53 --------- d-----w C:\Program Files\Nero
2007-12-02 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-02 16:10 --------- d-----w C:\Program Files\MSBuild
2007-12-02 16:10 --------- d-----w C:\Program Files\Microsoft Works
2007-12-01 15:05 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-01 15:05 --------- d-----w C:\Program Files\Skype
2007-12-01 15:05 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-01 15:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-01 06:40 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\vlc
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-30 17:47 --------- d-----w C:\Program Files\Ventrilo
2007-11-30 17:41 --------- d-----w C:\Program Files\VideoLAN
2007-11-30 13:35 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Symantec
2007-11-29 23:29 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Viewpoint
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-29 20:35 --------- d-----w C:\Documents and Settings\Default User\Application Data\Apple Computer
2007-11-29 03:45 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-11-29 03:18 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2007-11-29 02:57 --------- d-----w C:\Program Files\iPod
2007-11-29 02:57 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\Apple Computer
2007-11-29 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-29 02:56 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-29 02:56 --------- d-----w C:\Program Files\Apple Software Update
2007-11-29 02:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-29 02:41 --------- d-----w C:\Program Files\Windows Live
2007-11-29 02:40 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-29 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-29 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-11-29 02:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-11-29 02:36 --------- d-----w C:\Program Files\Viewpoint
2007-11-29 02:36 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-29 02:36 --------- d-----w C:\Program Files\AIM6
2007-11-29 02:36 --------- d-----w C:\Documents and Settings\Jun Lee\Application Data\acccore
2007-11-29 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-29 02:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Aim6"="" []
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-18 17:18 81920]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-01-18 17:18 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-17 08:21 15360]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-18 17:19 1694208]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 11:51 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-06 20:30 8523776]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-01-18 17:18 139264]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-18 17:18 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-18 17:18 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-18 19:31 517768]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-01-18 17:18 31016]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray. dll" [2007-11-06 20:30 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-11-28 20:36:30 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-01-18 17:18 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-17 08:21 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-11-07 05:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-18 17:19 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-11-06 20:30 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 17:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-18 17:18 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-01-18 17:18 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 SBProfileLauncher;SphtBot Profile Launcher;C:\Documents and Settings\Jun Lee\Desktop\New Folder (3)\ProfileLauncher.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{55a3c243-a1e1-11dc-8555-00123f75d0fd}]
\Shell\AutoRun\command - K:\Autorun.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 13:24:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 17:12:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-01-23 17:14:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 22:14:36
ComboFix2.txt 2008-01-21 21:57:49
.
2008-01-09 14:13:35 --- E O F ---
Reply With Quote
  #15  
Old January 24th, 2008, 10:08 AM
Morfeasss Morfeasss is offline
CTH Subscriber
 
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
Your logs look much better. I see I missed one malware entry, which is now only a registry remnant.

Go to Start> Run, type msconfig and hit Enter. In the window that opens click the Startup tan and locate the entry for "QuickTime Task" . Place a checkmark in the box and click Apply> OK> Reboot afterwards.
~~~~~~~~~~~~

Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

Please post back the report from Kaspersky along with a fresh HijackThis log.
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
What is the Com A error when booting PC OldBit2K15 Windows 95 5 May 7th, 2015 07:40 PM
error during booting up johnfoster Windows XP 0 May 9th, 2011 02:47 AM
Booting up error stk37626 Windows XP 4 November 7th, 2007 02:38 PM
Booting Error Sovetcki Windows Vista 12 October 24th, 2007 09:35 PM
Error While Booting Computer, LowLikeWhoaF150 Windows 98 6 August 29th, 2001 09:26 AM


All times are GMT +1. The time now is 02:45 PM.