Trojandownloader.xs Infection


  • This topic is locked
22 replies to this topic

#1 griff1096

griff1096

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 17 November 2007 - 01:38 AM

Hi all,

I got hit pretty hard! Computer has been messed up for a while. Here's my info:

XP Home SP1. It was SP2, but I tried a REPAIR and, since my Dell did not come with a disk, I borrowed one.
Dell Inspiron 9300

Ran all of the prep things listed in the pinned threads. Removed over 300 infections, but the trojandownloader still remains.


Problems:

1- Black Screen with red writing in the background saying I'm infected and showing me an IP address.
2- Somewhere down the line of trying to fix this, my Intel PROSet wireless has become useless. When I try to access it to choose my connection, it gives me this: "Can not find the iFrmewrk.exe" with the option to BROWSE for it. I have downloaded the software to try and replace this, BUT it will start the installation and give me this: "Server Busy.." with the option to SWITCH TO or RETRY.

What I would really like to do is get it back to factory settings but first I have to have disks and second I have to be able to back up my HD.

Here is my LOG file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:11 AM, on 11/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [{C6-69-9A-AD-ZN}] C:\windows\system32\kodsrngq.exe CHD001
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [ghyzgnwh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ghyzgnwh.dll"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinpldq.exe CHD001
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [cfqzwdor] rundll32.exe "C:\Program Files\svuhctqf\ixetgtmb.dll",Init
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [64ac6902] rundll32.exe "C:\WINDOWS\system32\vwtmuwfq.dll",b
O4 - HKLM\..\RunOnce: [WLuSetup] C:\Program Files\Symantec\LiveUpdate\luupdate.exe -p wlumsp.msp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\kodsrngq.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Unknown owner - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (file missing)

--
End of file - 13863 bytes


Thanks for any and All help


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:34 AM

Posted 17 November 2007 - 02:04 AM

Hi,

First of all, I notice from the log that more than one Anti-Virus program is running with Auto-protect enabled: McAfee and Norton (Symantec).
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease the reliability of it!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

Then, * Download ComboFix from here.
**Save it to your desktop**

In case you have used Combofix before, please delete the version you have and redownload it, because Combofix is updated every day.

In case your Antivirus or any other realtime scanner displays an alert after you download Combofix or while you use Combofix, please disable your scanner and redownload Combofix, because some scanners may see some Combofix-related components as suspicious and block or delete them while there's nothing wrong with them.


* Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 griff1096

griff1096
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 17 November 2007 - 02:35 PM

* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Leeann Griffin\Desktop\internet.lnk
C:\Documents and Settings\Leeann Griffin\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Leeann Griffin\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Leeann Griffin\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Leeann Griffin\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\Insider
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\Online Services\rteqepra.html
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\SecCenter
C:\Program Files\Temporary
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\bodbgyzf.dllbox
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cdeeg.bak2
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\fkmdvbtn
C:\WINDOWS\system32\fkmdvbtn\bg1.gif
C:\WINDOWS\system32\fkmdvbtn\bgtop.gif
C:\WINDOWS\system32\fkmdvbtn\bottom1.gif
C:\WINDOWS\system32\fkmdvbtn\essentials.gif
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn1.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn2.exe
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn3.exe
C:\WINDOWS\system32\fkmdvbtn\icon1.ico
C:\WINDOWS\system32\fkmdvbtn\install1.gif
C:\WINDOWS\system32\fkmdvbtn\left1.gif
C:\WINDOWS\system32\fkmdvbtn\li.gif
C:\WINDOWS\system32\fkmdvbtn\logo.gif
C:\WINDOWS\system32\fkmdvbtn\main.htm
C:\WINDOWS\system32\fkmdvbtn\mainframe.htm
C:\WINDOWS\system32\fkmdvbtn\reinstall1.gif
C:\WINDOWS\system32\fkmdvbtn\right1.gif
C:\WINDOWS\system32\fkmdvbtn\s1.htm
C:\WINDOWS\system32\fkmdvbtn\s2.htm
C:\WINDOWS\system32\fkmdvbtn\s3.htm
C:\WINDOWS\system32\fkmdvbtn\SMTop1.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop2.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop3.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop4.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_off.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_on.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_off.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_on.gif
C:\WINDOWS\system32\fkmdvbtn\top1.gif
C:\WINDOWS\system32\fkmdvbtn\top2.gif
C:\WINDOWS\system32\fkmdvbtn\turnoff1.gif
C:\WINDOWS\system32\fkmdvbtn\turnon1.gif
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\llnmp.bak2
C:\WINDOWS\system32\llnmp.tmp
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 12:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 11:40 968,192 --a------ C:\WINDOWS\system32\msgina.dll
2007-11-17 11:40 671,744 --a------ C:\WINDOWS\system32\lsasrv.dll
2007-11-17 11:40 592,896 --a------ C:\WINDOWS\system32\h323msp.dll
2007-11-17 11:40 548,864 --a------ C:\WINDOWS\system32\rtcdll.dll
2007-11-17 11:40 435,200 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-11-17 11:40 136,704 --a------ C:\WINDOWS\system32\schannel.dll
2007-11-17 11:40 51,200 --a------ C:\WINDOWS\system32\msasn1.dll
2007-11-17 09:25 85,056 --a------ C:\WINDOWS\system32\srtlqbul.dll
2007-11-17 09:22 82,496 --a------ C:\WINDOWS\system32\bltbwsfh.dll
2007-11-17 09:17 145,984 --ah----- C:\WINDOWS\system32\bodbgyzf.dll
2007-11-17 09:16 145,984 --a------ C:\WINDOWS\system32\ugwmmyay.dll
2007-11-17 09:01 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-11-17 03:13 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-11-17 02:48 <DIR> d-------- C:\WINDOWS\fzqk
2007-11-17 02:48 <DIR> d-------- C:\Program Files\Common Files\fzqk
2007-11-17 01:05 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-17 01:05 <DIR> d-------- C:\Temp\abW9
2007-11-17 01:05 38,912 --a------ C:\WINDOWS\system32\pmnnmnm.dll
2007-11-17 01:05 35,840 --a------ C:\WINDOWS\17PHolmes572.exe
2007-11-17 01:01 38,912 --a------ C:\WINDOWS\system32\pmnkiig.dll
2007-11-17 01:00 38,912 --a------ C:\WINDOWS\system32\opnkifc.dll
2007-11-17 00:51 <DIR> d-------- C:\WINDOWS\system32\bits
2007-11-17 00:47 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-11-17 00:47 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-11-17 00:47 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-11-17 00:47 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-11-17 00:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 23:03 <DIR> d-------- C:\Intel
2007-11-16 22:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-16 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 02:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 00:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 15:39 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-11-15 15:39 <DIR> d-------- C:\Program Files\DIFX
2007-11-15 15:39 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2007-11-15 15:39 2,210,048 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2007-11-15 15:39 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2007-11-15 14:48 1,712,984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-11-15 14:48 1,712,984 --a--c--- C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-11-15 14:48 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-11-15 14:48 53,080 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-11-15 12:21 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-11-15 12:21 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-11-13 14:24 641,003 --ahs---- C:\WINDOWS\system32\cdeeg.ini2.ren
2007-11-13 11:54 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2007-11-13 11:54 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2007-11-13 11:54 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-11-13 11:54 40,960 --a------ C:\WINDOWS\system32\safrslv.dll
2007-11-13 11:54 39,424 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-11-13 11:54 33,280 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-11-13 11:54 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-11-13 11:54 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-11-13 11:54 26,624 --a------ C:\WINDOWS\system32\safrdm.dll
2007-11-08 04:45 50,048 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2007-11-08 04:45 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-11-08 04:44 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-11-08 04:42 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-11-08 04:41 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2007-11-08 04:37 71,168 --a------ C:\WINDOWS\system32\storprop.dll
2007-11-08 04:37 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-10-31 19:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-10-31 16:50 639,523 --a------ C:\WINDOWS\system32\cdeeg.bak2.ren
2007-10-31 16:42 6,465 --a------ C:\WINDOWS\system32\cdeeg.ini.ren
2007-10-31 15:27 8,425 --a------ C:\WINDOWS\system32\cdeeg.tmp.ren
2007-10-31 14:41 <DIR> d-------- C:\Documents and Settings\Leeann Griffin\Application Data\Symantec
2007-10-31 14:30 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-31 14:24 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-31 14:17 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 14:17 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-31 14:16 <DIR> d-------- C:\Program Files\Symantec
2007-10-31 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 14:10 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-31 12:15 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-31 12:13 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-31 12:00 6,465 --a------ C:\WINDOWS\system32\cdeeg.bak1.ren
2007-10-31 11:56 <DIR> d-------- C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro
2007-10-31 11:55 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-31 11:52 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-10-31 11:51 <DIR> d--hs---- C:\WINDOWS\TGVlYW5uIEdyaWZmaW4
2007-10-31 11:51 123,908 --a------ C:\WINDOWS\system32\vvgeowbv.exe.ren
2007-10-31 11:51 21,504 --a------ C:\WINDOWS\system32\aivskurq.dll.ren
2007-10-31 11:49 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-31 11:49 35,840 --a------ C:\WINDOWS\mrofinu572.exe
2007-10-31 11:47 <DIR> d-------- C:\WINDOWS\system32\Mz08r
2007-10-31 11:47 <DIR> d-------- C:\Temp\mZOr
2007-10-25 18:13 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-15 16:18 --------- d-----w C:\Program Files\Coding Workshop Ringtone Converter
2007-11-14 08:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-14 08:08 --------- d-----w C:\Program Files\McAfee
2007-11-05 05:59 --------- d-----w C:\Program Files\Advanced Invisible Keylogger
2007-10-31 20:57 0 ----a-w C:\Program Files\Common Files\mevo555077.dll
2007-10-31 20:33 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-31 20:33 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-26 00:10 --------- d-----w C:\Program Files\Kodak
2007-09-18 00:30 --------- d-----w C:\Documents and Settings\Leeann Griffin\Application Data\U3
2007-09-13 04:46 4,704 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-29 20:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-06-01 17:51:34 1,428,777 --sha-w C:\WINDOWS\system32\gjkkj.bak1

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
2007-11-17 01:00 38912 --a------ C:\WINDOWS\System32\opnkifc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 14:28 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-17 11:19 145984 --ah----- C:\WINDOWS\system32\bodbgyzf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4b9733a-de7a-45ac-a261-bd0d465ef900}]
2007-11-17 09:22 82496 --a------ C:\WINDOWS\System32\bltbwsfh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\bodbgyzf.dll [2007-11-17 11:19 145984]

[HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 15:43]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-29 06:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" []
"{C6-69-9A-AD-ZN}"="C:\windows\system32\kodsrngq.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-28 12:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-28 12:41]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" []
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" []
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-09-18 12:46]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 12:46]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 03:59]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 08:57]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 17:24]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 11:06]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"64ac6902"="C:\WINDOWS\System32\srtlqbul.dll" [2007-11-17 09:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"Tracks Eraser Pro"="C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe" [2007-04-14 22:09]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 08:27]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"WLuSetup"=C:\Program Files\Symantec\LiveUpdate\luupdate.exe -p wlumsp.msp

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-11-28 12:35:47]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-15 04:31:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"= C:\WINDOWS\System32\opnkifc.dll [2007-11-17 01:00 38912]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bodbgyzf]
bodbgyzf.dll 2007-11-17 11:19 145984 C:\WINDOWS\system32\bodbgyzf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkifc]
opnkifc.dll 2007-11-17 01:00 38912 C:\WINDOWS\system32\opnkifc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geedc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
C:\Program Files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=2 (0x2)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"cmdService"=2 (0x2)

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\System32\DRIVERS\cledx.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\System32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\System32\Drivers\COH_Mon.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\System32\DRIVERS\cvspydr2.sys
S3 EWAVE;EWAVE;\??\C:\WINDOWS\system32\drivers\ew.sys
S3 FILESPY;FILESPY;\??\C:\WINDOWS\system32\drivers\FILESPY.sys
S3 NSTATION;NSTATION;\??\C:\WINDOWS\system32\drivers\nstation.sys
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\System32\DRIVERS\SaiHFF0C.sys
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\System32\DRIVERS\SaiUFF0C.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\System32\DRIVERS\SymIM.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a553fda2-0a1f-11dc-a15f-001422df6e15}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9238638-fa4c-11db-a11e-001422df6e15}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 22:18:29 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Leeann Griffin.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 13:15:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 13:20:26 - machine was rebooted
.
--- E O F ---

.

#4 griff1096

griff1096
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 17 November 2007 - 02:36 PM

I uninstalled McAfee. Norton will not allow me to uninstall until I upgrade to SP2???

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:34 AM

Posted 17 November 2007 - 02:47 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\Windows\absolute key logger.lnk
C:\Windows\aconti.ini
C:\Windows\aconti.log
C:\Windows\aconti.sdb
C:\Windows\acontidialer.txt
C:\Windows\default.htm
C:\Windows\System32\sznf.ascii
C:\Windows\fonts\a.zip
C:\Program Files\Common Files\mevo555077.dll
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\srtlqbul.dll
C:\WINDOWS\system32\bltbwsfh.dll
C:\WINDOWS\system32\bodbgyzf.dll
C:\WINDOWS\system32\ugwmmyay.dll
C:\WINDOWS\system32\pmnnmnm.dll
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\pmnkiig.dll
C:\WINDOWS\system32\opnkifc.dll
C:\WINDOWS\system32\cdeeg.ini2.ren
C:\WINDOWS\system32\cdeeg.bak2.ren
C:\WINDOWS\system32\cdeeg.ini.ren
C:\WINDOWS\system32\cdeeg.tmp.ren
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\vvgeowbv.exe.ren
C:\WINDOWS\system32\aivskurq.dll.ren

Folder::
C:\Program Files\Advanced Invisible Keylogger
C:\WINDOWS\system32\Mz08r
C:\Temp\mZOr
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\TGVlYW5uIEdyaWZmaW4
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro
C:\WINDOWS\system32\acespy
C:\WINDOWS\fzqk
C:\Program Files\Common Files\fzqk
C:\WINDOWS\system32\rMa01yy
C:\Temp\abW9

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{140BD8E3-C167-11D4-B4A3-080000180323}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4b9733a-de7a-45ac-a261-bd0d465ef900}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{C6-69-9A-AD-ZN}"=-
"64ac6902"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bodbgyzf]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkifc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Network Monitor"=-
"cmdService"=-


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
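The CFScript in the post above is a small declarative format: a `File::` and `Folder::` list of paths to remove, and a `Registry::` block in .reg-file style where `[-key]` deletes a key, `"name"=-` deletes a value and `hex(7):` data sets a REG_MULTI_SZ. The following Python parser is an added example, not code from this thread or from ComboFix, that reads such a script and summarises what it would do, so a helper can review the actions before the script is dragged onto ComboFix. The section syntax and the directives are taken from the post above; decoding `hex(7)` as single-byte, NUL-separated strings (REGEDIT4 style), the function names and the shortened sample script are assumptions made for illustration.

```python
"""Parser for the ComboFix CFScript format (File::, Folder::, Registry::).

Added example, not part of the thread or of ComboFix itself. The section
syntax and the .reg-style Registry:: directives are as used in the post
above; the hex(7) decoding and the function names are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a shortened copy of the script in the post above.
SAMPLE_CFSCRIPT = """\
File::
C:\\WINDOWS\\system32\\opnkifc.dll
C:\\WINDOWS\\system32\\bodbgyzf.dll

Folder::
C:\\WINDOWS\\system32\\acespy

Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"64ac6902"=-
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# "name"=data, as written in .reg files
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its sections; a header ends in '::'."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        sections[current].append(line)
    return sections


def decode_multi_sz(hex_body: str) -> List[str]:
    """Decode REGEDIT4-style hex(7) data (assumption: one byte per char,
    each string NUL-terminated, the list closed by an extra NUL)."""
    data = bytes(int(b, 16) for b in hex_body.split(",") if b.strip())
    return [s for s in data.decode("latin-1").split("\x00") if s]


def parse_registry(lines: List[str]) -> List[Tuple]:
    """Turn Registry:: lines into (action, key, ...) tuples."""
    actions: List[Tuple] = []
    key = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1]))   # [-key] deletes the whole key
            key = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                              # [key] selects a key for the values below
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unexpected registry line: {line!r}")
        name, data = m.group("name"), m.group("data")
        if data == "-":
            actions.append(("delete_value", key, name))   # "name"=- deletes the value
        elif data.startswith("hex(7):"):
            actions.append(("set_multi_sz", key, name, decode_multi_sz(data[7:])))
        elif data.startswith("dword:"):
            actions.append(("set_dword", key, name, int(data[6:], 16)))
        elif data.startswith('"') and data.endswith('"'):
            actions.append(("set_string", key, name, data[1:-1]))
        else:
            raise ValueError(f"unsupported value syntax: {line!r}")
    return actions


def summarize(text: str) -> Dict[str, int]:
    """Count what the script would do, per action kind."""
    sections = parse_sections(text)
    counts = {
        "files": len(sections.get("File", [])),
        "folders": len(sections.get("Folder", [])),
    }
    for action in parse_registry(sections.get("Registry", [])):
        counts[action[0]] = counts.get(action[0], 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_CFSCRIPT))
    for action in parse_registry(parse_sections(SAMPLE_CFSCRIPT)["Registry"]):
        print(action)
```

Decoding the `Authentication Packages` line is the part worth looking at: the hex bytes decode to the single string `msv1_0`, i.e. the script restores the LSA value to its default and drops the extra DLL that the ComboFix log above listed under that value. Reading the script this way, before running it, is how a reviewer confirms that a fix only touches the entries the log identified.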

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:34 AM

Posted 17 November 2007 - 02:50 PM

I uninstalled McAfee. Norton will not allow me to uninstall until I upgrade to SP2???

This doesn't make sense. We'll deal with Norton afterwards.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:34 AM

Posted 24 November 2007 - 01:59 AM

Still with us?

#8 griff1096

griff1096
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 24 November 2007 - 09:16 PM

Hey... yes, I'm still here. Been gone this week though. OK, ran the new fix. Going to run the hijack and post both tonight. Thanks man.

#9 griff1096

griff1096
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 24 November 2007 - 09:22 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:52 PM, on 11/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: {e9fe459f-d9b6-e8c9-4ed4-0b475bfe5850} - {0585efb5-74b0-4de4-9c8e-6b9df954ef9e} - C:\WINDOWS\System32\gvrusaqi.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\RunOnce: [WLuSetup] C:\Program Files\Symantec\LiveUpdate\luupdate.exe -p wlumsp.msp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Unknown owner - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (file missing)

--
End of file - 13029 bytes

#10 griff1096

griff1096
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:34 PM

Posted 24 November 2007 - 09:23 PM

FILE
C:\Program Files\Common Files\mevo555077.dll
C:\WINDOWS\17PHolmes572.exe
C:\Windows\absolute key logger.lnk
C:\Windows\aconti.ini
C:\Windows\aconti.log
C:\Windows\aconti.sdb
C:\Windows\acontidialer.txt
C:\Windows\default.htm
C:\Windows\fonts\a.zip
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\aivskurq.dll.ren
C:\WINDOWS\system32\bltbwsfh.dll
C:\WINDOWS\system32\bodbgyzf.dll
C:\WINDOWS\system32\cdeeg.bak2.ren
C:\WINDOWS\system32\cdeeg.ini.ren
C:\WINDOWS\system32\cdeeg.ini2.ren
C:\WINDOWS\system32\cdeeg.tmp.ren
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\opnkifc.dll
C:\WINDOWS\system32\pmnkiig.dll
C:\WINDOWS\system32\pmnnmnm.dll
C:\WINDOWS\system32\srtlqbul.dll
C:\WINDOWS\system32\stfv.bin
C:\Windows\System32\sznf.ascii
C:\WINDOWS\system32\ugwmmyay.dll
C:\WINDOWS\system32\vvgeowbv.exe.ren
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\PGE.dat
C:\Documents and Settings\Leeann Griffin\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Leeann Griffin\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Leeann Griffin\Favorites\Online Security Guide.lnk
C:\Program Files\Advanced Invisible Keylogger
C:\Program Files\Advanced Invisible Keylogger\win32sys.dll
C:\Program Files\Common Files\fzqk
C:\Program Files\Common Files\fzqk\fzqka.lck
C:\Program Files\Common Files\fzqk\fzqkd\class-barrel
C:\Program Files\Common Files\fzqk\fzqkd\vocabulary
C:\Program Files\Common Files\fzqk\fzqkl.lck
C:\Program Files\Common Files\fzqk\fzqkm.lck
C:\Program Files\Common Files\mevo555077.dll
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\Temp\mZOr
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\17PHolmes572.exe
C:\Windows\absolute key logger.lnk
C:\Windows\aconti.log
C:\Windows\acontidialer.txt
C:\Windows\default.htm
C:\WINDOWS\fzqk
C:\WINDOWS\fzqk\fzqk.dat
C:\WINDOWS\fzqk\wu
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\aivskurq.dll.ren
C:\WINDOWS\system32\bltbwsfh.dll
C:\WINDOWS\system32\bodbgyzf.dll
C:\WINDOWS\system32\bodbgyzf.dllbox
C:\WINDOWS\system32\cdeeg.bak2.ren
C:\WINDOWS\system32\cdeeg.ini.ren
C:\WINDOWS\system32\cdeeg.ini2.ren
C:\WINDOWS\system32\cdeeg.tmp.ren
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\Mz08r
C:\WINDOWS\system32\opnkifc.dll
C:\WINDOWS\system32\pmnkiig.dll
C:\WINDOWS\system32\pmnnmnm.dll
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe
C:\WINDOWS\system32\srtlqbul.dll
C:\WINDOWS\system32\stfv.bin
C:\Windows\System32\sznf.ascii
C:\WINDOWS\system32\ugwmmyay.dll
C:\WINDOWS\system32\vvgeowbv.exe.ren
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\TGVlYW5uIEdyaWZmaW4

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-24 19:18 775,832 --ahs---- C:\WINDOWS\system32\tvheeews.ini

#11 griff1096

griff1096
  • Topic Starter
  • Members
  • 17 posts

Posted 24 November 2007 - 09:27 PM

OK.. The computer is running a lot better. There are the 3 issues outside of whatever it is that you are going to see with these logs.

1- My Intel PROSet wireless is "searching" for ifrmwrk.exe??? I can't use it due to that??

2- Norton.. which you said we'd get to later

3- SP1.. should be SP2.. HOW do I get it back, or can I now do a restore to factory settings?


THANKS man for your help.

#12 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 November 2007 - 04:37 AM

Hi,

Can you repost the log from Combofix, because it's not complete.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 griff1096

griff1096
  • Topic Starter
  • Members
  • 17 posts

Posted 25 November 2007 - 02:47 PM

FILE
C:\Program Files\Common Files\mevo555077.dll
C:\WINDOWS\17PHolmes572.exe
C:\Windows\absolute key logger.lnk
C:\Windows\aconti.ini
C:\Windows\aconti.log
C:\Windows\aconti.sdb
C:\Windows\acontidialer.txt
C:\Windows\default.htm
C:\Windows\fonts\a.zip
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\aivskurq.dll.ren
C:\WINDOWS\system32\bltbwsfh.dll
C:\WINDOWS\system32\bodbgyzf.dll
C:\WINDOWS\system32\cdeeg.bak2.ren
C:\WINDOWS\system32\cdeeg.ini.ren
C:\WINDOWS\system32\cdeeg.ini2.ren
C:\WINDOWS\system32\cdeeg.tmp.ren
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\opnkifc.dll
C:\WINDOWS\system32\pmnkiig.dll
C:\WINDOWS\system32\pmnnmnm.dll
C:\WINDOWS\system32\srtlqbul.dll
C:\WINDOWS\system32\stfv.bin
C:\Windows\System32\sznf.ascii
C:\WINDOWS\system32\ugwmmyay.dll
C:\WINDOWS\system32\vvgeowbv.exe.ren
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Leeann Griffin\Application Data\SpyGuardPro\PGE.dat
C:\Documents and Settings\Leeann Griffin\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Leeann Griffin\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Leeann Griffin\Favorites\Online Security Guide.lnk
C:\Program Files\Advanced Invisible Keylogger
C:\Program Files\Advanced Invisible Keylogger\win32sys.dll
C:\Program Files\Common Files\fzqk
C:\Program Files\Common Files\fzqk\fzqka.lck
C:\Program Files\Common Files\fzqk\fzqkd\class-barrel
C:\Program Files\Common Files\fzqk\fzqkd\vocabulary
C:\Program Files\Common Files\fzqk\fzqkl.lck
C:\Program Files\Common Files\fzqk\fzqkm.lck
C:\Program Files\Common Files\mevo555077.dll
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\Temp\mZOr
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\17PHolmes572.exe
C:\Windows\absolute key logger.lnk
C:\Windows\aconti.log
C:\Windows\acontidialer.txt
C:\Windows\default.htm
C:\WINDOWS\fzqk
C:\WINDOWS\fzqk\fzqk.dat
C:\WINDOWS\fzqk\wu
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\aivskurq.dll.ren
C:\WINDOWS\system32\bltbwsfh.dll
C:\WINDOWS\system32\bodbgyzf.dll
C:\WINDOWS\system32\bodbgyzf.dllbox
C:\WINDOWS\system32\cdeeg.bak2.ren
C:\WINDOWS\system32\cdeeg.ini.ren
C:\WINDOWS\system32\cdeeg.ini2.ren
C:\WINDOWS\system32\cdeeg.tmp.ren
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\Mz08r
C:\WINDOWS\system32\opnkifc.dll
C:\WINDOWS\system32\pmnkiig.dll
C:\WINDOWS\system32\pmnnmnm.dll
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe
C:\WINDOWS\system32\srtlqbul.dll
C:\WINDOWS\system32\stfv.bin
C:\Windows\System32\sznf.ascii
C:\WINDOWS\system32\ugwmmyay.dll
C:\WINDOWS\system32\vvgeowbv.exe.ren
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\TGVlYW5uIEdyaWZmaW4

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-24 19:18 775,832 --ahs---- C:\WINDOWS\system32\tvheeews.ini
2007-11-24 19:11 81,472 --a------ C:\WINDOWS\system32\gvrusaqi.dll
2007-11-24 19:08 71,232 --a------ C:\WINDOWS\system32\ejmvueuc.exe
2007-11-18 03:17 593,408 -----c--- C:\WINDOWS\system32\dllcache\xpsp2res.dll
2007-11-18 03:14 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2007-11-18 03:14 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-11-18 03:14 253,440 --a------ C:\WINDOWS\system32\h323.tsp
2007-11-17 11:40 681,984 --a------ C:\WINDOWS\system32\lsasrv.dll
2007-11-17 11:40 136,704 --a------ C:\WINDOWS\system32\schannel.dll
2007-11-17 11:39 439,808 --a------ C:\WINDOWS\system32\SET55.tmp
2007-11-17 11:39 253,440 --a------ C:\WINDOWS\system32\SET53.tmp
2007-11-17 09:51 439,808 --a------ C:\WINDOWS\system32\SET358.tmp
2007-11-17 09:51 253,440 --a------ C:\WINDOWS\system32\SET356.tmp
2007-11-17 09:25 861,882 --ahs---- C:\WINDOWS\system32\lubqltrs.ini
2007-11-17 09:01 439,808 --a------ C:\WINDOWS\system32\SET2B7.tmp
2007-11-17 09:01 253,440 --a------ C:\WINDOWS\system32\SET2B5.tmp
2007-11-17 08:31 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-11-17 08:31 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-11-17 08:31 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-11-17 08:31 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-11-17 08:31 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-11-17 08:31 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-11-17 08:31 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-11-17 08:31 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-11-17 08:31 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-11-17 08:31 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-11-17 08:31 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-11-17 08:31 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-11-17 08:31 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2007-11-17 08:31 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-11-17 03:13 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-11-17 00:51 <DIR> d-------- C:\WINDOWS\system32\bits
2007-11-17 00:47 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-11-17 00:47 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-11-17 00:47 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-11-17 00:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 23:03 <DIR> d-------- C:\Intel
2007-11-16 22:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-16 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 02:09 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 00:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-15 23:58 0 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-15 15:39 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-11-15 15:39 <DIR> d-------- C:\Program Files\DIFX
2007-11-15 14:51 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2007-11-15 14:51 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2007-11-15 14:48 1,712,984 --a--c--- C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-11-15 14:48 53,080 --a--c--- C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-11-15 12:21 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-11-13 11:54 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2007-11-13 11:54 69,632 --a------ C:\WINDOWS\system32\icwdial.dll
2007-11-13 11:54 61,440 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-11-13 11:54 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-11-13 11:53 266,240 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-11-13 11:53 250,368 --a------ C:\WINDOWS\system32\mstask.dll
2007-11-13 11:53 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-11-13 11:53 73,728 --a------ C:\WINDOWS\system32\ils.dll
2007-11-13 11:53 69,248 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-11-13 11:50 499,200 --a------ C:\WINDOWS\system32\comuid.dll
2007-11-13 11:50 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
2007-11-13 11:50 174,592 --a------ C:\WINDOWS\system32\cmprops.dll
2007-11-13 11:50 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-11-13 11:50 124,416 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-11-13 11:50 116,104 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-11-13 11:50 89,600 --a------ C:\WINDOWS\system32\comrepl.dll
2007-11-13 11:50 53,248 --a------ C:\WINDOWS\system32\servdeps.dll
2007-11-13 11:50 18,432 --a------ C:\WINDOWS\system32\qprocess.exe
2007-11-13 11:50 16,384 --a------ C:\WINDOWS\system32\mmfutil.dll
2007-11-13 11:50 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
2007-11-13 11:49 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2007-11-13 11:49 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
2007-11-08 04:45 50,048 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2007-11-08 04:45 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-11-08 04:44 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-11-08 04:42 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2007-11-08 04:42 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-11-08 04:37 390,168 --a--c--- C:\WINDOWS\system32\dllcache\WFC.CAT
2007-11-08 04:37 132,096 --a------ C:\WINDOWS\system\winspool.drv
2007-11-08 04:37 21,281 --a--c--- C:\WINDOWS\system32\dllcache\XMLDSOC.CAT
2007-11-08 04:37 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2007-10-31 19:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-10-31 14:41 <DIR> d-------- C:\Documents and Settings\Leeann Griffin\Application Data\Symantec
2007-10-31 14:30 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-31 14:24 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-31 14:17 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 14:17 10,652 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-31 14:17 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-31 14:16 <DIR> d-------- C:\Program Files\Symantec
2007-10-31 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 14:10 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-10-31 11:51 14 --a------ C:\WINDOWS\system32\din.ip
2007-10-31 11:51 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-10-25 18:13 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-15 16:18 --------- d-----w C:\Program Files\Coding Workshop Ringtone Converter
2007-11-14 08:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-14 08:08 --------- d-----w C:\Program Files\McAfee
2007-10-26 00:10 --------- d-----w C:\Program Files\Kodak
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0585efb5-74b0-4de4-9c8e-6b9df954ef9e}]
2007-11-24 19:11 81472 --a------ C:\WINDOWS\System32\gvrusaqi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 14:28 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"Tracks Eraser Pro"="C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe" [2007-04-14 22:09]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 08:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 15:43]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-29 06:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-28 12:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-28 12:41]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" []
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" []
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-09-18 12:46]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 12:46]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 03:59]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 08:57]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 17:24]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 11:06]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WLuSetup"="C:\Program Files\Symantec\LiveUpdate\luupdate.exe" [2007-08-30 23:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-11-28 12:35:47]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-15 04:31:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
C:\Program Files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"MpfService"=2 (0x2)

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\System32\DRIVERS\cledx.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\System32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\System32\Drivers\COH_Mon.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\System32\DRIVERS\cvspydr2.sys
S3 EWAVE;EWAVE;\??\C:\WINDOWS\system32\drivers\ew.sys
S3 FILESPY;FILESPY;\??\C:\WINDOWS\system32\drivers\FILESPY.sys
S3 NSTATION;NSTATION;\??\C:\WINDOWS\system32\drivers\nstation.sys
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\System32\DRIVERS\SaiHFF0C.sys
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\System32\DRIVERS\SaiUFF0C.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\System32\DRIVERS\SymIM.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a553fda2-0a1f-11dc-a15f-001422df6e15}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9238638-fa4c-11db-a11e-001422df6e15}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 22:18:29 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Leeann Griffin.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 20:05:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-24 20:07:07 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 13:20
.
--- E O F ---

#14 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 November 2007 - 03:09 PM

Hi,

To answer your questions..

1- My Intel PROSet wireless is "searching" for ifrmwrk.exe??? I can't use it due to that??

2- Norton.. which you said we'd get to later

3- SP1.. should be SP2.. HOW do I get it back, or can I now do a restore to factory settings?

It appears that your ifrmwrk.exe is indeed missing here. Not sure how it got deleted.. unless you are dealing with a file infector as well, which doesn't surprise me if I see what you were dealing with. We'll find out afterwards and hope you're not dealing with a file infector (Virut in this case), otherwise this would mean that you'll have to format and reinstall Windows.
Anyway, we will remove the startup entry to ifrmwrk.exe since the file is missing anyway. In case you're having problems with your Intel wireless in general, I suggest you reinstall it again.

Yes, we deal with Norton afterwards.

Please do NOT restore to factory settings or whatever.. this won't help to get SP2 back. You just have to reinstall SP2 again.. but please do NOT do this right now, because as long as your system is infected, you may have problems with installing SP2.
I guess you previously did a Windows repair, which explains why you have SP1 now instead of SP2.


Let's create a new CFScript and give this another run..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\System32\gvrusaqi.dll
C:\WINDOWS\system32\tvheeews.ini
C:\WINDOWS\system32\ejmvueuc.exe
C:\WINDOWS\system32\lubqltrs.ini
C:\WINDOWS\system32\jpewocmz.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0585efb5-74b0-4de4-9c8e-6b9df954ef9e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"=-
"MSKAGENTEXE"=-
"MPFExe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=-
"MpfService"=-


Save this as a txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also do next..

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply as well.
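As an added example (not code from this thread, from ComboFix, or from the helper), the Python script below mechanises two of the checks miekiemoes makes by eye above: hidden+system files dropped into system32 in the "Files Created" section (the --ahs---- .ini files), and values under the HKLM Run key whose file ComboFix could not find (the empty [] after the path, which is how the missing ifrmewrk.exe showed up). It then lays the findings out in the File:: / Registry:: form used in the CFScript post. Sample lines are excerpted from the log posted in this thread; the regexes, class and function names are my own, and the output is only a draft for a human helper to review, since the post also pulls entries (gvrusaqi.dll, jpewocmz.ini) that these two checks do not catch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines excerpted from the ComboFix "Files Created" section above.
FILES_CREATED = r"""
2007-11-24 19:18 775,832 --ahs---- C:\WINDOWS\system32\tvheeews.ini
2007-11-24 19:11 81,472 --a------ C:\WINDOWS\system32\gvrusaqi.dll
2007-11-17 09:25 861,882 --ahs---- C:\WINDOWS\system32\lubqltrs.ini
2007-11-17 00:51 <DIR> d-------- C:\WINDOWS\system32\bits
2007-11-15 14:51 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2007-10-31 11:51 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
"""

# Constructed sample input: values under HKLM\...\CurrentVersion\Run as ComboFix lists them.
# An empty "[]" after the path means ComboFix found no file there to timestamp.
RUN_VALUES = r"""
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" []
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" []
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" []
"""

# date time size attrs path; attrs is a 9-character flag string such as --ahs---- (a, h, s, r, c, d)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")
# "name"="path" [timestamp]   -- timestamp is empty when the file is absent
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')

SYSTEM32 = "c:\\windows\\system32\\"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class FileEntry:
    date: str
    time: str
    size: Optional[int]  # None for <DIR> lines
    attrs: str
    path: str


@dataclass
class RunValue:
    name: str
    path: str
    present: bool  # False when ComboFix printed "[]"


def parse_files_created(text: str) -> List[FileEntry]:
    """Parse the 'Files Created' block; lines that do not fit the layout are ignored."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(FileEntry(date, time, None if size == "<DIR>" else int(size.replace(",", "")), attrs, path))
    return entries


def flag_hidden_system(entries: List[FileEntry]) -> List[str]:
    """Files (not directories) under system32 carrying both hidden (h) and system (s) attributes."""
    return [e.path for e in entries
            if e.size is not None and "h" in e.attrs and "s" in e.attrs
            and e.path.lower().startswith(SYSTEM32)]


def parse_run_values(text: str) -> List[RunValue]:
    """Parse the values listed under a Run key."""
    values = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            name, path, stamp = m.groups()
            values.append(RunValue(name, path, present=stamp != ""))
    return values


def missing_run_values(values: List[RunValue]) -> List[str]:
    """Names of Run values whose target file ComboFix could not find."""
    return [v.name for v in values if not v.present]


def build_cfscript(files: List[str], run_names: List[str]) -> str:
    """Lay the findings out in the File:: / Registry:: form used in the post above;
    "name"=- under a key removes that value, as in the helper's script."""
    lines = ["File::", *files, "", "Registry::", f"[{RUN_KEY}]", *[f'"{n}"=-' for n in run_names]]
    return "\n".join(lines) + "\n"


def triage(files_text: str, run_text: str) -> str:
    """Run both checks over ComboFix output and return the draft CFScript text."""
    files = flag_hidden_system(parse_files_created(files_text))
    names = missing_run_values(parse_run_values(run_text))
    return build_cfscript(files, names)


if __name__ == "__main__":
    print(triage(FILES_CREATED, RUN_VALUES), end="")
```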

#15 griff1096

griff1096
  • Topic Starter
  • Members
  • 17 posts

Posted 25 November 2007 - 03:54 PM

FILE
C:\WINDOWS\system32\ejmvueuc.exe
C:\WINDOWS\System32\gvrusaqi.dll
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\lubqltrs.ini
C:\WINDOWS\system32\tvheeews.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_002354_.tmp.dll
C:\WINDOWS\system32\_002515_.tmp.dll
C:\WINDOWS\system32\_002516_.tmp.dll
C:\WINDOWS\system32\_002517_.tmp.dll
C:\WINDOWS\system32\_002518_.tmp.dll
C:\WINDOWS\system32\_002525_.tmp.dll
C:\WINDOWS\system32\_002526_.tmp.dll
C:\WINDOWS\system32\_002527_.tmp.dll
C:\WINDOWS\system32\_002528_.tmp.dll
C:\WINDOWS\system32\_002530_.tmp.dll
C:\WINDOWS\system32\_002531_.tmp.dll
C:\WINDOWS\system32\_002532_.tmp.dll
C:\WINDOWS\system32\_002534_.tmp.dll
C:\WINDOWS\system32\_002535_.tmp.dll
C:\WINDOWS\system32\_002537_.tmp.dll
C:\WINDOWS\system32\_002538_.tmp.dll
C:\WINDOWS\system32\_002539_.tmp.dll
C:\WINDOWS\system32\_002540_.tmp.dll
C:\WINDOWS\system32\_002541_.tmp.dll
C:\WINDOWS\system32\_002542_.tmp.dll
C:\WINDOWS\system32\_002544_.tmp.dll
C:\WINDOWS\system32\_002548_.tmp.dll
C:\WINDOWS\system32\_002549_.tmp.dll
C:\WINDOWS\system32\_002551_.tmp.dll
C:\WINDOWS\system32\_002552_.tmp.dll
C:\WINDOWS\system32\_002554_.tmp.dll
C:\WINDOWS\system32\_002556_.tmp.dll
C:\WINDOWS\system32\_002557_.tmp.dll
C:\WINDOWS\system32\_002558_.tmp.dll
C:\WINDOWS\system32\_002559_.tmp.dll
C:\WINDOWS\system32\_002560_.tmp.dll
C:\WINDOWS\system32\_002563_.tmp.dll
C:\WINDOWS\system32\_002565_.tmp.dll
C:\WINDOWS\system32\_002566_.tmp.dll
C:\WINDOWS\system32\_002567_.tmp.dll
C:\WINDOWS\system32\_002571_.tmp.dll
C:\WINDOWS\system32\ejmvueuc.exe
C:\WINDOWS\System32\gvrusaqi.dll
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\lubqltrs.ini
C:\WINDOWS\system32\tvheeews.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-24 23:23 150,528 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-11-24 21:06 35 --a------ C:\WINDOWS\system32\spdwnwxp.log
2007-11-24 20:45 891,711 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-11-24 20:45 593,408 --------- C:\WINDOWS\system32\dllcache\xpsp2res.dll
2007-11-24 20:45 403,456 --a------ C:\WINDOWS\system32\winbrand.dll
2007-11-24 20:45 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-11-24 20:45 187,904 --a------ C:\WINDOWS\system32\xpsp1res.dll
2007-11-24 20:45 115,200 --a------ C:\WINDOWS\system32\dpcdll.dll
2007-11-24 20:45 27,648 --a------ C:\WINDOWS\system32\pidgen.dll
2007-11-24 20:45 27,392 --a------ C:\WINDOWS\system32\drivers\viaagp.sys
2007-11-24 20:45 26,112 --a------ C:\WINDOWS\system32\drivers\sisagp.sys
2007-11-24 20:45 11,776 --a------ C:\WINDOWS\system32\drivers\tunmp.sys
2007-11-24 20:45 11,776 --------- C:\WINDOWS\system32\dllcache\tunmp.sys
2007-11-24 20:45 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-11-24 20:45 5,120 --a------ C:\WINDOWS\system32\hccoin.dll
2007-11-24 20:45 3,584 --a------ C:\WINDOWS\system32\dsprpres.dll
2007-11-24 20:44 1,004,032 --a------ C:\WINDOWS\explorer.exe
2007-11-24 20:44 266,752 --a------ C:\WINDOWS\winhlp32.exe
2007-11-24 20:44 257,536 --------- C:\WINDOWS\system32\dllcache\oakley.dll
2007-11-24 20:44 150,016 --a------ C:\WINDOWS\system32\hdwwiz.cpl
2007-11-24 20:44 143,872 --a------ C:\WINDOWS\system32\itircl.dll
2007-11-24 20:44 134,144 --a------ C:\WINDOWS\regedit.exe
2007-11-24 20:44 128,000 --a------ C:\WINDOWS\system32\itss.dll
2007-11-24 20:44 112,128 --a------ C:\WINDOWS\system32\ntmarta.dll
2007-11-24 20:44 77,824 --a------ C:\WINDOWS\system32\isign32.dll
2007-11-24 20:44 68,928 --a------ C:\WINDOWS\system\mmsystem.dll
2007-11-24 20:44 66,048 --a------ C:\WINDOWS\notepad.exe
2007-11-24 20:44 46,592 --a------ C:\WINDOWS\twain_32.dll
2007-11-24 20:44 38,400 --a------ C:\WINDOWS\system32\ntmsapi.dll
2007-11-24 20:44 38,400 --a------ C:\WINDOWS\system32\ntlanman.dll
2007-11-24 20:44 28,672 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-11-24 20:44 10,752 --a------ C:\WINDOWS\hh.exe
2007-11-24 20:43 1,955,840 --a------ C:\WINDOWS\system32\ntkrnlpa.exe
2007-11-24 20:43 1,190,400 --a------ C:\WINDOWS\system32\ole32.dll
2007-11-24 20:43 928,768 --------- C:\WINDOWS\system32\dllcache\kernel32.dll
2007-11-24 20:43 802,304 --------- C:\WINDOWS\system32\dxmrtp.dll
2007-11-24 20:43 681,984 --a------ C:\WINDOWS\system32\lsasrv.dll
2007-11-24 20:43 578,560 --a------ C:\WINDOWS\system32\autoconv.exe
2007-11-24 20:43 565,760 --a------ C:\WINDOWS\system32\autochk.exe
2007-11-24 20:43 561,664 --a------ C:\WINDOWS\system32\comctl32.dll
2007-11-24 20:43 558,080 --a------ C:\WINDOWS\system32\advapi32.dll
2007-11-24 20:43 340,480 --------- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-11-24 20:43 316,416 --a------ C:\WINDOWS\system32\zipfldr.dll
2007-11-24 20:43 264,704 --a------ C:\WINDOWS\system32\wzcsvc.dll
2007-11-24 20:43 258,048 --a------ C:\WINDOWS\system32\comdlg32.dll
2007-11-24 20:43 205,120 --------- C:\WINDOWS\system32\dllcache\tcpip6.sys
2007-11-24 20:43 172,664 --a------ C:\WINDOWS\system32\xenroll.dll
2007-11-24 20:43 132,096 --a------ C:\WINDOWS\system\winspool.drv
2007-11-24 20:43 129,024 --a------ C:\WINDOWS\system32\desk.cpl
2007-11-24 20:43 126,976 --a------ C:\WINDOWS\system32\imagehlp.dll
2007-11-24 20:43 108,544 --a------ C:\WINDOWS\system32\msv1_0.dll
2007-11-24 20:43 91,648 --------- C:\WINDOWS\system32\iuctl.dll
2007-11-24 20:43 86,016 --a------ C:\WINDOWS\system32\xactsrv.dll
2007-11-24 20:43 77,440 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-11-24 20:43 70,912 --a------ C:\WINDOWS\system32\drivers\videoprt.sys
2007-11-24 20:43 70,656 --------- C:\WINDOWS\system32\dllcache\ws2_32.dll
2007-11-24 20:43 56,832 --a------ C:\WINDOWS\system32\wzcdlg.dll
2007-11-24 20:43 53,248 --a------ C:\WINDOWS\system32\sendmail.dll
2007-11-24 20:43 52,224 --a------ C:\WINDOWS\system32\secur32.dll
2007-11-24 20:43 49,152 --a------ C:\WINDOWS\system32\drivers\volsnap.sys
2007-11-24 20:43 47,104 --------- C:\WINDOWS\system32\mspmspsv.dll
2007-11-24 20:43 40,448 --a------ C:\WINDOWS\system32\ftp.exe
2007-11-24 20:43 36,352 --a------ C:\WINDOWS\system32\sens.dll
2007-11-24 20:43 33,280 --a------ C:\WINDOWS\system32\drivers\wanarp.sys
2007-11-24 20:43 29,184 --------- C:\WINDOWS\system32\dllcache\winipsec.dll
2007-11-24 20:43 29,184 --a------ C:\WINDOWS\system32\csrsrv.dll
2007-11-24 20:43 28,160 --a------ C:\WINDOWS\system32\xcopy.exe
2007-11-24 20:43 27,136 --a------ C:\WINDOWS\system32\sendcmsg.dll
2007-11-24 20:43 23,552 --a------ C:\WINDOWS\system32\wzcsapi.dll
2007-11-24 20:43 13,312 --------- C:\WINDOWS\system32\dllcache\wship6.dll
2007-11-24 20:43 12,800 --a------ C:\WINDOWS\system32\mgmtapi.dll
2007-11-24 20:43 12,288 --a------ C:\WINDOWS\system32\lmhsvc.dll
2007-11-24 20:43 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-11-24 20:43 6,656 --a------ C:\WINDOWS\system32\ntlsapi.dll
2007-11-24 20:43 6,144 --a------ C:\WINDOWS\system32\sensapi.dll
2007-11-24 20:43 5,632 --a------ C:\WINDOWS\system32\security.dll
2007-11-24 20:43 4,864 --a------ C:\WINDOWS\system32\drivers\viaide.sys
2007-11-24 20:42 <DIR> d-------- C:\WINDOWS\EHome
2007-11-24 20:34 7,208 --------- C:\WINDOWS\system32\secupd.sig
2007-11-24 20:34 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-11-24 19:17 85,056 --a------ C:\WINDOWS\system32\sweeehvt.dll
2007-11-18 03:17 40,960 -----c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2007-11-17 09:01 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-11-17 08:31 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-11-17 08:31 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-11-17 08:31 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-11-17 08:31 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-11-17 08:31 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-11-17 08:31 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-11-17 08:31 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-11-17 08:31 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-11-17 08:31 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-11-17 08:31 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-11-17 08:31 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-11-17 00:51 <DIR> d-------- C:\WINDOWS\system32\bits
2007-11-17 00:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 00:18 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2007-11-16 23:03 <DIR> d-------- C:\Intel
2007-11-16 22:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-16 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 09:59 33,792 ----a-w C:\WINDOWS\system32\drivers\cledx.sys
2007-11-25 06:10 --------- d-----w C:\Documents and Settings\Leeann Griffin\Application Data\bibble
2007-11-17 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-15 16:18 --------- d-----w C:\Program Files\Coding Workshop Ringtone Converter
2007-11-14 08:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-14 08:08 --------- d-----w C:\Program Files\McAfee
2007-10-31 20:33 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-31 20:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-31 20:33 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-26 00:10 --------- d-----w C:\Program Files\Kodak
.

((((((((((((((((((((((((((((( snapshot@2007-11-24_20.05.44.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-28 18:28:54 78,535 -c--a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
+ 2007-11-25 03:01:52 78,535 ----a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
- 2007-11-14 07:48:37 4,890 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2007-11-25 03:01:52 4,584 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
- 2007-11-17 06:42:14 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-25 02:59:47 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-17 06:42:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-25 02:59:47 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-25 02:59:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-08-29 12:00:00 68,992 ------w C:\WINDOWS\system32\drivers\_002491_.tmp.dll
+ 2002-08-29 12:00:00 30,592 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\processr.sys
+ 2004-08-04 11:00:00 67,584 ----a-w C:\WINDOWS\system32\ReinstallBackups\0017\DriverFiles\sdbus.sys
+ 2004-08-04 07:56:56 8,192 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
+ 2004-08-04 11:00:00 1,712,128 ----a-w C:\WINDOWS\WinSxS\InstallTemp\6409488\GdiPlus.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-31 14:28 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49]
"Tracks Eraser Pro"="C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe" [2007-04-14 22:09]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 08:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 15:43]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2002-08-29 06:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 05:00]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 23:07]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-11-28 12:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-28 12:41]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-09-18 12:46]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 12:46]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 03:59]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 08:57]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 17:24]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 11:06]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WLuSetup"="C:\Program Files\Symantec\LiveUpdate\luupdate.exe" [2007-08-30 23:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-11-28 12:35:47]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-15 04:31:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
C:\Program Files\Trojan Remover\Trjscan.exe

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\System32\DRIVERS\cledx.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\System32\DRIVERS\SymIM.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\System32\Drivers\COH_Mon.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\System32\DRIVERS\cvspydr2.sys
S3 EWAVE;EWAVE;\??\C:\WINDOWS\system32\drivers\ew.sys
S3 FILESPY;FILESPY;\??\C:\WINDOWS\system32\drivers\FILESPY.sys
S3 NSTATION;NSTATION;\??\C:\WINDOWS\system32\drivers\nstation.sys
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\System32\DRIVERS\SaiHFF0C.sys
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\System32\DRIVERS\SaiUFF0C.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\System32\DRIVERS\SymIM.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a553fda2-0a1f-11dc-a15f-001422df6e15}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9238638-fa4c-11db-a11e-001422df6e15}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 22:18:29 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Leeann Griffin.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 14:46:50
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-25 14:50:26 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-24 20:07
C:\ComboFix3.txt ... 2007-11-17 13:20
.
--- E O F ---



