Tons Of Pop-ups, Virus Warnings


This topic is locked
17 replies to this topic

#1 spunks3 (Members, 37 posts)

Posted 26 November 2007 - 10:20 PM

I'm having horrible trouble with this computer. I had Security Toolbar, but I read around and figured out how to get rid of it. The pop-ups stopped for a bit, but now I'm getting tons and tons of pop-ups that give me an option to download something, and also other web pop-ups and warnings that I am infected with trojans and other viruses... I have a HijackThis log. Please help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:20 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\GEARSec.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe
C:\Program Files\QdrModule\QdrModule9.exe
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\mrofinu.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\T?sks\n?tdde.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dxgyijds.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ptcpmuwg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DBE80DC744B6CDE3F546CAC59B6
O4 - HKLM\..\Run: [8cc2f7f0] rundll32.exe "C:\WINDOWS\system32\wnhxhgmm.dll",b
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - HKCU\..\Run: [QdrPack9] "C:\Program Files\QdrPack\QdrPack9.exe"
O4 - HKCU\..\Run: [Gnorjv] C:\WINDOWS\system32\T?sks\n?tdde.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/pl...IM.9.5.1.8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11154 bytes



#2 MoNsTeReNeRgY22 (1337 Malware Destroyer; Members, 611 posts)

Posted 27 November 2007 - 12:58 AM

Hello and Welcome to Bleeping Computer.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.




#3 spunks3 (Topic Starter; Members, 37 posts)

Posted 27 November 2007 - 02:05 AM

Thank you so much in advance. I have tried several other forums and no one has gotten back to me at all. I will be waiting patiently.

#4 spunks3 (Topic Starter; Members, 37 posts)

Posted 27 November 2007 - 09:03 AM

I just wanted to add that I have a yellow triangular icon with "!" in it that says "Find and Fix Errors". I'm pretty sure it's malware.

Another problem that I am having after running Ad-Aware is that I get an error when I start up Windows (once I get to the desktop) saying "Error loading c:\windows\system32\rllhqfhl.dll: Access denied"... Anyway, just trying to help you so you can help me. Thanks again.

#5 spunks3 (Topic Starter; Members, 37 posts)

Posted 27 November 2007 - 01:11 PM

Sorry, here's an updated log for you...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:48 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {39d8e69d-5f7a-f79a-36d4-9887da426764} - {467624ad-7889-4d63-a97f-a7f5d96e8d93} - C:\WINDOWS\system32\kgdkleue.dll (file missing)
O2 - BHO: (no name) - {508C575A-E493-4BCC-8406-FD7996E257D0} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\xxyyywu.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [8cc2f7f0] rundll32.exe "C:\WINDOWS\system32\rllhqfhl.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Tvqr] "C:\Program Files\Common Files\??pPatch\??rss.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: jlgvoyxj - jlgvoyxj.dll (file missing)
O20 - Winlogon Notify: xxyyywu - xxyyywu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\yctojwlq.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11114 bytes


The same problems are happening; I still have that icon and pop-ups. Also, I'm having a problem with crssrs.exe (I think that's what it is).
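The two HijackThis logs above are read by eye for a handful of tell-tale patterns: registry entries whose file is "(file missing)" (orphans of a partial removal), paths containing "?" (HijackThis's rendering of unprintable or lookalike characters, as in `T?sks\n?tdde.exe` and `??pPatch\??rss.exe`), a Run value named with a random hex string that launches a DLL through rundll32, and a Windows system binary name running from a folder that imitates system32 (`SSTEM3~1\netdde.exe`). The following Python script is an added example that applies those same checks mechanically; it is not part of the thread and not a HijackThis feature. The sample log lines are constructed from the entry types seen in both logs, and the heuristics (the hex-name rule, the list of system binaries, the rundll32 rule) are this example's own assumptions about what is worth a second look, not a verdict that a flagged entry is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format, modelled on the logs posted in this
# thread. It is not a real log capture.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe
C:\WINDOWS\system32\T?sks\n?tdde.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\xxyyywu.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [8cc2f7f0] rundll32.exe "C:\WINDOWS\system32\rllhqfhl.dll",b
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Tvqr] "C:\Program Files\Common Files\??pPatch\??rss.exe"
O20 - Winlogon Notify: jlgvoyxj - jlgvoyxj.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\yctojwlq.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
"""

# "O4 - HKLM\..\Run: [name] command" style entry lines.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\S*?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First Windows path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|ocx))\b', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$")

# Assumed list of core Windows binaries that belong only in the Windows directory;
# a copy of one of these running from a profile folder is a classic impostor.
SYSTEM_BINARIES = {"netdde.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "winlogon.exe", "smss.exe", "services.exe", "explorer.exe"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}


@dataclass
class Finding:
    line: str
    reasons: list


def path_reasons(path):
    """Checks that apply to any file path, whether from a process or a registry entry."""
    reasons = []
    if "?" in path:
        reasons.append("unprintable or lookalike characters in path (shown as '?')")
    parent, _, base = path.lower().rpartition("\\")
    if base in SYSTEM_BINARIES and parent not in WINDOWS_DIRS:
        reasons.append(f"{base} is a Windows system binary but runs from {parent}")
    return reasons


def entry_reasons(kind, body):
    """Checks that apply to an Rn/On registry entry line."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("entry points at a file that no longer exists (orphan of a partial removal)")
    if kind == "O4":
        m = RUN_RE.match(body)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if HEX_NAME_RE.match(name):
                reasons.append(f"Run value name '{name}' is a random-looking hex string")
            if "rundll32" in cmd.lower() and "\\system32\\" in cmd.lower():
                reasons.append("Run entry uses rundll32 to load a DLL dropped in system32")
    m = PATH_RE.search(body)
    if m:
        reasons.extend(path_reasons(m.group(1)))
    return reasons


def triage(log_text):
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            reasons = entry_reasons(m.group("kind"), m.group("body"))
        elif re.match(r"^[A-Za-z]:\\", line):  # a "Running processes:" path line
            reasons = path_reasons(line)
        else:
            continue
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Running the script on the sample prints eight flagged lines; the legitimate `igfxtray`, `svchost.exe` and `GEARSec.exe` entries pass untouched, and the `[8cc2f7f0] rundll32.exe ...` entry collects two reasons. Anything the script flags is a candidate for the kind of confirmation the helper asks for in later replies (a fresh log after a removal tool has run), not a removal decision by itself.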

#6 spunks3 (Topic Starter; Members, 37 posts)

Posted 27 November 2007 - 07:33 PM

Here is the ActiveScan log.


Incident Status Location

Virus:Generic Malware Disinfected Operating system
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Admin\Desktop\Click to Find and Fix Errors.url
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Admin\Cookies\admin@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Admin\Cookies\admin@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Admin\Cookies\admin@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Admin\Cookies\admin@com[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Admin\Cookies\admin@did-it[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Admin\Cookies\admin@go[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Admin\Cookies\admin@go[3].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Admin\Cookies\admin@mediaplex[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Admin\Cookies\admin@target[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Admin\Cookies\admin@tribalfusion[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Admin\Cookies\admin@web.tickle[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Admin\Cookies\admin@xiti[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Admin\Local Settings\Temp\Cookies\admin@go[2].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\VD2UPTQD\!update-4395[1].0000
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Admin\My Documents\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Admin\My Documents\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Admin\My Documents\SmitfraudFix\restart.exe

#7 MoNsTeReNeRgY22 (1337 Malware Destroyer; Members, 611 posts)

Posted 28 November 2007 - 02:41 AM

Hello spunks3,

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




#8 spunks3 (Topic Starter; Members, 37 posts)

Posted 30 November 2007 - 10:10 PM

It's detecting two problems but it won't reset the computer. I ran it in Safe Mode and it did reset, but the program never ran again when it booted back up. My card reader won't work as well... Any suggestions?

#9 MoNsTeReNeRgY22 (1337 Malware Destroyer; Members, 611 posts)

Posted 01 December 2007 - 05:16 PM

Hello,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**




#10 spunks3 (Topic Starter; Members, 37 posts)

Posted 02 December 2007 - 07:38 PM

When I tried to run both ComboFix and HijackThis I received an error saying they are not valid Win32 programs. I restarted into Safe Mode and I was able to run both.



ComboFix 07-12-02.7 - Admin 2007-12-02 19:12:50.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\SSTEM3~1
C:\Documents and Settings\Admin\Application Data\SSTEM3~1\s?stem32\
C:\Documents and Settings\Admin\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Program Files\Common Files\ppatch~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bszip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-11-30 21:29 . 2007-11-30 21:54 <DIR> d-------- C:\VundoFix Backups
2007-11-27 18:57 . 2007-11-27 18:57 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-27 18:57 . 2007-11-27 18:57 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-27 18:57 . 2007-11-27 18:57 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-27 18:03 . 2007-11-27 18:28 3,946 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-27 17:11 . 2007-11-27 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 17:08 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-11-27 17:08 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-11-27 08:31 . 2007-11-27 08:31 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Lavasoft
2007-11-27 08:29 . 2007-11-27 08:30 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2007-11-26 23:33 . 2007-11-26 23:33 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Grisoft
2007-11-26 23:28 . 2007-11-26 23:28 <DIR> d-------- C:\Program Files\COMODO
2007-11-26 23:28 . 2007-11-26 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-11-26 23:28 . 2007-11-26 23:28 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Comodo
2007-11-26 23:28 . 2007-11-26 23:28 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2007-11-26 23:28 . 2007-11-26 23:28 79,096 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-11-26 23:28 . 2007-11-26 23:28 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-11-26 23:23 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-26 23:09 . 2007-11-27 08:59 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\AVG7
2007-11-26 23:08 . 2007-11-26 23:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-26 23:07 . 2007-11-26 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-26 23:07 . 2007-12-02 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-26 23:04 . 2007-11-25 11:02 2,238 --a------ C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
2007-11-26 22:12 . 2007-11-26 23:03 780,353 --ahs---- C:\WINDOWS\system32\lhfqhllr.ini
2007-11-25 20:40 . 2007-11-25 20:40 2 --a------ C:\WINDOWS\msoffice.ini
2007-11-25 20:27 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-25 19:08 . 2007-11-26 22:42 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-25 19:08 . 2007-11-25 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-25 19:07 . 2007-11-26 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 17:47 . 2007-11-25 19:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-25 17:47 . 2007-11-25 17:47 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2007-11-25 15:41 . 2007-11-25 15:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 15:06 . 2007-11-25 19:07 <DIR> d-------- C:\Program Files\SpyNoMore
2007-11-25 14:25 . 2007-11-27 19:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-25 13:40 . 2007-11-27 17:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-25 11:23 . 2007-11-25 19:07 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-11-25 11:23 . 2007-11-25 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft(2)
2007-11-18 05:41 . 2007-11-26 23:14 444,537 --ahs---- C:\WINDOWS\system32\ijjlm.ini2
2007-11-18 05:41 . 2007-11-26 23:16 444,537 --ahs---- C:\WINDOWS\system32\ijjlm.ini
2007-11-07 16:07 . 2007-11-25 11:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-07 16:07 . 2007-11-07 16:07 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 19:45 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2007-11-28 00:21 --------- d-----w C:\Program Files\NetWaiting
2007-11-28 00:20 --------- d-----w C:\Program Files\iTunes
2007-11-28 00:18 --------- d-----w C:\Program Files\Google
2007-11-28 00:18 --------- d-----w C:\Program Files\Digital Line Detect
2007-11-28 00:18 --------- d-----w C:\Program Files\DellSupport
2007-11-28 00:16 --------- d-----w C:\Program Files\America Online 9.0
2007-11-28 00:16 --------- d-----w C:\Program Files\AIM
2007-11-27 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-27 23:37 --------- d-----w C:\Program Files\Viewpoint
2007-11-27 23:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-27 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-26 01:41 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-26 01:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-26 01:37 --------- d-----w C:\Program Files\RealArcade
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467624ad-7889-4d63-a97f-a7f5d96e8d93}]
C:\WINDOWS\system32\kgdkleue.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{508C575A-E493-4BCC-8406-FD7996E257D0}]
C:\WINDOWS\system32\mljji.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 16:48]
"Sen"="C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Tvqr"="C:\Program Files\Common Files\??pPatch\??rss.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 16:44]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 16:41]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 16:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-22 17:35]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-02-20 12:29]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 15:32]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-06-06 18:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 14:53]
"8cc2f7f0"="C:\WINDOWS\system32\rllhqfhl.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-26 23:07]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-11-26 23:28]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-26 23:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jlgvoyxj]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyywu]
xxyyywu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 03:10:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 19:19:08
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 19:21:38 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:49 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {39d8e69d-5f7a-f79a-36d4-9887da426764} - {467624ad-7889-4d63-a97f-a7f5d96e8d93} - C:\WINDOWS\system32\kgdkleue.dll (file missing)
O2 - BHO: (no name) - {508C575A-E493-4BCC-8406-FD7996E257D0} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [8cc2f7f0] rundll32.exe "C:\WINDOWS\system32\rllhqfhl.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Tvqr] "C:\Program Files\Common Files\??pPatch\??rss.exe"
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: jlgvoyxj - C:\WINDOWS\
O20 - Winlogon Notify: xxyyywu - xxyyywu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7960 bytes

#11 MoNsTeReNeRgY22

  • 1337 Malware Destroyer
  • Members
  • 611 posts
  • Gender:Male

Posted 04 December 2007 - 11:23 PM

Hello,

Step 1
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Step 2
Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: {39d8e69d-5f7a-f79a-36d4-9887da426764} - {467624ad-7889-4d63-a97f-a7f5d96e8d93} - C:\WINDOWS\system32\kgdkleue.dll (file missing)
O2 - BHO: (no name) - {508C575A-E493-4BCC-8406-FD7996E257D0} - C:\WINDOWS\system32\mljji.dll (file missing)
O4 - HKLM\..\Run: [8cc2f7f0] rundll32.exe "C:\WINDOWS\system32\rllhqfhl.dll",b
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Tvqr] "C:\Program Files\Common Files\??pPatch\??rss.exe"
O20 - Winlogon Notify: jlgvoyxj - C:\WINDOWS\
O20 - Winlogon Notify: xxyyywu - xxyyywu.dll (file missing)


Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

Step 3
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\kgdkleue.dll
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\rllhqfhl.dll
C:\WINDOWS\jlgvoyxj.dll
C:\WINDOWS\system32\lhfqhllr.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\xxyyywu.dll

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Step 4
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Step 5
Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
Step 6
Please post the following in your next reply
  • ComboFix log
  • Blacklight log
  • Fresh HJT log
  • Update on how everything is running



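As an added example (not part of this thread, and not code from HijackThis or ComboFix), the script below applies the triage criteria behind the Step 2 selection above to HJT log lines and then emits the `File::` section of a CFScript in the format used in Step 3. The sample lines are copied from the log in this thread with known-good entries mixed in; the rules, the `Finding` type and `cfscript_file_section` are my own assumptions, and a human still reviews every hit because legitimate entries can match a heuristic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O2/O3/O4/O9/O20 lines copied from the HijackThis log in this
# thread, with known-good entries included so the rules can be checked for false hits.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {39d8e69d-5f7a-f79a-36d4-9887da426764} - {467624ad-7889-4d63-a97f-a7f5d96e8d93} - C:\WINDOWS\system32\kgdkleue.dll (file missing)
O2 - BHO: (no name) - {508C575A-E493-4BCC-8406-FD7996E257D0} - C:\WINDOWS\system32\mljji.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [8cc2f7f0] rundll32.exe "C:\WINDOWS\system32\rllhqfhl.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Tvqr] "C:\Program Files\Common Files\??pPatch\??rss.exe"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: jlgvoyxj - C:\WINDOWS\
O20 - Winlogon Notify: xxyyywu - xxyyywu.dll (file missing)
"""


@dataclass
class Finding:
    line: str             # the HJT line as logged
    reason: str           # which rule fired
    path: Optional[str]   # absolute file path named by the entry, if any


# Autostart binary located under a user profile rather than Program Files / Windows.
USER_PROFILE = re.compile(r'\\(DOCUME~1|Documents and Settings)\\', re.I)
# A '?' inside a path component: HJT prints unprintable characters that way, and
# the entry in this thread uses them to mimic a system folder name.
MANGLED_PATH = re.compile(r'\\[^\\"]*\?')
# rundll32 used as a loader for a DLL given by absolute path.
RUNDLL_LOADER = re.compile(r'rundll32(\.exe)?\s+"?[A-Za-z]:\\', re.I)


def extract_path(body: str) -> Optional[str]:
    """Return the first absolute file path in the entry (quoted or not), else None."""
    quoted = re.search(r'"([A-Za-z]:\\[^"]+)"', body)
    if quoted:
        return quoted.group(1)
    unquoted = re.search(r'[A-Za-z]:\\.+?\.(?:exe|dll|ini|ocx|sys)\b', body, re.I)
    return unquoted.group(0) if unquoted else None


def triage(line: str) -> Optional[Finding]:
    """Apply the rules to one O2 / O4 / O20 line; other sections are left to the analyst."""
    m = re.match(r'^(O2|O4|O20) - (.*)$', line.strip())
    if not m:
        return None
    section, body = m.groups()
    reason = None
    if '(file missing)' in body:
        reason = 'loader entry points at a file that no longer exists'
    elif section == 'O20' and body.startswith('Winlogon Notify:') and body.endswith('\\'):
        reason = 'Winlogon Notify target is a bare directory, not a DLL'
    elif section == 'O4' and MANGLED_PATH.search(body):
        reason = 'autostart path contains unprintable characters'
    elif section == 'O4' and USER_PROFILE.search(body):
        reason = 'autostart executable lives in a user profile directory'
    elif section == 'O4' and RUNDLL_LOADER.search(body):
        reason = 'rundll32 loads a DLL at logon'
    if reason is None:
        return None
    return Finding(line.strip(), reason, extract_path(body))


def triage_log(text: str) -> List[Finding]:
    """Run triage over a whole HJT log and keep the entries that hit a rule."""
    return [f for f in (triage(l) for l in text.splitlines()) if f]


def cfscript_file_section(findings: List[Finding]) -> str:
    """Build the 'File::' section of a CFScript from the absolute paths that were flagged."""
    paths = []
    for f in findings:
        if f.path and f.path not in paths:
            paths.append(f.path)
    return 'File::\n' + '\n'.join(paths) + '\n'


if __name__ == '__main__':
    hits = triage_log(SAMPLE_LOG)
    for f in hits:
        print(f'{f.reason}: {f.line}')
    print(cfscript_file_section(hits))
```

Entries without an absolute path (the bare `C:\WINDOWS\` Winlogon target and the relative `xxyyywu.dll`) are reported but deliberately left out of the `File::` list, since ComboFix needs a full path there.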

#12 spunks3

  • Topic Starter
  • Members
  • 37 posts

Posted 08 December 2007 - 12:57 AM

Okay, I tried my best here. I have some problems though. When I downloaded the new Java it didn't appear on my desktop until I restarted my computer. Then it gave me an error when I went to install it.

Problem #2 - when I try to install programs, I get an error that tells me they are not Win32 applications or programs. It happened when I tried to install the last program you asked me to. I went into safe mode and it told me I couldn't run it there; I restarted and it appeared on my desktop and worked this time.

I still have the "click to find and fix errors" icon on my desktop.

Also, when I try to open Internet Explorer, it doesn't open the first couple of times I try. And when I shut down my computer I get the End Program error for Iexplorer.exe.


here are the logs you asked for....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:10 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7331 bytes

ComboFix 07-12-02.7 - Admin 2007-12-02 19:12:50.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\SSTEM3~1
C:\Documents and Settings\Admin\Application Data\SSTEM3~1\s?stem32\
C:\Documents and Settings\Admin\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Program Files\Common Files\ppatch~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bszip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-11-03 to 2007-12-03 )))))))))))))))))))))))))))))))
.

2007-11-30 21:29 . 2007-11-30 21:54 <DIR> d-------- C:\VundoFix Backups
2007-11-27 18:57 . 2007-11-27 18:57 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-27 18:57 . 2007-11-27 18:57 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-27 18:57 . 2007-11-27 18:57 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-27 18:03 . 2007-11-27 18:28 3,946 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-27 17:11 . 2007-11-27 17:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-27 17:08 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-11-27 17:08 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-11-27 08:31 . 2007-11-27 08:31 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Lavasoft
2007-11-27 08:29 . 2007-11-27 08:30 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2007-11-26 23:33 . 2007-11-26 23:33 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Grisoft
2007-11-26 23:28 . 2007-11-26 23:28 <DIR> d-------- C:\Program Files\COMODO
2007-11-26 23:28 . 2007-11-26 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-11-26 23:28 . 2007-11-26 23:28 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Comodo
2007-11-26 23:28 . 2007-11-26 23:28 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2007-11-26 23:28 . 2007-11-26 23:28 79,096 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-11-26 23:28 . 2007-11-26 23:28 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-11-26 23:23 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-26 23:09 . 2007-11-27 08:59 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\AVG7
2007-11-26 23:08 . 2007-11-26 23:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-26 23:07 . 2007-11-26 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-26 23:07 . 2007-12-02 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-26 23:04 . 2007-11-25 11:02 2,238 --a------ C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
2007-11-26 22:12 . 2007-11-26 23:03 780,353 --ahs---- C:\WINDOWS\system32\lhfqhllr.ini
2007-11-25 20:40 . 2007-11-25 20:40 2 --a------ C:\WINDOWS\msoffice.ini
2007-11-25 20:27 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-25 19:08 . 2007-11-26 22:42 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-25 19:08 . 2007-11-25 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-25 19:07 . 2007-11-26 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 17:47 . 2007-11-25 19:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-25 17:47 . 2007-11-25 17:47 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2007-11-25 15:41 . 2007-11-25 15:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-25 15:06 . 2007-11-25 19:07 <DIR> d-------- C:\Program Files\SpyNoMore
2007-11-25 14:25 . 2007-11-27 19:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-25 13:40 . 2007-11-27 17:09 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-25 11:23 . 2007-11-25 19:07 <DIR> d-------- C:\Program Files\Lavasoft(2)
2007-11-25 11:23 . 2007-11-25 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft(2)
2007-11-18 05:41 . 2007-11-26 23:14 444,537 --ahs---- C:\WINDOWS\system32\ijjlm.ini2
2007-11-18 05:41 . 2007-11-26 23:16 444,537 --ahs---- C:\WINDOWS\system32\ijjlm.ini
2007-11-07 16:07 . 2007-11-25 11:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-07 16:07 . 2007-11-07 16:07 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 19:45 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2007-11-28 00:21 --------- d-----w C:\Program Files\NetWaiting
2007-11-28 00:20 --------- d-----w C:\Program Files\iTunes
2007-11-28 00:18 --------- d-----w C:\Program Files\Google
2007-11-28 00:18 --------- d-----w C:\Program Files\Digital Line Detect
2007-11-28 00:18 --------- d-----w C:\Program Files\DellSupport
2007-11-28 00:16 --------- d-----w C:\Program Files\America Online 9.0
2007-11-28 00:16 --------- d-----w C:\Program Files\AIM
2007-11-27 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-27 23:37 --------- d-----w C:\Program Files\Viewpoint
2007-11-27 23:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-27 23:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-26 01:41 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-26 01:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-26 01:37 --------- d-----w C:\Program Files\RealArcade
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467624ad-7889-4d63-a97f-a7f5d96e8d93}]
C:\WINDOWS\system32\kgdkleue.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{508C575A-E493-4BCC-8406-FD7996E257D0}]
C:\WINDOWS\system32\mljji.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 02:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 16:48]
"Sen"="C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"Tvqr"="C:\Program Files\Common Files\??pPatch\??rss.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 16:44]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 16:41]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 16:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-22 17:35]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-02-20 12:29]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 11:48]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 15:32]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-06-06 18:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 19:20]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 14:53]
"8cc2f7f0"="C:\WINDOWS\system32\rllhqfhl.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-26 23:07]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-11-26 23:28]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-26 23:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jlgvoyxj]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyywu]
xxyyywu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 03:10:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 19:19:08
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 19:21:38 - machine was rebooted
.
--- E O F ---










12/08/07 00:37:00 [Info]: BlackLight Engine 1.0.67 initialized
12/08/07 00:37:00 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/08/07 00:37:01 [Note]: 7019 4
12/08/07 00:37:01 [Note]: 7005 0
12/08/07 00:37:30 [Note]: 7006 0
12/08/07 00:37:30 [Note]: 7022 0
12/08/07 00:37:30 [Note]: 7011 196
12/08/07 00:37:31 [Note]: 7026 0
12/08/07 00:37:32 [Note]: 7026 0
12/08/07 00:37:44 [Note]: FSRAW library version 1.7.1024
12/08/07 00:44:48 [Note]: 7007 0

#13 MoNsTeReNeRgY22

    1337 Malware Destroyer


  • Members
  • 611 posts
  • Gender:Male

Posted 11 December 2007 - 10:09 PM

Hello again,

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Step 1
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
Go to Start > Run
Type: regedit
Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
Registry Modifications

Download and save the following reg file to your desktop.

Attached File: fixforSpunks3.reg (540 bytes)

Go to your desktop and double-click "fixforSpunks3.reg" and merge the information with the registry.
The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Step 2
Open Notepad and copy and paste the following code box into it, starting with @echo off

@echo off
echo Delitor by wng_z3r0 >deleteOutput.txt
echo. >>deleteOutput.txt
echo Files to delete: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
echo "C:\WINDOWS\system32\pavas.ico" >>deleteOutput.txt
attrib "C:\WINDOWS\system32\pavas.ico" -h -r -s
del /f /q "C:\WINDOWS\system32\pavas.ico"
echo "C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" >>deleteOutput.txt
attrib "C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" -h -r -s
del /f /q "C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP"
echo "C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico" >>deleteOutput.txt
attrib "C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico" -h -r -s
del /f /q "C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico"
echo "C:\WINDOWS\system32\lhfqhllr.ini" >>deleteOutput.txt
attrib "C:\WINDOWS\system32\lhfqhllr.ini" -h -r -s
del /f /q "C:\WINDOWS\system32\lhfqhllr.ini"
echo "C:\WINDOWS\system32\ijjlm.ini2" >>deleteOutput.txt
attrib "C:\WINDOWS\system32\ijjlm.ini2" -h -r -s
del /f /q "C:\WINDOWS\system32\ijjlm.ini2"
echo "C:\WINDOWS\system32\ijjlm.ini" >>deleteOutput.txt
attrib "C:\WINDOWS\system32\ijjlm.ini" -h -r -s
del /f /q "C:\WINDOWS\system32\ijjlm.ini"
echo "C:\WINDOWS\system32\kgdkleue.dll" >>deleteOutput.txt
attrib "C:\WINDOWS\system32\kgdkleue.dll" -h -r -s
del /f /q "C:\WINDOWS\system32\kgdkleue.dll"
echo "C:\WINDOWS\system32\mljji.dll" >>deleteOutput.txt
attrib "C:\WINDOWS\system32\mljji.dll" -h -r -s
del /f /q "C:\WINDOWS\system32\mljji.dll"
echo "C:\WINDOWS\system32\rllhqfhl.dll" >>deleteOutput.txt
attrib "C:\WINDOWS\system32\rllhqfhl.dll" -h -r -s
del /f /q "C:\WINDOWS\system32\rllhqfhl.dll"
echo. >>deleteOutput.txt
echo END Files to delete: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
echo. >>deleteOutput.txt
echo. >>deleteOutput.txt
echo. >>deleteOutput.txt
echo Files remaining after deletion: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
if exist "C:\WINDOWS\system32\pavas.ico" echo "C:\WINDOWS\system32\pavas.ico" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\system32\pavas.ico" dir /q "C:\WINDOWS\system32\pavas.ico" >>deleteOutput.txt
if exist "C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" echo "C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" dir /q "C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" >>deleteOutput.txt
if exist "C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico" echo "C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico" dir /q "C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico" >>deleteOutput.txt
if exist "C:\WINDOWS\system32\lhfqhllr.ini" echo "C:\WINDOWS\system32\lhfqhllr.ini" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\system32\lhfqhllr.ini" dir /q "C:\WINDOWS\system32\lhfqhllr.ini" >>deleteOutput.txt
if exist "C:\WINDOWS\system32\ijjlm.ini2" echo "C:\WINDOWS\system32\ijjlm.ini2" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\system32\ijjlm.ini2" dir /q "C:\WINDOWS\system32\ijjlm.ini2" >>deleteOutput.txt
if exist "C:\WINDOWS\system32\ijjlm.ini" echo "C:\WINDOWS\system32\ijjlm.ini" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\system32\ijjlm.ini" dir /q "C:\WINDOWS\system32\ijjlm.ini" >>deleteOutput.txt
if exist "C:\WINDOWS\system32\kgdkleue.dll" echo "C:\WINDOWS\system32\kgdkleue.dll" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\system32\kgdkleue.dll" dir /q "C:\WINDOWS\system32\kgdkleue.dll" >>deleteOutput.txt
if exist "C:\WINDOWS\system32\mljji.dll" echo "C:\WINDOWS\system32\mljji.dll" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\system32\mljji.dll" dir /q "C:\WINDOWS\system32\mljji.dll" >>deleteOutput.txt
if exist "C:\WINDOWS\system32\rllhqfhl.dll" echo "C:\WINDOWS\system32\rllhqfhl.dll" is STILL present >>deleteOutput.txt
if exist "C:\WINDOWS\system32\rllhqfhl.dll" dir /q "C:\WINDOWS\system32\rllhqfhl.dll" >>deleteOutput.txt
echo. >>deleteOutput.txt
echo END of file: >>deleteOutput.txt
echo ************************** >>deleteOutput.txt
start notepad "%cd%\deleteOutput.txt"
exit

Save this as replace.bat, choose to save as *all files*, and place it on your desktop.
(In case you are unsure how to create a bat file, take a look here with screenshots.)

* Reboot into Safe Mode (without networking support!)
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Once in Safe Mode, double-click the replace.bat you created previously.
The data needed then should be merged.
Then please boot back to normal Windows.

Step 3
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Edited by MoNsTeReNeRgY22, 11 December 2007 - 10:10 PM.


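The removal list in the post above was read off the ComboFix log: hidden+system .ini files in system32, Run entries whose bracketed stamp is empty or whose path contains unprintable characters, BHOs loading a bare DLL from system32, and Winlogon\Notify packages that ComboFix chose to print. As an added example (not the helper's, ComboFix's or this thread's own tool), the Python below parses those two log sections and flags the same indicators; the sample lines are copied from the log in this thread, except the benign Spybot BHO line, which is constructed from the WinPFind3U section for contrast.

```python
"""Triage for the two ComboFix log sections quoted above (new-files listing and
REGEDIT4 "Reg Loading Points"). Added example for this thread, not the helper's
or ComboFix's own tool; heuristics only, so every hit still needs a human look.
Sample lines are copied from this thread's log; the benign Spybot BHO line is
constructed from the WinPFind3U section for contrast."""
import re
from dataclasses import dataclass

SAMPLE_FILES = r"""
2007-11-27 17:08 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2007-11-26 23:28 . 2007-11-26 23:28 <DIR> d-------- C:\Program Files\COMODO
2007-11-26 22:12 . 2007-11-26 23:03 780,353 --ahs---- C:\WINDOWS\system32\lhfqhllr.ini
2007-11-18 05:41 . 2007-11-26 23:14 444,537 --ahs---- C:\WINDOWS\system32\ijjlm.ini2
2007-11-18 05:41 . 2007-11-26 23:16 444,537 --ahs---- C:\WINDOWS\system32\ijjlm.ini
2007-11-07 16:07 . 2007-11-25 11:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
"""
SAMPLE_REG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467624ad-7889-4d63-a97f-a7f5d96e8d93}]
C:\WINDOWS\system32\kgdkleue.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"Sen"="C:\DOCUME~1\Admin\APPLIC~1\SSTEM3~1\netdde.exe" []
"Tvqr"="C:\Program Files\Common Files\??pPatch\??rss.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8cc2f7f0"="C:\WINDOWS\system32\rllhqfhl.dll" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jlgvoyxj]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyywu]
xxyyywu.dll
"""

DATE = r"\d{4}-\d\d-\d\d \d\d:\d\d"
FILE_LINE = re.compile(rf"^(?P<created>{DATE}) \. (?P<modified>{DATE}) "
                       r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$")
KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)" \[(?P<stamp>[^\]]*)\]$')
WINDIR, SYSTEM32 = "c:\\windows\\", "c:\\windows\\system32\\"


@dataclass(frozen=True)
class FileEntry:
    created: str
    modified: str
    size: str    # "<DIR>" or the comma-grouped byte count
    attrs: str   # ComboFix flag string, e.g. "--ahs----"
    path: str


def parse_file_lines(text: str) -> list:
    """Parse ComboFix new-files lines; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            entries.append(FileEntry(m["created"], m["modified"], m["size"], m["attrs"], m["path"]))
    return entries


def suspicious_files(entries: list) -> list:
    """Loose files under the Windows directory with both hidden and system set.
    Installers rarely do that in system32; the three .ini files the batch above
    deletes all match, while QTFont.qfn (hidden only) does not."""
    return [e.path for e in entries
            if not e.attrs.startswith("d") and "h" in e.attrs and "s" in e.attrs
            and e.path.lower().startswith(WINDIR)]


def suspicious_reg(text: str) -> list:
    """Return (reason, detail) pairs from the REGEDIT4 loading-points dump."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if not line or line == "REGEDIT4":
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m["key"]
            # ComboFix omits default Winlogon\Notify packages, so any it prints is third-party.
            if "winlogon\\notify\\" in key.lower():
                findings.append(("Winlogon Notify package", key.rsplit("\\", 1)[-1]))
            continue
        low = key.lower()
        if "browser helper objects" in low and line.lower().startswith(SYSTEM32):
            findings.append(("BHO loaded from system32 (legit ones live under Program Files)", line))
        elif low.endswith("\\run") and (v := RUN_VALUE.match(line)):
            if v["stamp"] == "":  # ComboFix could not stamp the target file
                findings.append(("Run entry with empty [] stamp", v["name"]))
            if "?" in v["cmd"]:   # unprintable path bytes are shown as '?'
                findings.append(("Run target with unprintable path characters", v["name"]))
            if v["cmd"].lower().endswith(".dll"):
                findings.append(("Run entry pointing at a DLL", v["name"]))
    return findings


if __name__ == "__main__":
    print(*suspicious_files(parse_file_lines(SAMPLE_FILES)), sep="\n")
    print(*suspicious_reg(SAMPLE_REG), sep="\n")
```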


#14 spunks3
  • Topic Starter

  • Members
  • 37 posts

Posted 13 December 2007 - 01:17 AM

My computer never allowed me to install Java. When I went to click on the winpfind3u.exe it did not show up on my desktop at first, so I had to reboot in safe mode and run it. Also I am having problems opening Internet Explorer; I have to click it numerous times to get it to open a web page. Also, when I shut down I still get the end program error for iexplorer.exe. The icon that said "click to find and fix errors" did not disappear completely, but it looks like it is unrecognizable because the icon changed. Also my computer still won't read my SD card from my camera.



Here are the logs you asked for:

Delitor by wng_z3r0

Files to delete:
**************************
"C:\WINDOWS\system32\pavas.ico"
"C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP"
"C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico"
"C:\WINDOWS\system32\lhfqhllr.ini"
"C:\WINDOWS\system32\ijjlm.ini2"
"C:\WINDOWS\system32\ijjlm.ini"
"C:\WINDOWS\system32\kgdkleue.dll"
"C:\WINDOWS\system32\mljji.dll"
"C:\WINDOWS\system32\rllhqfhl.dll"

END Files to delete:
**************************



Files remaining after deletion:
**************************
"C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" is STILL present
Volume in drive C has no label.
Volume Serial Number is 8CC2-F75F

Directory of C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP

12/13/2007 12:32 AM <DIR> JESSICA\Admin .
12/13/2007 12:32 AM <DIR> BUILTIN\Administrators ..
0 File(s) 0 bytes
2 Dir(s) 46,684,356,608 bytes free

END of file:
**************************





WinPFind3 logfile created on: 12/13/2007 12:56:15 AM
WinPFind3U by OldTimer - Version 1.0.44 Folder = C:\Documents and Settings\Admin\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

1014.37 Mb Total Physical Memory | 814.85 Mb Available Physical Memory | 80.33% Memory free
2.39 Gb Paging File | 2.29 Gb Available in Paging File | 96.14% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.87 Gb Total Space | 43.48 Gb Free Space | 77.81% Space Free
Drive D: | 12.92 Gb Total Space | 12.86 Gb Free Space | 99.51% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: JESSICA
Current User Name: Admin
Logged in as Administrator.
Cannot determine boot mode.


[Processes - Non-Microsoft Only]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 1 | Size = 566616 bytes | Modified Date = 8/27/2007 1:38:50 PM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 7:31:10 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 11/21/2007 9:19:46 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 1 | Size = 566616 bytes | Modified Date = 8/27/2007 1:38:50 PM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 7:31:10 AM | Attr = ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.496 | Size = 418816 bytes | Modified Date = 11/26/2007 11:07:56 PM | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 11/26/2007 11:07:58 PM | Attr = ]
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.494 | Size = 406528 bytes | Modified Date = 11/26/2007 11:07:58 PM | Attr = ]
(cmdAgent) COMODO Firewall Pro Helper Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\COMODO\Firewall\cmdagent.exe -> COMODO [Ver = 2.4.0.19 | Size = 544512 bytes | Modified Date = 11/26/2007 11:28:48 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 5:00:00 AM | Attr = ]
(DSBrokerService) DSBrokerService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\DellSupport\brkrsvc.exe -> [Ver = 1, 0, 0, 8 | Size = 76848 bytes | Modified Date = 3/7/2007 2:47:46 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 6/26/2007 5:39:36 PM | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 501312 bytes | Modified Date = 6/1/2007 3:51:22 PM | Attr = ]
(wltrysvc) Dell Wireless WLAN Tray Service [Win32_Own | Auto | Stopped] -> %System32%\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe -> File not found

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 6/11/2007 4:25:42 AM | Attr = ]
AAWTray -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\AAWTray.exe -> [Ver = 1, 0, 0, 1 | Size = 88024 bytes | Modified Date = 8/8/2007 2:53:16 PM | Attr = ]
AVG7_CC -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.497 | Size = 579072 bytes | Modified Date = 11/26/2007 11:07:56 PM | Attr = ]
Broadcom Wireless Manager UI -> %System32%\WLTRAY.EXE -> Dell Inc. [Ver = 4.100.15.8 | Size = 1392640 bytes | Modified Date = 11/22/2006 5:35:50 PM | Attr = ]
COMODO Firewall Pro -> %ProgramFiles%\COMODO\Firewall\cfp.exe -> COMODO [Ver = 1.0.0.1 | Size = 1481984 bytes | Modified Date = 11/26/2007 11:28:48 PM | Attr = ]
Corel Photo Downloader -> %ProgramFiles%\Corel\Corel Photo Album 6\MediaDetect.exe -> Corel, Inc. [Ver = 6.3.3 (20060209.16) | Size = 106496 bytes | Modified Date = 2/9/2006 5:34:54 PM | Attr = ]
Dell QuickSet -> %ProgramFiles%\Dell\QuickSet\quickset.exe -> Dell Inc [Ver = 8, 1, 10, 0 | Size = 1191936 bytes | Modified Date = 2/20/2007 12:29:08 PM | Attr = ]
dla -> %System32%\dla\tfswctrl.exe -> Sonic Solutions [Ver = 1.04.08a | Size = 127035 bytes | Modified Date = 12/6/2004 1:05:00 AM | Attr = ]
DVDLauncher -> %ProgramFiles%\CyberLink\PowerDVD\DVDLauncher.exe -> CyberLink Corp. [Ver = 3.00.0000 | Size = 49152 bytes | Modified Date = 12/9/2005 8:29:52 PM | Attr = ]
igfxhkcmd -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4446 | Size = 77824 bytes | Modified Date = 12/13/2005 4:41:08 PM | Attr = ]
igfxpers -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4446 | Size = 118784 bytes | Modified Date = 12/13/2005 4:45:00 PM | Attr = ]
igfxtray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4446 | Size = 98304 bytes | Modified Date = 12/13/2005 4:44:18 PM | Attr = ]
ISUSPM Startup -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> InstallShield Software Corporation [Ver = 4, 50, 100, 33433 | Size = 249856 bytes | Modified Date = 6/10/2005 10:44:02 AM | Attr = ]
ISUSScheduler -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 4, 50, 100, 33433 | Size = 81920 bytes | Modified Date = 6/10/2005 10:44:02 AM | Attr = ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.2.0.35 | Size = 257088 bytes | Modified Date = 6/1/2007 3:51:26 PM | Attr = ]
MimBoot -> %ProgramFiles%\MUSICMATCH\Musicmatch Jukebox\mimboot.exe -> Musicmatch, Inc. [Ver = 10.10.0097 | Size = 8192 bytes | Modified Date = 9/8/2005 7:20:46 PM | Attr = ]
MMTray -> %ProgramFiles%\Musicmatch\Musicmatch Jukebox\mm_tray.exe -> Musicmatch, Inc. [Ver = 10.10.0097 | Size = 110592 bytes | Modified Date = 9/8/2005 7:20:46 PM | Attr = ]
PCMService -> %ProgramFiles%\Dell\MediaDirect\PCMService.exe -> CyberLink Corp. [Ver = 4, 5, 0, 0 | Size = 184320 bytes | Modified Date = 8/22/2006 3:32:18 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Inc. [Ver = 7.1.6 | Size = 282624 bytes | Modified Date = 4/27/2007 8:41:54 AM | Attr = ]
RealTray -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 6/6/2007 6:28:42 PM | Attr = ]
SigmatelSysTrayApp -> %SystemRoot%\stsystra.exe -> SigmaTel, Inc. [Ver = 1.0.4995.1 nd446 cp1 | Size = 282624 bytes | Modified Date = 3/24/2006 4:30:44 PM | Attr = ]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.4.6 08Mar06 | Size = 761947 bytes | Modified Date = 3/8/2006 11:48:02 AM | Attr = ]
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
AIM -> %ProgramFiles%\AIM\aim.exe -cnetwait.odl -> File not found
DellSupport -> %ProgramFiles%\DellSupport\DSAgnt.exe -> Gteko Ltd. [Ver = 3, 0, 0, 197 | Size = 460784 bytes | Modified Date = 3/15/2007 10:09:36 AM | Attr = ]
ModemOnHold -> %ProgramFiles%\NetWaiting\netWaiting.exe -> [Ver = | Size = 20480 bytes | Modified Date = 9/10/2003 2:24:00 AM | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/25/2007 4:48:30 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Digital Line Detect.lnk -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 10/29/2003 2:06:00 AM | Attr = ]
%AllUsersStartup%\QuickBooks Update Agent.lnk -> %CommonProgramFiles%\Intuit\QuickBooks\QBUpdate\qbupdate.exe -> Intuit, Inc. [Ver = 15.0 R2 | Size = 806912 bytes | Modified Date = 11/11/2004 11:59:36 AM | Attr = ]
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
C:\WINDOWS\system32\guard32.dll -> %System32%\guard32.dll -> [Ver = | Size = 139008 bytes | Modified Date = 11/26/2007 11:28:48 PM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 7:29:58 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
igfxcui -> %System32%\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4446 | Size = 139264 bytes | Modified Date = 12/13/2005 4:40:12 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoCDBurning -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
online_musicmatch.com [https] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.1.2003110300 | Size = 54248 bytes | Modified Date = 11/3/2003 2:17:44 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> %System32%\dla\tfswshx.dll [DriveLetterAccess] -> Sonic Solutions [Ver = 1.04.08a | Size = 118842 bytes | Modified Date = 12/6/2004 1:05:00 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 6/26/2007 5:39:36 PM | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 7/25/2007 4:48:30 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 6/26/2007 5:39:36 PM | Attr = R ]
{BA52B914-B692-46c4-B683-905236F6F655} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 6/26/2007 5:39:36 PM | Attr = R ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> %ProgramFiles%\AIM\aim.exe [ButtonText: AIM] -> America Online, Inc. [Ver = 5.9.6089 | Size = 67112 bytes | Modified Date = 8/1/2006 2:35:36 PM | Attr = ]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{d81ca86b-ef63-42af-bee3-4502d9a03c2d} -> http:\wwws.musicmatch.com\mmz\openWebRadio.htm [ButtonText: MUSICMATCH MX Web Player] -> File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [MenuText: Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{9A50EBA6-5200-42D8-8C0F-ED31498B1DE2} -> (1394 Net Adapter) ->
{C22C09FB-9005-4143-8ADD-E185AE83F808} -> (Dell Wireless 1390 WLAN Mini-Card) ->
{DEA00628-ADFC-472F-AEE3-F2696CBB4235} -> (Broadcom 440x 10/100 Integrated Controller) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab ->
{48DD0448-9209-4F81-9F6D-D83562940134} -> MySpace Uploader Control - CodeBase = http://lads.myspace.com/upload/MySpaceUploader1005.cab ->
{5F8469B4-B055-49DD-83F7-62B522420ECC} -> Facebook Photo Uploader Control - CodeBase = http://upload.facebook.com/controls/Facebo...otoUploader.cab ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -> - CodeBase = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab ->
{9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} -> AIM UPF Control - CodeBase = http://pictures06.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab ->


[Files/Folders - Created Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [Folder | Created Date = 11/26/2007 11:10:07 PM | Attr = RH ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 12/2/2007 7:11:25 PM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 11/25/2007 7:07:37 PM | Attr = ]
fsbl.exe -> %SystemDrive%\fsbl.exe -> F-Secure Corporation [Ver = 2, 2, 1067, 0 | Size = 916072 bytes | Created Date = 12/8/2007 12:25:17 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\fsbl.exe:Zone.Identifier ->
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 12/2/2007 7:12:14 PM | Attr = ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 11/30/2007 9:29:59 PM | Attr = ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ -> [Folder | Created Date = 11/26/2007 3:01:33 AM | Attr = H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Created Date = 11/26/2007 3:03:23 AM | Attr = H ]
$NtUninstallKB939653$ -> %SystemRoot%\$NtUninstallKB939653$ -> [Folder | Created Date = 11/26/2007 3:02:18 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Created Date = 11/26/2007 3:01:57 AM | Attr = H ]
$NtUninstallKB943460$ -> %SystemRoot%\$NtUninstallKB943460$ -> [Folder | Created Date = 11/26/2007 3:03:42 AM | Attr = H ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 140288 bytes | Created Date = 12/2/2007 7:11:30 PM | Attr = ]
DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP -> %SystemRoot%\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP -> [Folder | Created Date = 11/27/2007 8:29:39 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 12/2/2007 7:14:59 PM | Attr = ]
msoffice.ini -> %SystemRoot%\msoffice.ini -> [Ver = | Size = 2 bytes | Created Date = 11/25/2007 8:40:02 PM | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 12/2/2007 7:11:30 PM | Attr = ]
TEMP -> %SystemRoot%\TEMP -> [Folder | Created Date = 12/7/2007 11:28:13 PM | Attr = ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Created Date = 11/25/2007 2:25:49 PM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 11/27/2007 6:58:42 PM | Attr = ]
guard32.dll -> %System32%\guard32.dll -> [Ver = | Size = 139008 bytes | Created Date = 11/26/2007 11:28:47 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 11/27/2007 6:57:22 PM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 12/2/2007 7:11:30 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 12/2/2007 7:11:30 PM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 12/2/2007 7:11:30 PM | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3946 bytes | Created Date = 11/27/2007 6:03:17 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 11/27/2007 6:57:22 PM | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 12/2/2007 7:11:30 PM | Attr = ]
ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 11/27/2007 6:58:41 PM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Created Date = 11/26/2007 11:08:00 PM | Attr = ]
avg7rsw.sys -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Created Date = 11/26/2007 11:08:05 PM | Attr = ]
avg7rsxp.sys -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Created Date = 11/26/2007 11:08:06 PM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 11/26/2007 11:23:55 PM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 11/26/2007 11:08:09 PM | Attr = ]
avgmfx86.sys -> %System32%\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.473 | Size = 19904 bytes | Created Date = 11/26/2007 11:08:07 PM | Attr = ]
avgtdi.sys -> %System32%\drivers\avgtdi.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,346 | Size = 4960 bytes | Created Date = 11/26/2007 11:08:07 PM | Attr = ]
cmdGuard.sys -> %System32%\drivers\cmdGuard.sys -> COMODO [Ver = 3.0.11.239 built by: WinDDK | Size = 79096 bytes | Created Date = 11/26/2007 11:28:47 PM | Attr = ]
cmdhlp.sys -> %System32%\drivers\cmdhlp.sys -> COMODO [Ver = 3.0.11.239 built by: WinDDK | Size = 23672 bytes | Created Date = 11/26/2007 11:28:47 PM | Attr = ]
inspect.sys -> %System32%\drivers\inspect.sys -> COMODO [Ver = 3.0.11.239 | Size = 74616 bytes | Created Date = 11/26/2007 11:28:47 PM | Attr = ]
hosts.20071127-171453.backup -> %System32%\drivers\etc\hosts.20071127-171453.backup -> [Ver = | Size = 734 bytes | Created Date = 11/27/2007 5:14:59 PM | Attr = ]
hosts.20071127-171553.backup -> %System32%\drivers\etc\hosts.20071127-171553.backup -> [Ver = | Size = 213351 bytes | Created Date = 11/27/2007 5:15:53 PM | Attr = R ]

[Files/Folders - Modified Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [Folder | Modified Date = 12/5/2007 3:25:24 AM | Attr = RH ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 12/7/2007 11:28:16 PM | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 12/8/2007 12:27:20 AM | Attr = ]
dell -> %SystemDrive%\dell -> [Folder | Modified Date = 12/2/2007 9:34:20 PM | Attr = ]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 12/8/2007 12:07:44 AM | Attr = ]
fsbl.exe -> %SystemDrive%\fsbl.exe -> F-Secure Corporation [Ver = 2, 2, 1067, 0 | Size = 916072 bytes | Modified Date = 12/8/2007 12:25:28 AM | Attr = ]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\fsbl.exe:Zone.Identifier ->
MDT -> %SystemDrive%\MDT -> [Folder | Modified Date = 12/13/2007 12:48:02 AM | Attr = ]
My Games -> %SystemDrive%\My Games -> [Folder | Modified Date = 11/25/2007 8:36:26 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 12/8/2007 1:12:40 AM | Attr = ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 12/7/2007 11:26:04 PM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Modified Date = 11/27/2007 12:43:16 PM | Attr = HS]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 11/27/2007 10:21:20 AM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 11/30/2007 9:54:10 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 12/13/2007 12:47:36 AM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 12/11/2007 10:17:58 PM | Attr = H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ -> [Folder | Modified Date = 11/26/2007 3:01:36 AM | Attr = H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Modified Date = 11/26/2007 3:03:26 AM | Attr = H ]
$NtUninstallKB939653$ -> %SystemRoot%\$NtUninstallKB939653$ -> [Folder | Modified Date = 11/26/2007 3:02:24 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Modified Date = 11/26/2007 3:02:00 AM | Attr = H ]
$NtUninstallKB943460$ -> %SystemRoot%\$NtUninstallKB943460$ -> [Folder | Modified Date = 11/26/2007 3:03:44 AM | Attr = H ]
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 11/27/2007 7:24:02 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 12/13/2007 12:52:14 AM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 140288 bytes | Modified Date = 11/27/2007 3:58:12 AM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 12/8/2007 3:36:26 PM | Attr = ]
DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP -> %SystemRoot%\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP -> [Folder | Modified Date = 12/13/2007 12:32:34 AM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 11/27/2007 6:57:16 PM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 12/2/2007 7:15:00 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1943 bytes | Modified Date = 11/26/2007 10:48:24 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 12/12/2007 5:10:30 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 12/8/2007 12:31:44 AM | Attr = HS]
msoffice.ini -> %SystemRoot%\msoffice.ini -> [Ver = | Size = 2 bytes | Modified Date = 11/25/2007 8:40:04 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 12/13/2007 12:41:30 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 12/8/2007 1:00:24 AM | Attr = H ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 12/8/2007 1:17:38 AM | Attr = ]
security -> %SystemRoot%\security -> [Folder | Modified Date = 11/25/2007 5:30:56 PM | Attr = ]
setupapi.log.0.old -> %SystemRoot%\setupapi.log.0.old -> [Ver = | Size = 1025331 bytes | Modified Date = 12/8/2007 12:13:20 AM | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 11/27/2007 7:27:06 PM | Attr = ]
system -> %SystemRoot%\system -> [Folder | Modified Date = 11/26/2007 11:06:28 PM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 12/7/2007 11:26:10 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 12/13/2007 12:32:36 AM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 11/26/2007 10:52:10 PM | Attr = S]
TEMP -> %SystemRoot%\TEMP -> [Folder | Modified Date = 12/13/2007 12:47:42 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 536 bytes | Modified Date = 11/25/2007 8:41:28 PM | Attr = ]
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [Ver = | Size = 284 bytes | Modified Date = 12/6/2007 4:16:02 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 12/13/2007 12:51:12 AM | Attr = H ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 11/27/2007 7:27:10 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 12/12/2007 5:08:22 PM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 12/2/2007 7:16:30 PM | Attr = ]
dla -> %System32%\dla -> [Folder | Modified Date = 11/27/2007 7:27:34 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 11/26/2007 3:10:06 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 12/7/2007 11:25:50 PM | Attr = ]
E97025690D.sys -> %System32%\E97025690D.sys -> [Ver = | Size = 88 bytes | Modified Date = 11/30/2007 7:41:34 AM | Attr = RHS]
guard32.dll -> %System32%\guard32.dll -> [Ver = | Size = 139008 bytes | Modified Date = 11/26/2007 11:28:48 PM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 11/27/2007 6:57:24 PM | Attr = ]
KGyGaAvL.sys -> %System32%\KGyGaAvL.sys -> [Ver = | Size = 3766 bytes | Modified Date = 11/30/2007 7:41:40 AM | Attr = HS]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3946 bytes | Modified Date = 11/27/2007 6:28:50 PM | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 11/27/2007 6:57:24 PM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 11/27/2007 7:28:48 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 11/25/2007 10:56:44 AM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 11/26/2007 11:08:02 PM | Attr = ]
avg7rsw.sys -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 11/26/2007 11:08:06 PM | Attr = ]
avg7rsxp.sys -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 11/26/2007 11:08:08 PM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 11/26/2007 11:08:12 PM | Attr = ]
avgmfx86.sys -> %System32%\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.473 | Size = 19904 bytes | Modified Date = 11/26/2007 11:08:08 PM | Attr = ]
avgtdi.sys -> %System32%\drivers\avgtdi.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,346 | Size = 4960 bytes | Modified Date = 11/26/2007 11:08:08 PM | Attr = ]
cmdGuard.sys -> %System32%\drivers\cmdGuard.sys -> COMODO [Ver = 3.0.11.239 built by: WinDDK | Size = 79096 bytes | Modified Date = 11/26/2007 11:28:48 PM | Attr = ]
cmdhlp.sys -> %System32%\drivers\cmdhlp.sys -> COMODO [Ver = 3.0.11.239 built by: WinDDK | Size = 23672 bytes | Modified Date = 11/26/2007 11:28:48 PM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 12/2/2007 7:18:50 PM | Attr = ]
inspect.sys -> %System32%\drivers\inspect.sys -> COMODO [Ver = 3.0.11.239 | Size = 74616 bytes | Modified Date = 11/26/2007 11:28:48 PM | Attr = ]
hosts.20071127-171453.backup -> %System32%\drivers\etc\hosts.20071127-171453.backup -> [Ver = | Size = 734 bytes | Modified Date = 11/25/2007 5:27:40 PM | Attr = ]
hosts.20071127-171553.backup -> %System32%\drivers\etc\hosts.20071127-171553.backup -> [Ver = | Size = 213351 bytes | Modified Date = 11/27/2007 5:15:00 PM | Attr = R ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\fsbl.exe:Zone.Identifier ->
abetterinternet.com , web-nex , ad-w-a-r-e.com , -> %SystemDrive%\rapport.txt -> [Ver = | Size = 213700 bytes | Modified Date = 11/27/2007 6:29:08 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/4/2004 5:00:00 AM | Attr = ]
USERTRUST , -> %System32%\guard32.dll -> [Ver = | Size = 139008 bytes | Modified Date = 11/26/2007 11:28:48 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/4/2004 5:00:00 AM | Attr = ]
Thawte Consulting , -> %System32%\XceedFtp.dll -> Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 1.1.129.0 | Size = 279392 bytes | Modified Date = 8/31/2005 10:35:40 AM | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.498 | Size = 821856 bytes | Modified Date = 11/26/2007 11:08:02 PM | Attr = ]
abetterinternet.com , web-nex , ad-w-a-r-e.com , -> %System32%\drivers\etc\hosts.20071127-171553.backup -> [Ver = | Size = 213351 bytes | Modified Date = 11/27/2007 5:15:00 PM | Attr = R ]

< End of report >

Edited by spunks3, 13 December 2007 - 01:18 AM.


#15 MoNsTeReNeRgY22

MoNsTeReNeRgY22

    1337 Malware Destroyer


  • Members
  • 611 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:59 AM

Posted 14 December 2007 - 12:42 AM

Hello again,

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.






