

Virtumondo Infection - Posted Hjt Log File


  • This topic is locked
6 replies to this topic

#1 mtnbay

mtnbay

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 03 December 2007 - 02:10 PM

I have tried just about everything to get rid of Virtumondo and it keeps coming back. I also get popups on my desktop even when I am not in a browser. Any help would be greatly appreciated.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:31 AM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common" Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [c451b494] "rundll32.exe" "C:\WINDOWS\system32\geaoskji.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188176391312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188176327453
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9599 bytes


#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:12 PM

Posted 03 December 2007 - 02:34 PM

Hello mtnbay and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

I see that you are running two antivirus programs on your computer. It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time. Please uninstall one of them, either AVG, or Norton.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Note: If you don't have HijackThis installed on your computer, dss will prompt you to download and install it for you, please allow this to happen!

In your next post please include the following reports:
  • VundoFix report
  • dss scan reports main.txt and extra.txt
Let me know how things went.

Regards,
SNOWHITE
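As an added example (not code from this thread, from HijackThis or from Deckard's System Scanner): a small Python triage pass over lines shaped like the HijackThis log posted above and the DSS "Files created" report SNOWHITE asks for. The sample lines are constructed here (the two "(file missing)" entries and all DSS file names are made up), and the heuristics (random-looking system32 DLL names loaded by rundll32, O20 hooks, "(no name)" BHOs, autostarts pointing at missing files, several DLLs sharing one byte size) are my assumptions: they mark entries worth a helper's look, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis log in post #1. The O2 and
# Winlogon Notify "(file missing)" lines are invented to show that case.
HJT_SAMPLE = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\abcdefgh.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [c451b494] "rundll32.exe" "C:\WINDOWS\system32\geaoskji.dll",b
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: ijklm - C:\WINDOWS\system32\ijklm.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Constructed sample in the shape of a DSS "Files created" section; every
# file name and size below is made up for the example.
DSS_SAMPLE = r"""
2007-12-03 01:06:32 86080 --a------ C:\WINDOWS\system32\qwzxcvbn.dll
2007-12-03 00:05:54 86080 --a------ C:\WINDOWS\system32\plmoknij.dll
2007-12-02 21:55:12 86080 --a------ C:\WINDOWS\system32\yhnujmik.dll
2007-12-01 11:45:29 86080 -----n--- C:\WINDOWS\system32\tgbrfvde.dll
2007-11-23 10:45:56 83520 --a------ C:\WINDOWS\system32\zaqxswcd.dll
2007-11-21 14:30:56 185344 --a------ C:\WINDOWS\system32\hpfinst.dll <Not Verified; Hewlett-Packard; hp photosmart>
2007-12-02 22:23:20 0 d-------- C:\Program Files\SpyCatcher
"""

# A DLL in system32 whose base name is 5-8 plain lowercase letters.
RANDOM_DLL = re.compile(r"\\system32\\([a-z]{5,8}\.dll)\b", re.IGNORECASE)

# "<date> <time> <size> <attrs> <path> [<version info>]"
DSS_LINE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (.+?)(?: <.*>)?$")


def triage_hjt(log_text):
    """Return (line, reasons) pairs for HijackThis entries that merit review."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # "O2", "O4", "O20", ...
        reasons = []
        if "(file missing)" in line:
            reasons.append("autostart points at a file that no longer exists")
        if section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a name")
        if section == "O4" and "rundll32.exe" in line.lower() and RANDOM_DLL.search(line):
            reasons.append("rundll32 loads a random-looking DLL from system32")
        if section == "O20":
            reasons.append("O20 hook injects a DLL into every process or into winlogon")
        if reasons:
            hits.append((line, "; ".join(reasons)))
    return hits


def size_clusters(dss_text, min_count=3):
    """Group system32 DLLs from a DSS file list by byte size.

    Returns {size: [paths]} for sizes shared by at least min_count DLLs;
    a run of freshly created DLLs of identical size is worth a look."""
    by_size = defaultdict(list)
    for line in dss_text.splitlines():
        m = DSS_LINE.match(line.strip())
        if not m:
            continue
        size, attrs, path = int(m.group(2)), m.group(3), m.group(4)
        if attrs.startswith("d") or not path.lower().endswith(".dll"):
            continue  # skip directories and non-DLL files
        if "\\system32\\" not in path.lower():
            continue
        by_size[size].append(path)
    return {s: p for s, p in by_size.items() if len(p) >= min_count}


if __name__ == "__main__":
    for line, why in triage_hjt(HJT_SAMPLE):
        print(f"REVIEW: {line}\n        {why}")
    for size, paths in size_clusters(DSS_SAMPLE).items():
        print(f"{len(paths)} DLLs of {size} bytes: {', '.join(paths)}")
```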

#3 mtnbay

mtnbay
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 03 December 2007 - 03:32 PM

Snow White, thank you for your reply. I uninstalled AVG as requested. Here is where I am at now. A file named jkkll.dll keeps popping up again and again even after multiple removals. Here are my logs.



Deckard's System Scanner v20071014.68
Run by dj on 2007-12-03 12:22:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
127: 2007-12-03 20:22:49 UTC - RP559 - Deckard's System Scanner Restore Point
126: 2007-12-03 20:09:58 UTC - RP558 - Installed AVG 7.5
125: 2007-12-03 20:06:15 UTC - RP557 - Removed AVG 7.5
124: 2007-12-03 00:35:22 UTC - RP556 - System Checkpoint
123: 2007-12-02 00:22:18 UTC - RP555 - Installed Windows XP KB926239.


-- First Restore Point --
1: 2007-11-16 21:46:24 UTC - RP433 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as dj.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:26 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\dj\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\dj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F92E9705-546D-4BD2-A451-9EE8B6B1B679} - C:\WINDOWS\system32\skxsxsgs.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common" Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [c451b494] "rundll32.exe" "C:\WINDOWS\system32\geaoskji.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188176391312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188176327453
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9918 bytes

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Achernar (Achernar - Storage Filter Drivers) - c:\windows\system32\drivers\achernar.sys <Not Verified; An Chen Computer Co., Ltd.; Achernar>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 Aldebaran (Aldebaran - Storage Filter Drivers) - c:\windows\system32\drivers\aldebaran.sys <Not Verified; An Chen Computer Co., Ltd.; Aldebaran>
R3 GoProto (GoProto Protocol Driver) - c:\windows\system32\drivers\goprot51.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics Network Module>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 SndTDriverV32 - c:\windows\system32\drivers\sndtdriverv32.sys <Not Verified; Windows ® 2000/XP; Windows ® 2000/XP Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: TI Technologies Inc.
Description: RADEON X300 SE 128MB HyperMemory Secondary
Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1603E009&0&0108
Manufacturer: ATI Technologies Inc.
Name: RADEON X300 SE 128MB HyperMemory Secondary
PNP Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1603E009&0&0108
Service: ati2mtag

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_0D49&PID_3210\603010019334
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_0D49&PID_3210\603010019334
Service: USBSTOR


-- Scheduled Tasks -------------------------------------------------------------

2007-12-03 12:13:13 264 --a------ C:\WINDOWS\Tasks\HP Usg Login.job
2007-12-03 12:13:10 264 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2007-12-03 07:28:48 574 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - dj.job
2007-12-03 05:00:14 1702 --a------ C:\WINDOWS\Tasks\wrSpySweeper_L94129405544B41ED822BA7A8AB3BE024.job
2007-12-01 07:42:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-03 and 2007-12-03 -----------------------------

2007-12-03 08:29:11 0 d--h----- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Templates
2007-12-03 08:29:11 0 dr------- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Start Menu
2007-12-03 08:29:11 0 dr-h----- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\SendTo
2007-12-03 08:29:11 0 d--h----- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Recent
2007-12-03 08:29:11 0 d--h----- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\PrintHood
2007-12-03 08:29:11 0 d--h----- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\NetHood
2007-12-03 08:29:11 0 d-------- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\My Documents
2007-12-03 08:29:11 0 d--h----- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Local Settings
2007-12-03 08:29:11 0 d-------- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Favorites
2007-12-03 08:29:11 0 d-------- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Desktop
2007-12-03 08:29:11 0 d---s---- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Cookies
2007-12-03 08:29:11 0 dr-h----- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Application Data
2007-12-03 08:29:11 0 d---s---- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Application Data\Microsoft
2007-12-03 08:29:11 0 d-------- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Application Data\Gtek
2007-12-03 08:29:10 372736 --a------ C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\NTUSER.DAT
2007-12-03 01:06:32 86080 --a------ C:\WINDOWS\system32\geaoskji.dll
2007-12-03 00:05:54 86080 --a------ C:\WINDOWS\system32\qurrvtcw.dll
2007-12-02 23:24:11 0 d-------- C:\Documents and Settings\dj\Application Data\Tenebril
2007-12-02 22:23:52 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Tenebril
2007-12-02 22:23:22 40960 --a-s---- C:\WINDOWS\system32\ProcessKiller.dll
2007-12-02 22:23:21 0 d-------- C:\WINDOWS\system32\tenarchlib
2007-12-02 22:23:21 180224 --a-s---- C:\WINDOWS\system32\archlib.dll <Not Verified; Tenebril Incorporated; Tenebril architecture technology>
2007-12-02 22:23:20 0 d-------- C:\Program Files\SpyCatcher
2007-12-02 21:55:12 86080 --a------ C:\WINDOWS\system32\rkerfwjh.dll
2007-12-02 18:42:18 0 d-------- C:\VundoFix Backups
2007-12-01 15:27:48 0 d-------- C:\Program Files\Rhapsody
2007-12-01 11:45:29 86080 -----n--- C:\WINDOWS\system32\trawholu.dll
2007-12-01 10:42:59 86080 -----n--- C:\WINDOWS\system32\fenabxjp.dll
2007-12-01 09:37:44 86080 -----n--- C:\WINDOWS\system32\gaxmqklh.dll
2007-12-01 08:32:51 86080 -----n--- C:\WINDOWS\system32\hsiqeerl.dll
2007-12-01 07:27:19 86080 --a------ C:\WINDOWS\system32\vusfleqh.dll
2007-12-01 07:24:49 86080 -----n--- C:\WINDOWS\system32\qiuiyqfq.dll
2007-12-01 06:22:26 86080 -----n--- C:\WINDOWS\system32\jjmbtcjw.dll
2007-12-01 06:19:50 86080 -----n--- C:\WINDOWS\system32\bjrchtdt.dll
2007-12-01 05:17:16 86080 -----n--- C:\WINDOWS\system32\vovetygx.dll
2007-12-01 05:14:25 86080 -----n--- C:\WINDOWS\system32\pnyfibdl.dll
2007-12-01 04:11:42 86080 -----n--- C:\WINDOWS\system32\dqjwfobu.dll
2007-12-01 04:09:07 86080 -----n--- C:\WINDOWS\system32\tgnkitcr.dll
2007-12-01 03:06:16 86080 -----n--- C:\WINDOWS\system32\buuxwwdd.dll
2007-12-01 03:03:42 86080 -----n--- C:\WINDOWS\system32\duraycjg.dll
2007-12-01 02:01:27 86080 -----n--- C:\WINDOWS\system32\yedkbbsj.dll
2007-12-01 01:01:26 86080 -----n--- C:\WINDOWS\system32\icxnkkba.dll
2007-12-01 00:58:48 86080 -----n--- C:\WINDOWS\system32\rmcyomhk.dll
2007-12-01 00:01:27 86080 -----n--- C:\WINDOWS\system32\hrfrotfo.dll
2007-11-30 22:58:26 86080 -----n--- C:\WINDOWS\system32\kordndde.dll
2007-11-30 21:55:28 86080 -----n--- C:\WINDOWS\system32\ydtcimoo.dll
2007-11-30 20:55:27 86080 -----n--- C:\WINDOWS\system32\iuososgg.dll
2007-11-30 19:52:28 86080 -----n--- C:\WINDOWS\system32\ltcgouqi.dll
2007-11-30 18:52:28 86080 -----n--- C:\WINDOWS\system32\mxsrumca.dll
2007-11-30 17:52:26 86080 -----n--- C:\WINDOWS\system32\qslgigvn.dll
2007-11-30 16:52:26 86080 -----n--- C:\WINDOWS\system32\qagmgmga.dll
2007-11-30 15:49:26 86080 -----n--- C:\WINDOWS\system32\wkbffbjv.dll
2007-11-30 14:46:19 86080 -----n--- C:\WINDOWS\system32\lnrhedjw.dll
2007-11-30 13:43:36 86080 -----n--- C:\WINDOWS\system32\tukyvlrj.dll
2007-11-30 12:38:30 86080 --a------ C:\WINDOWS\system32\eqpckhyq.dll
2007-11-30 12:36:02 86080 -----n--- C:\WINDOWS\system32\stmvrdof.dll
2007-11-30 11:34:00 86080 -----n--- C:\WINDOWS\system32\qcaksqjs.dll
2007-11-30 11:31:01 86080 --a------ C:\WINDOWS\system32\fjopcrme.dll
2007-11-30 10:28:42 86080 -----n--- C:\WINDOWS\system32\lcbdjgcv.dll
2007-11-30 10:26:12 86080 -----n--- C:\WINDOWS\system32\vdgkbubh.dll
2007-11-30 09:23:38 86080 -----n--- C:\WINDOWS\system32\ojshrebx.dll
2007-11-30 09:21:05 86080 -----n--- C:\WINDOWS\system32\tvgqchai.dll
2007-11-29 21:22:14 86080 --a------ C:\WINDOWS\system32\pkxwgbsv.dll
2007-11-28 21:21:32 86080 --a------ C:\WINDOWS\system32\sotestuo.dll
2007-11-25 21:13:04 86080 --a------ C:\WINDOWS\system32\jcgfjtwe.dll
2007-11-25 03:15:06 775892 ---hs---- C:\WINDOWS\system32\spkputpr.ini2
2007-11-24 21:07:53 86080 --a------ C:\WINDOWS\system32\rptupkps.dll
2007-11-23 21:07:07 86080 --a------ C:\WINDOWS\system32\mjlqmcxk.dll
2007-11-23 18:19:03 0 d-------- C:\Documents and Settings\dj\Application Data\U3
2007-11-23 10:45:56 83520 --a------ C:\WINDOWS\system32\hqhkrkcn.dll
2007-11-23 10:45:36 90176 --a------ C:\WINDOWS\system32\kukkurqu.dll
2007-11-23 02:40:28 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SecTaskMan
2007-11-23 02:40:15 0 d-------- C:\Program Files\Security Task Manager
2007-11-22 21:05:44 86080 --a------ C:\WINDOWS\system32\olavwgxs.dll
2007-11-22 20:51:51 0 d-------- C:\Program Files\HP Photosmart 11
2007-11-21 16:37:37 0 d-------- C:\Program Files\ValuSoft
2007-11-21 14:32:02 0 d-------- C:\WINDOWS\system32\NtmsData
2007-11-21 14:31:02 249856 --a------ C:\WINDOWS\system32\hphsav04.exe <Not Verified; Hewlett-Packard; hp photosmart>
2007-11-21 14:31:02 348160 --a------ C:\WINDOWS\system32\hphmon04.exe <Not Verified; Hewlett-Packard; hp photosmart>
2007-11-21 14:31:02 36864 --a------ C:\WINDOWS\hpfsched.exe
2007-11-21 14:30:56 69632 -----n--- C:\WINDOWS\system32\hpodinet.dll <Not Verified; ; hpodinet Module>
2007-11-21 14:30:56 185344 --a------ C:\WINDOWS\system32\hpfinst.dll <Not Verified; Hewlett-Packard; hp photosmart>
2007-11-21 10:42:23 0 d-------- C:\Program Files\Trend Micro
2007-11-21 10:03:53 0 d-------- C:\Documents and Settings\Madeline\Application Data\Gtek
2007-11-21 10:03:53 0 d-------- C:\Documents and Settings\Default User.WINDOWS\Application Data\Gtek
2007-11-21 10:01:10 1851546 --a------ C:\WINDOWS\system32\gdql_lsa.dll <Not Verified; Linksys, a Division of Cisco Systems, Inc.; QDiagLib Module>
2007-11-21 10:01:08 29184 --a------ C:\WINDOWS\system32\drivers\goprot51.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics Network Module>
2007-11-21 10:00:58 135168 --a------ C:\WINDOWS\system32\GoProto.dll <Not Verified; Linksys, a Division of Cisco Systems, Inc.; Gteko Ltd GoProto>
2007-11-21 10:00:53 6656 --a------ C:\WINDOWS\system32\DLPT2.sys <Not Verified; GTek Technologies Ltd.; QDiag>
2007-11-21 10:00:53 6977 --a------ C:\WINDOWS\system32\DDMI2.sys <Not Verified; Gteko Ltd.; DDMI>
2007-11-21 10:00:52 0 d-------- C:\Program Files\Linksys EasyLink Advisor
2007-11-16 14:58:20 0 d-------- C:\Program Files\AVI MPEG RM WMV Splitter
2007-11-16 13:46:12 441746 --ahs---- C:\WINDOWS\system32\npqss.ini2
2007-11-16 13:46:05 326240 --a------ C:\WINDOWS\system32\ssqpn.dll
2007-11-16 13:42:33 0 d-------- C:\WINDOWS\system32\fibagbia
2007-11-16 13:36:57 0 d-------- C:\Program Files\Nwoqenez
2007-11-16 13:36:46 0 d-------- C:\Program Files\dgjepkji


-- Find3M Report ---------------------------------------------------------------

2007-12-03 12:24:47 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-01 17:13:52 4 --a------ C:\WINDOWS\system32\C06931
2007-12-01 15:28:47 0 d-------- C:\Program Files\Real
2007-12-01 15:27:20 0 d-------- C:\Documents and Settings\dj\Application Data\Real
2007-12-01 14:24:53 0 d-------- C:\Program Files\Common Files
2007-11-23 18:32:40 0 d-------- C:\Documents and Settings\dj\Application Data\Azureus
2007-11-22 16:29:31 0 d-------- C:\Documents and Settings\dj\Application Data\AVG7
2007-11-21 14:36:50 0 d-------- C:\Program Files\Hewlett-Packard
2007-11-21 10:03:53 0 d--h----- C:\Documents and Settings\dj\Application Data\GTek
2007-11-19 18:22:10 0 d-------- C:\Program Files\Winamp
2007-11-15 16:49:02 0 d-------- C:\Program Files\Norton Internet Security
2007-10-28 12:07:11 0 d-------- C:\Documents and Settings\dj\Application Data\Adobe
2007-10-28 11:52:56 0 d-------- C:\Program Files\Common Files\Adobe
2007-10-27 22:58:58 0 d-------- C:\Program Files\Azureus
2007-10-21 07:58:42 0 d-------- C:\Documents and Settings\dj\Application Data\Share-to-Web Upload Folder
2007-10-06 14:29:08 0 d-------- C:\Program Files\Azureus Ultra Accelerator
2007-09-22 09:25:53 4096 --a------ C:\WINDOWS\d3dx.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F92E9705-546D-4BD2-A451-9EE8B6B1B679}]
C:\WINDOWS\system32\skxsxsgs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 12:56 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 10:59 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 07:51 PM]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [10/16/2007 12:05 PM]
"c451b494"="rundll32.exe" [08/04/2004 12:56 AM C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [06/21/2007 05:57 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [04/02/2006 08:07 PM]

C:\Documents and Settings\dj\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [12/2/2007 10:23:24 PM]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [12/2/2007 10:23:23 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkll]
C:\WINDOWS\system32\jkkll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqpn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp instant support.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hp instant support.lnk
backup=C:\WINDOWS\pss\hp instant support.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dj^Start Menu^Programs^Startup^Azureus Ultra Accelerator.lnk]
path=C:\Documents and Settings\dj\Start Menu\Programs\Startup\Azureus Ultra Accelerator.lnk
backup=C:\WINDOWS\pss\Azureus Ultra Accelerator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dj^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\dj\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dj^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\dj\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c451b494]
rundll32.exe "C:\WINDOWS\system32\olavwgxs.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common" Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dgjepkji]
"rundll32.exe" "C:\Program Files\dgjepkji\dgrotwvk.dll",Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
"C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxcvkjyd]
regsvr32 /u "C:\Documents and Settings\All Users.WINDOWS\Application Data\kxcvkjyd.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
"C:\Program Files\SecCenter\scprot4.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\LaunchU3.exe -a

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-12-03 12:26:46 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 1022.07 MiB / 568.05 MiB
Pagefile Memory (total/avail): 2459.27 MiB / 2074.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.47 MiB

C: is Fixed (NTFS) - 144.32 GiB total, 48.92 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is CDROM (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE5 -

\\.\PHYSICALDRIVE0 - SAMSUNG HD160JJ/P - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 144.32 GiB - C:
\PARTITION2 - Unknown - 4.64 GiB

\\.\PHYSICALDRIVE1 - TEAC USB HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntivirusOverride is set.

FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\dj\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DJ-KZJTYJLP6FRW
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\dj
LOGONSERVER=\\DJ-KZJTYJLP6FRW
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\dj\LOCALS~1\Temp
TMP=C:\DOCUME~1\dj\LOCALS~1\Temp
USERDOMAIN=DJ-KZJTYJLP6FRW
USERNAME=dj
USERPROFILE=C:\Documents and Settings\dj
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

dj (admin)
Madeline
Administrator.DJ-KZJTYJLP6FRW (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Acrobat 8 Professional - English, Français, Deutsch --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Contribute CS3 --> C:\Program Files\Common Files\Adobe\Installers\c4c00451d35772e88ad87152169b2f3\Setup.exe
Adobe Contribute CS3 --> MsiExec.exe /I{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Dreamweaver CS3 --> C:\Program Files\Common Files\Adobe\Installers\7328fdfcb73660ec8b11d5a3d5c6232\Setup.exe
Adobe Dreamweaver CS3 --> MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\5bc0f8414ec36c555a3e7e5ec2e225e\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{1BCEA516-B4C5-4B2D-BFA0-AB7910BAD862}
Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3 --> C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Setup --> MsiExec.exe /I{0650BB10-BCF4-400A-85EE-04097E3046C6}
Adobe Setup --> MsiExec.exe /I{11C10759-3BCC-4BF4-8EE6-9B545CB00E32}
Adobe Setup --> MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Setup --> MsiExec.exe /I{D504303A-717D-414C-BA9F-FE01093E2EF8}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
BlackBerry Desktop Software 4.2.1 --> MsiExec.exe /I{F804AE2A-92AD-4189-B8B1-7D4207F7AB13}
BlackBerry Desktop Software 4.2.1 --> MsiExec.exe /i{F804AE2A-92AD-4189-B8B1-7D4207F7AB13}
Bookworm Adventures (remove only) --> "C:\Program Files\Yahoo! Games\Bookworm Adventures\Uninstall.exe"
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Chicken Invaders 3 Free Trial --> "C:\Program Files\ChickenInvaders3_at\unins000.exe"
CoffeeCup Free DHTML Menu Builder --> C:\PROGRA~1\COFFEE~1\DHTMLM~1\UNWISE.EXE C:\PROGRA~1\COFFEE~1\DHTMLM~1\sitemapper.log
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Power Burner --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{22B63674-C542-4CE0-8016-A1FE3C919B82} /l1033
EPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\setup.exe" -l0x9 -UnInstall
EPSON Event Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48F22622-1CC2-4A83-9C1E-644DD96F832D}\Setup.exe" -l0x9 -u
EPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Perf 3490 3590 Guide --> C:\Program Files\epson\guide\perf_3490_3590_e\uninstall.exe
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp instant support --> C:\PROGRA~1\HEWLET~1\HPINST~1\Uninstall.exe CeS
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® PRO Network Connections Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Linksys EasyLink Advisor 1.5 (1010) --> rundll32 C:\PROGRA~1\LINKSY~1\AUInst.dll,ExUninstall
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Fireworks MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Macromedia FreeHand 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D826618-59C6-11D4-976E-00C04F8EEB39}\Setup.exe" UNINSTALL
MagicDisc 2.5.74 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
Merriam-Webster's SPELL-JAM (remove only) --> "C:\Program Files\Yahoo! Games\Merriam-Webster's SPELL-JAM\Uninstall.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Nero 6 Enterprise Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Fast CD-Burning Plug-in --> C:\WINDOWS\UnWMPBurn.exe /UNINSTALL
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_0_0_86\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Pantheon (remove only) --> "C:\Program Files\Yahoo! Games\Pantheon\Uninstall.exe"
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Photosmart 130,230,7150,7345,7350,7550 (Remove only) --> C:\Program Files\HP Photosmart 11\Printer\hphuni04.exe
Pokémon Masters Arena --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ValuSoft\Pokemon\DeIsL1.isu"
Pop-Up Stopper Free Edition --> C:\PROGRA~1\PANICW~1\POP-UP~1\UNWISE.EXE C:\PROGRA~1\PANICW~1\POP-UP~1\INSTALL.LOG
PowerDVD Ultra --> "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -l0x000409 /z-uninstall
Presto! BizCard 4.1 Eng --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NewSoft\BizCard 4.1 Eng\Uninst.isu" -c"C:\WINDOWS\StiRegstEng.dll"
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Snapshot Viewer --> C:\Program Files\Snapshot Viewer\Setup\Setup.exe /T snap90.stf
SoundTaxi 1.3.5 --> "C:\Program Files\SoundTaxi\unins000.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpyCatcher Express 2007 --> "C:\Program Files\SpyCatcher\unins000.exe"
Symantec Technical Support Web Controls --> MsiExec.exe /X{C4868E88-F5B5-4E45-9592-C7062BD97441}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
ThinkTanks (remove only) --> "C:\Program Files\BraveTree\ThinkTanks\uninst-tt.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Word Slinger --> C:\PROGRA~1\YAHOO!~1\WORDSL~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!~1\WORDSL~1\INSTALL.LOG
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type11514 / Error
Event Submitted/Written: 12/03/2007 11:51:54 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ctfmon.exe, version 5.1.2600.2180, faulting module msctf.dll, version 5.1.2600.2180, fault address 0x00034743.
Processing media-specific event for [ctfmon.exe!ws!]

Event Record #/Type11454 / Error
Event Submitted/Written: 12/03/2007 08:36:16 AM
Event ID/Source: 1000 / Windows Product Activation
Event Description:
An error occurred while the wizard was checking the current Windows product license. Error Code: 4 0x80070005

Event Record #/Type11361 / Error
Event Submitted/Written: 12/01/2007 04:49:47 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rhapsody.exe, version 4.0.2.359, faulting module clntcore.dll, version 10.0.0.6302, fault address 0x00108ab4.
Processing media-specific event for [rhapsody.exe!ws!]

Event Record #/Type11360 / Error
Event Submitted/Written: 12/01/2007 04:34:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application rhapsody.exe, version 4.0.2.359, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type11359 / Error
Event Submitted/Written: 12/01/2007 04:04:14 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type52691 / Error
Event Submitted/Written: 12/03/2007 00:21:03 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type52690 / Error
Event Submitted/Written: 12/03/2007 00:21:03 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type52689 / Error
Event Submitted/Written: 12/03/2007 00:21:03 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type52671 / Error
Event Submitted/Written: 12/03/2007 00:19:09 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type52670 / Error
Event Submitted/Written: 12/03/2007 00:19:09 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.



-- End of Deckard's System Scanner: finished at 2007-12-03 12:26:46 ------------


VundoFix V6.5.10

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 6:42:18 PM 12/2/2007

Listing files found while scanning....

C:\WINDOWS\system32\iaijmwct.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak2
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\llkkj.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.bak2
C:\WINDOWS\system32\llkkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\llkkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.tmp
C:\WINDOWS\system32\llkkj.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 8:21:52 AM 12/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\jkkll.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 8:43:09 AM 12/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\jkkll.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.10

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 11:53:46 AM 12/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\jkkll.dll

Beginning removal...

Performing Repairs to the registry.
Done!

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:07:12 PM

Posted 03 December 2007 - 03:48 PM

mtnbay,

Please follow the steps below exactly in the order they are written:

1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.
Post back with ComboFix report and new Hijackthis report. Let me know how things go.

Regards,
SNOWHITE

#5 mtnbay

mtnbay
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:12 AM

Posted 03 December 2007 - 08:29 PM

OK, here are my ComboFix and HijackThis logs:



ComboFix 07-12-02.6 - dj 2007-12-03 13:49:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.534 [GMT -8:00]
Running from: C:\Documents and Settings\dj\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abkknxci.ini
C:\WINDOWS\system32\acmursxm.ini
C:\WINDOWS\system32\agmgmgaq.ini
C:\WINDOWS\system32\bjrchtdt.dll
C:\WINDOWS\system32\buuxwwdd.dll
C:\WINDOWS\system32\ddwwxuub.tmp
C:\WINDOWS\system32\dqjwfobu.dll
C:\WINDOWS\system32\duraycjg.dll
C:\WINDOWS\system32\eddndrok.ini
C:\WINDOWS\system32\emrcpojf.ini
C:\WINDOWS\system32\eqpckhyq.dll
C:\WINDOWS\system32\ewtjfgcj.ini
C:\WINDOWS\system32\fenabxjp.dll
C:\WINDOWS\system32\fjopcrme.dll
C:\WINDOWS\system32\fodrvmts.ini
C:\WINDOWS\system32\gaxmqklh.dll
C:\WINDOWS\system32\geaoskji.dll
C:\WINDOWS\system32\ggsosoui.ini
C:\WINDOWS\system32\gjcyarud.ini
C:\WINDOWS\system32\hbubkgdv.ini
C:\WINDOWS\system32\hjwfrekr.ini
C:\WINDOWS\system32\hlkqmxag.ini
C:\WINDOWS\system32\hqelfsuv.ini
C:\WINDOWS\system32\hqhkrkcn.dll
C:\WINDOWS\system32\hrfrotfo.dll
C:\WINDOWS\system32\hsiqeerl.dll
C:\WINDOWS\system32\iahcqgvt.ini
C:\WINDOWS\system32\icxnkkba.dll
C:\WINDOWS\system32\ijksoaeg.ini
C:\WINDOWS\system32\iquogctl.ini
C:\WINDOWS\system32\iuososgg.dll
C:\WINDOWS\system32\jcgfjtwe.dll
C:\WINDOWS\system32\jjmbtcjw.dll
C:\WINDOWS\system32\jrlvykut.ini
C:\WINDOWS\system32\jsbbkdey.ini
C:\WINDOWS\system32\khmoycmr.ini
C:\WINDOWS\system32\kordndde.dll
C:\WINDOWS\system32\kxcmqljm.ini
C:\WINDOWS\system32\lcbdjgcv.dll
C:\WINDOWS\system32\ldbifynp.ini
C:\WINDOWS\system32\lnrhedjw.dll
C:\WINDOWS\system32\lreeqish.ini
C:\WINDOWS\system32\ltcgouqi.dll
C:\WINDOWS\system32\mjlqmcxk.dll
C:\WINDOWS\system32\mxsrumca.dll
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\nvgiglsq.ini
C:\WINDOWS\system32\oftorfrh.ini
C:\WINDOWS\system32\ojshrebx.dll
C:\WINDOWS\system32\olavwgxs.dll
C:\WINDOWS\system32\oomictdy.ini
C:\WINDOWS\system32\outsetos.ini
C:\WINDOWS\system32\pjxbanef.ini
C:\WINDOWS\system32\pkxwgbsv.dll
C:\WINDOWS\system32\pnyfibdl.dll
C:\WINDOWS\system32\qagmgmga.dll
C:\WINDOWS\system32\qcaksqjs.dll
C:\WINDOWS\system32\qfqyiuiq.ini
C:\WINDOWS\system32\qiuiyqfq.dll
C:\WINDOWS\system32\qslgigvn.dll
C:\WINDOWS\system32\qurrvtcw.dll
C:\WINDOWS\system32\qyhkcpqe.ini
C:\WINDOWS\system32\rctikngt.ini
C:\WINDOWS\system32\rkerfwjh.dll
C:\WINDOWS\system32\rmcyomhk.dll
C:\WINDOWS\system32\rptupkps.dll
C:\WINDOWS\system32\sjqskacq.ini
C:\WINDOWS\system32\sotestuo.dll
C:\WINDOWS\system32\spkputpr.ini
C:\WINDOWS\system32\spkputpr.ini2
C:\WINDOWS\system32\spkputpr.tmp
C:\WINDOWS\system32\ssqpn.dll
C:\WINDOWS\system32\stmvrdof.dll
C:\WINDOWS\system32\sxgwvalo.ini
C:\WINDOWS\system32\tdthcrjb.ini
C:\WINDOWS\system32\tgnkitcr.dll
C:\WINDOWS\system32\trawholu.dll
C:\WINDOWS\system32\tukyvlrj.dll
C:\WINDOWS\system32\tvgqchai.dll
C:\WINDOWS\system32\ubofwjqd.ini
C:\WINDOWS\system32\ulohwart.ini
C:\WINDOWS\system32\vcgjdbcl.ini
C:\WINDOWS\system32\vdgkbubh.dll
C:\WINDOWS\system32\vjbffbkw.ini
C:\WINDOWS\system32\vovetygx.dll
C:\WINDOWS\system32\vsbgwxkp.ini
C:\WINDOWS\system32\vusfleqh.dll
C:\WINDOWS\system32\wctvrruq.ini
C:\WINDOWS\system32\wjctbmjj.ini
C:\WINDOWS\system32\wjdehrnl.ini
C:\WINDOWS\system32\wkbffbjv.dll
C:\WINDOWS\system32\xberhsjo.ini
C:\WINDOWS\system32\xgytevov.ini
C:\WINDOWS\system32\ydtcimoo.dll
C:\WINDOWS\system32\yedkbbsj.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-03 12:22 . 2007-12-03 12:22 <DIR> d-------- C:\Deckard
2007-12-03 08:29 . 2007-11-21 10:03 <DIR> d-------- C:\Documents and Settings\Administrator.DJ-KZJTYJLP6FRW\Application Data\Gtek
2007-12-02 23:24 . 2007-12-02 23:24 <DIR> d-------- C:\Documents and Settings\dj\Application Data\Tenebril
2007-12-02 23:00 . 2007-12-02 23:00 354 --ahs---- C:\WINDOWS\system32\fcjaotmk.ini
2007-12-02 22:57 . 2007-12-02 22:58 294 --ahs---- C:\WINDOWS\system32\sitcduet.ini
2007-12-02 22:23 . 2007-12-02 22:23 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-12-02 22:23 . 2007-12-02 22:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Tenebril
2007-12-02 22:23 . 2005-10-12 23:10 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-12-02 21:52 . 2007-12-02 21:52 796,904 --ahs---- C:\WINDOWS\system32\adjrmlbu.ini
2007-12-02 20:50 . 2007-12-02 20:50 796,844 --ahs---- C:\WINDOWS\system32\gvhkftwn.ini
2007-12-02 20:47 . 2007-12-02 20:48 796,784 --ahs---- C:\WINDOWS\system32\uvjtgsan.ini
2007-12-02 19:45 . 2007-12-02 20:32 796,742 --ahs---- C:\WINDOWS\system32\jcuvjkqf.ini
2007-12-02 18:42 . 2007-12-03 11:53 <DIR> d-------- C:\VundoFix Backups
2007-12-02 18:39 . 2007-12-02 19:45 796,622 --ahs---- C:\WINDOWS\system32\rnwndido.ini
2007-12-02 17:34 . 2007-12-02 18:39 796,562 --ahs---- C:\WINDOWS\system32\vabcoryb.ini
2007-12-02 16:29 . 2007-12-02 17:34 796,502 --ahs---- C:\WINDOWS\system32\gafusiog.ini
2007-12-02 16:26 . 2007-12-02 16:29 796,433 --ahs---- C:\WINDOWS\system32\duiwnvau.ini
2007-12-02 15:23 . 2007-12-02 16:26 796,373 --ahs---- C:\WINDOWS\system32\luppfiwj.ini
2007-12-02 15:21 . 2007-12-02 15:23 796,313 --ahs---- C:\WINDOWS\system32\xhqgnvpa.ini
2007-12-02 14:18 . 2007-12-02 15:21 796,253 --ahs---- C:\WINDOWS\system32\hgarrhhw.ini
2007-12-02 14:16 . 2007-12-02 14:18 796,193 --ahs---- C:\WINDOWS\system32\smocxaqx.tmp
2007-12-02 14:16 . 2007-12-02 14:18 796,193 --ahs---- C:\WINDOWS\system32\smocxaqx.ini
2007-12-02 13:14 . 2007-12-02 14:16 796,133 --ahs---- C:\WINDOWS\system32\axelidng.ini
2007-12-02 12:08 . 2007-12-02 12:08 796,073 --ahs---- C:\WINDOWS\system32\lmvdgvae.ini
2007-12-02 12:05 . 2007-12-02 12:06 796,013 --ahs---- C:\WINDOWS\system32\xaiaabdv.ini
2007-12-02 11:03 . 2007-12-02 11:03 795,953 --ahs---- C:\WINDOWS\system32\icbdtpgo.ini
2007-12-02 11:01 . 2007-12-02 11:01 795,893 --ahs---- C:\WINDOWS\system32\vahywdyn.ini
2007-12-02 11:01 . 2007-12-02 11:01 795,833 --ahs---- C:\WINDOWS\system32\tekcdncp.tmp
2007-12-02 09:58 . 2007-12-02 09:58 795,833 --ahs---- C:\WINDOWS\system32\tekcdncp.ini
2007-12-02 09:55 . 2007-12-02 09:55 795,773 --ahs---- C:\WINDOWS\system32\strtrwjh.ini
2007-12-02 08:52 . 2007-12-02 08:52 795,713 --ahs---- C:\WINDOWS\system32\mgmrpqfw.ini
2007-12-02 08:49 . 2007-12-02 08:49 795,653 --ahs---- C:\WINDOWS\system32\qfseimpi.ini
2007-12-02 07:47 . 2007-12-02 07:47 795,593 --ahs---- C:\WINDOWS\system32\fmsktgix.ini
2007-12-02 07:44 . 2007-12-02 07:44 795,533 --ahs---- C:\WINDOWS\system32\uicylopp.ini
2007-12-02 06:41 . 2007-12-02 06:41 795,473 --ahs---- C:\WINDOWS\system32\ndtlcgrm.ini
2007-12-02 06:38 . 2007-12-02 06:39 795,413 --ahs---- C:\WINDOWS\system32\icsumhwp.ini
2007-12-02 05:35 . 2007-12-02 05:36 795,353 --ahs---- C:\WINDOWS\system32\uwprvchn.ini
2007-12-02 05:33 . 2007-12-02 05:33 795,293 --ahs---- C:\WINDOWS\system32\lhoicsxo.ini
2007-12-02 04:29 . 2007-12-02 04:30 795,233 --ahs---- C:\WINDOWS\system32\knjiunfa.ini
2007-12-02 04:26 . 2007-12-02 04:27 795,173 --ahs---- C:\WINDOWS\system32\udtdjknw.ini
2007-12-02 03:23 . 2007-12-02 04:27 795,113 --ahs---- C:\WINDOWS\system32\xplhyqid.ini
2007-12-02 03:21 . 2007-12-02 03:21 795,053 --ahs---- C:\WINDOWS\system32\rcdiagkd.ini
2007-12-02 02:18 . 2007-12-02 02:18 794,993 --ahs---- C:\WINDOWS\system32\owjvbqyt.ini
2007-12-02 02:15 . 2007-12-02 02:16 794,933 --ahs---- C:\WINDOWS\system32\mdxxstny.ini
2007-12-02 01:13 . 2007-12-02 01:13 794,873 --ahs---- C:\WINDOWS\system32\rlhqcyfp.ini
2007-12-02 00:08 . 2007-12-02 00:08 794,813 --ahs---- C:\WINDOWS\system32\nhmxyvob.ini
2007-12-02 00:05 . 2007-12-02 00:06 794,753 --ahs---- C:\WINDOWS\system32\vdftolio.ini
2007-12-01 23:03 . 2007-12-01 23:05 794,693 --ahs---- C:\WINDOWS\system32\xlwsgkox.ini
2007-12-01 21:58 . 2007-12-01 21:58 794,624 --ahs---- C:\WINDOWS\system32\hbxfncwt.ini
2007-12-01 21:55 . 2007-12-01 21:55 794,564 --ahs---- C:\WINDOWS\system32\balslnfo.ini
2007-12-01 21:30 . 2007-12-01 21:31 794,504 --ahs---- C:\WINDOWS\system32\antjbifl.ini
2007-12-01 21:28 . 2007-12-01 21:28 794,444 --ahs---- C:\WINDOWS\system32\igechyis.ini
2007-12-01 20:26 . 2007-12-01 20:37 794,393 --ahs---- C:\WINDOWS\system32\vfbecbos.ini
2007-12-01 19:20 . 2007-12-01 19:20 794,324 --ahs---- C:\WINDOWS\system32\clswojwb.ini
2007-12-01 19:18 . 2007-12-01 19:18 794,264 --ahs---- C:\WINDOWS\system32\hebdkcsi.ini
2007-12-01 18:15 . 2007-12-01 18:15 794,204 --ahs---- C:\WINDOWS\system32\mihoworb.ini
2007-12-01 18:12 . 2007-12-01 18:13 794,144 --ahs---- C:\WINDOWS\system32\tepweldd.ini
2007-12-01 17:10 . 2007-12-01 17:10 794,084 --ahs---- C:\WINDOWS\system32\bnbxndid.ini
2007-12-01 16:05 . 2007-12-01 16:05 794,024 --ahs---- C:\WINDOWS\system32\xtsjabov.ini
2007-12-01 15:27 . 2007-12-01 15:31 <DIR> d-------- C:\Program Files\Rhapsody
2007-12-01 11:48 . 2007-12-01 15:54 793,964 --ahs---- C:\WINDOWS\system32\nwxuygxv.ini
2007-11-28 14:42 . 2007-11-28 13:37 294 --ahs---- C:\WINDOWS\system32\ocdwihhn.ini
2007-11-27 21:19 . 2007-11-28 03:13 294 --ahs---- C:\WINDOWS\system32\ocdwihhn.tmp
2007-11-23 18:19 . 2007-11-23 18:32 <DIR> d-------- C:\Documents and Settings\dj\Application Data\U3
2007-11-23 10:45 . 2007-11-23 10:46 775,832 --ahs---- C:\WINDOWS\system32\hhwroisw.ini
2007-11-23 10:45 . 2007-11-23 10:45 90,176 --a------ C:\WINDOWS\system32\kukkurqu.dll
2007-11-23 02:40 . 2007-11-23 02:40 <DIR> d-------- C:\Program Files\Security Task Manager
2007-11-23 02:40 . 2007-11-23 02:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SecTaskMan
2007-11-22 20:56 . 2007-11-25 22:43 564 --a------ C:\hpfr5550.xml
2007-11-22 20:51 . 2007-11-22 20:52 <DIR> d-------- C:\Program Files\HP Photosmart 11
2007-11-22 16:36 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-22 16:07 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-21 16:37 . 2007-11-21 16:37 <DIR> d-------- C:\Program Files\ValuSoft
2007-11-21 16:37 . 2007-11-26 20:24 377 --a------ C:\WINDOWS\PokeMon.ini
2007-11-21 14:32 . 2007-11-21 14:32 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-21 14:31 . 2006-01-06 11:07 348,160 --a------ C:\WINDOWS\system32\hphmon04.exe
2007-11-21 14:31 . 2006-01-06 11:07 249,856 --a------ C:\WINDOWS\system32\hphsav04.exe
2007-11-21 14:31 . 2006-01-06 11:07 50,896 --a------ C:\WINDOWS\system32\drivers\hphid411.sys
2007-11-21 14:31 . 2006-01-06 11:07 50,276 --a------ C:\WINDOWS\system32\drivers\hphs2k11.sys
2007-11-21 14:31 . 2006-01-06 11:07 36,864 --a------ C:\WINDOWS\hpfsched.exe
2007-11-21 14:31 . 2006-01-06 11:07 18,928 --a------ C:\WINDOWS\system32\drivers\hphius11.sys
2007-11-21 14:31 . 2006-01-06 11:07 16,112 --a------ C:\WINDOWS\system32\drivers\hphipr11.sys
2007-11-21 14:30 . 2007-11-22 20:48 <DIR> d-------- C:\Temp\photosmart
2007-11-21 14:30 . 2006-01-06 11:07 356,352 --a------ C:\WINDOWS\system32\Hphc3204.dll
2007-11-21 14:30 . 2006-01-06 11:07 270,336 --a------ C:\WINDOWS\system32\hpzcon07.dll
2007-11-21 14:30 . 2006-01-06 11:07 208,896 --a------ C:\WINDOWS\system32\hpzcoi07.dll
2007-11-21 14:30 . 2006-01-06 11:07 185,344 --a------ C:\WINDOWS\system32\hpfinst.dll
2007-11-21 14:30 . 2006-01-06 11:07 98,304 --a------ C:\WINDOWS\system32\hphidr11.dll
2007-11-21 14:30 . 2006-01-06 11:07 81,920 --a------ C:\WINDOWS\system32\hphipr11.dll
2007-11-21 14:30 . 2006-01-06 11:07 77,824 --a------ C:\WINDOWS\system32\hphipm11.exe
2007-11-21 14:30 . 2006-01-06 11:07 69,632 --a------ C:\WINDOWS\system32\hpodinet.dll
2007-11-21 14:30 . 2006-01-06 11:07 4,760 --------- C:\WINDOWS\hphmdl11.dat
2007-11-21 10:42 . 2007-11-21 10:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-21 10:03 . 2007-11-21 18:15 <DIR> d-------- C:\Documents and Settings\Madeline\Application Data\Gtek
2007-11-21 10:03 . 2007-11-21 10:03 <DIR> d-------- C:\Documents and Settings\Default User.WINDOWS\Application Data\Gtek
2007-11-21 10:01 . 2006-04-02 16:52 1,851,546 --a------ C:\WINDOWS\system32\gdql_lsa.dll
2007-11-21 10:01 . 2006-01-16 22:08 683,150 --a------ C:\WINDOWS\system32\qdiaglsa.ocx
2007-11-21 10:01 . 2007-11-23 10:40 29,184 --a------ C:\WINDOWS\system32\drivers\goprot51.sys
2007-11-21 10:00 . 2007-11-28 10:10 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2007-11-21 10:00 . 2005-08-30 12:23 208,896 --a------ C:\WINDOWS\system32\GTDownLS_125.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 22:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-03 20:09 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-12-01 23:28 --------- d-----w C:\Program Files\Real
2007-11-30 22:23 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2007-11-27 04:10 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2007-11-24 02:32 --------- d-----w C:\Documents and Settings\dj\Application Data\Azureus
2007-11-23 00:29 --------- d-----w C:\Documents and Settings\dj\Application Data\AVG7
2007-11-22 02:16 --------- d-----w C:\Documents and Settings\Madeline\Application Data\AVG7
2007-11-21 22:36 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-21 18:04 --------- d--ha-w C:\Documents and Settings\All Users.WINDOWS\Application Data\GTek
2007-11-21 18:03 --------- d--h--w C:\Documents and Settings\dj\Application Data\GTek
2007-11-20 02:22 --------- d-----w C:\Program Files\Winamp
2007-11-16 00:49 --------- d-----w C:\Program Files\Norton Internet Security
2007-10-28 19:52 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-28 06:58 --------- d-----w C:\Program Files\Azureus
2007-10-21 15:58 --------- d-----w C:\Documents and Settings\dj\Application Data\Share-to-Web Upload Folder
2007-10-06 22:29 --------- d-----w C:\Program Files\Azureus Ultra Accelerator
2007-08-26 23:01 561 ----a-w C:\Program Files\Uninstall Rhapsody.lnk
2007-08-26 23:01 535 ----a-w C:\Program Files\Update Windows Components.lnk
2007-08-26 23:01 535 ----a-w C:\Program Files\Delete Helix Licenses.lnk
2007-08-26 23:01 525 ----a-w C:\Program Files\Update Helix Components.lnk
2007-08-26 23:01 17,544 ----a-w C:\Program Files\INSTALL.LOG
2007-08-26 22:18 17,883 ----a-w C:\Program Files\install.001
2007-08-07 02:01 188,682 ----a-w C:\Program Files\WiseUpd2.exe
2007-08-07 02:01 1,522,683 ----a-w C:\Program Files\rhapsody.rsk
2007-08-06 23:51 671,744 ----a-w C:\Program Files\xviews.dll
2007-08-05 20:43 201,480 ----a-w C:\Program Files\language.xml
2007-06-21 23:40 86,016 ----a-w C:\Program Files\wpdhelper.dll
2007-06-02 09:20 733,184 ----a-w C:\Program Files\dtdr3260.dll
2007-06-02 09:19 39,424 ----a-w C:\Program Files\mmcdda32.dll
2007-06-02 09:19 102,400 ----a-w C:\Program Files\gdihelpr.dll
2007-06-02 09:18 372,736 ----a-w C:\Program Files\dbclient.exe
2007-06-02 09:16 192,512 ----a-w C:\Program Files\RhapDrmClean.exe
2007-06-02 09:13 13,824 ----a-w C:\Program Files\pnrs3260.dll
2007-06-02 09:00 53,248 ----a-w C:\Program Files\rnlog.dll
2007-03-27 18:28 245,760 ----a-w C:\Program Files\Uninstall Ask Toolbar.dll
2007-02-21 20:58 4,636 ----a-w C:\Program Files\print.htm
2007-01-31 00:32 266,240 ----a-w C:\Program Files\RhapSupport.exe
2006-09-12 21:50 1,901 ----a-w C:\Program Files\BackupDRMFolder.bat
2005-10-21 00:03 568 ----a-w C:\Program Files\fpsectbl
2005-04-22 02:20 5,344 ----a-w C:\Program Files\Unwise32.ini
2005-04-22 02:20 162,304 ----a-w C:\Program Files\Unwise32.exe
2005-01-06 01:45 719,360 ----a-w C:\Program Files\dbghelp.dll
2004-12-17 21:20 499,712 ----a-w C:\Program Files\msvcp71.dll
2004-12-17 21:20 348,160 ----a-w C:\Program Files\msvcr71.dll
2004-05-04 01:08 331,776 ----a-w C:\Program Files\CDDBRealControl.dll
2002-03-15 22:55 352,256 ----a-w C:\Program Files\xmencmp3.dll
2001-06-22 23:31 278,528 ----a-w C:\Program Files\pncrt.dll
2007-04-12 07:09 1,379,167 --sha-w C:\WINDOWS\system32\kjkkj.bak2
2007-04-12 07:44 1,377,351 --sha-w C:\WINDOWS\system32\kjkkj.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F92E9705-546D-4BD2-A451-9EE8B6B1B679}]
C:\WINDOWS\system32\skxsxsgs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 20:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:56]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkll]
C:\WINDOWS\system32\jkkll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp instant support.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\hp instant support.lnk
backup=C:\WINDOWS\pss\hp instant support.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dj^Start Menu^Programs^Startup^Azureus Ultra Accelerator.lnk]
path=C:\Documents and Settings\dj\Start Menu\Programs\Startup\Azureus Ultra Accelerator.lnk
backup=C:\WINDOWS\pss\Azureus Ultra Accelerator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dj^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\dj\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dj^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\dj\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-22 23:24 620152 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-02-09 21:05 344064 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c451b494]
rundll32.exe C:\WINDOWS\system32\olavwgxs.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dgjepkji]
rundll32.exe C:\Program Files\dgjepkji\dgrotwvk.dll,Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2005-04-08 14:09 102400 --------- C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-06 11:07 188416 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
2006-01-06 11:07 348160 --a------ C:\WINDOWS\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 09:36 256576 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxcvkjyd]
regsvr32 /u C:\Documents and Settings\All Users.WINDOWS\Application Data\kxcvkjyd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-02-07 15:21 54832 --------- C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-04-14 16:56 1957888 --------- C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
2006-09-05 17:22 26248 --a------ C:\Program Files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
2005-03-17 10:10 536576 --a------ C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-14 20:01 71216 --------- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
C:\Program Files\SecCenter\scprot4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 --a------ C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-21 19:38 68856 --a------ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R0 Achernar;Achernar - Storage Filter Drivers;C:\WINDOWS\system32\Drivers\Achernar.sys
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R3 Aldebaran;Aldebaran - Storage Filter Drivers;\??\C:\WINDOWS\system32\Drivers\Aldebaran.sys
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 15:42:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-04 01:19:18 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2007-12-04 01:19:18 C:\WINDOWS\Tasks\HP Usg Login.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2007-12-03 15:28:48 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - dj.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exep/TASK:
"2007-12-03 13:00:14 C:\WINDOWS\Tasks\wrSpySweeper_L94129405544B41ED822BA7A8AB3BE024.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_L94129405544B41ED822BA7A8AB3BE024
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 17:19:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-03 17:21:30 - machine was rebooted
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:51 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F92E9705-546D-4BD2-A451-9EE8B6B1B679} - C:\WINDOWS\system32\skxsxsgs.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common" Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188176391312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188176327453
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9550 bytes

#6 SNOWHITE


    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 03 December 2007 - 10:16 PM

mtnbay,

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\fcjaotmk.ini
C:\WINDOWS\system32\sitcduet.ini
C:\WINDOWS\system32\adjrmlbu.ini
C:\WINDOWS\system32\gvhkftwn.ini
C:\WINDOWS\system32\uvjtgsan.ini
C:\WINDOWS\system32\jcuvjkqf.ini
C:\WINDOWS\system32\rnwndido.ini
C:\WINDOWS\system32\vabcoryb.ini
C:\WINDOWS\system32\gafusiog.ini
C:\WINDOWS\system32\duiwnvau.ini
C:\WINDOWS\system32\luppfiwj.ini
C:\WINDOWS\system32\xhqgnvpa.ini
C:\WINDOWS\system32\hgarrhhw.ini
C:\WINDOWS\system32\smocxaqx.tmp
C:\WINDOWS\system32\smocxaqx.ini
C:\WINDOWS\system32\axelidng.ini
C:\WINDOWS\system32\lmvdgvae.ini
C:\WINDOWS\system32\xaiaabdv.ini
C:\WINDOWS\system32\icbdtpgo.ini
C:\WINDOWS\system32\vahywdyn.ini
C:\WINDOWS\system32\tekcdncp.tmp
C:\WINDOWS\system32\tekcdncp.ini
C:\WINDOWS\system32\strtrwjh.ini
C:\WINDOWS\system32\mgmrpqfw.ini
C:\WINDOWS\system32\qfseimpi.ini
C:\WINDOWS\system32\fmsktgix.ini
C:\WINDOWS\system32\uicylopp.ini
C:\WINDOWS\system32\ndtlcgrm.ini
C:\WINDOWS\system32\icsumhwp.ini
C:\WINDOWS\system32\uwprvchn.ini
C:\WINDOWS\system32\lhoicsxo.ini
C:\WINDOWS\system32\knjiunfa.ini
C:\WINDOWS\system32\udtdjknw.ini
C:\WINDOWS\system32\xplhyqid.ini
C:\WINDOWS\system32\rcdiagkd.ini
C:\WINDOWS\system32\owjvbqyt.ini
C:\WINDOWS\system32\mdxxstny.ini
C:\WINDOWS\system32\rlhqcyfp.ini
C:\WINDOWS\system32\nhmxyvob.ini
C:\WINDOWS\system32\vdftolio.ini
C:\WINDOWS\system32\xlwsgkox.ini
C:\WINDOWS\system32\hbxfncwt.ini
C:\WINDOWS\system32\balslnfo.ini
C:\WINDOWS\system32\antjbifl.ini
C:\WINDOWS\system32\igechyis.ini
C:\WINDOWS\system32\vfbecbos.ini
C:\WINDOWS\system32\clswojwb.ini
C:\WINDOWS\system32\hebdkcsi.ini
C:\WINDOWS\system32\mihoworb.ini
C:\WINDOWS\system32\tepweldd.ini
C:\WINDOWS\system32\bnbxndid.ini
C:\WINDOWS\system32\xtsjabov.ini
C:\WINDOWS\system32\nwxuygxv.ini
C:\WINDOWS\system32\ocdwihhn.ini
C:\WINDOWS\system32\ocdwihhn.tmp
C:\WINDOWS\system32\hhwroisw.ini
C:\WINDOWS\system32\kukkurqu.dll
C:\WINDOWS\system32\kjkkj.bak2
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\skxsxsgs.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\olavwgxs.dll
C:\Documents and Settings\All Users.WINDOWS\Application Data\kxcvkjyd.dll

Folder::
C:\Program Files\dgjepkji
C:\Program Files\SecCenter

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F92E9705-546D-4BD2-A451-9EE8B6B1B679}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkll]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c451b494]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dgjepkji]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxcvkjyd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Step #2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • J2SE Runtime Environment 5.0 Update 8
    • J2SE Runtime Environment 5.0 Update 9
    • Java™ 6 Update 2
    • Java™ SE Runtime Environment 6 Update 1

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Step #3

- Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

- Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in on your usual account.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Please post back with the ComboFix report, the AVG Anti-Spyware report if available and a new HijackThis report.

Regards,

Edited by SNOWHITE, 03 December 2007 - 10:18 PM.

SNOWHITE
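As an added example (not part of the thread and not code from HijackThis, ComboFix or any other tool named here), a small Python triage script run over an excerpt of the HijackThis log posted above. It scores each entry on the two signals the helper's CFScript targets: a hook whose module is reported "(file missing)", and a random-looking lowercase module name. The excerpt is copied from the log in this thread; the consonant-run heuristic, the weights and the threshold of 2 are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: lines copied from the HijackThis log posted in this
# thread, mixing legitimate entries with the two Vundo hooks.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F92E9705-546D-4BD2-A451-9EE8B6B1B679} - C:\WINDOWS\system32\skxsxsgs.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: jkkll - C:\WINDOWS\system32\jkkll.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")  # section prefix, rest of entry
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe|sys))", re.IGNORECASE)  # paths may contain spaces


@dataclass
class Finding:
    section: str
    path: str
    reasons: List[str]
    score: int


def longest_consonant_run(stem: str) -> int:
    """Longest run of consonants: 'skxsxsgs' -> 8, 'ctfmon' -> 4."""
    run = best = 0
    for ch in stem:
        run = 0 if ch in "aeiouy" else run + 1
        best = max(best, run)
    return best


def assess(line: str) -> Optional[Finding]:
    """Score one HijackThis entry; None for lines without a module path."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    if not pm:
        return None
    path = pm.group(1)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons, score = [], 0
    # A hook whose module is gone from disk is the classic leftover of a
    # half-removed infection: the registry entry survives and reloads on reboot.
    if "(file missing)" in body:
        reasons.append("registered module missing on disk")
        score += 2
    # "(no name)" alone is a weak hint (Spybot's SDHelper.dll is unnamed too).
    if "(no name)" in body:
        reasons.append("unnamed BHO")
        score += 1
    # Assumption: all-lowercase stems with a 4+ consonant run look machine-generated.
    if stem.isalpha() and stem.islower() and longest_consonant_run(stem) >= 4:
        reasons.append(f"random-looking module name '{stem}'")
        score += 1
    return Finding(section, path, reasons, score)


def triage(log_text: str, threshold: int = 2) -> List[Finding]:
    """Entries whose combined score reaches the threshold (assumed: 2)."""
    return [f for f in map(assess, log_text.splitlines()) if f and f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} score={f.score} {f.path}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run against the excerpt it reports only skxsxsgs.dll (O2) and jkkll.dll (O20); ctfmon.exe and the unnamed Spybot BHO each score 1 and stay below the threshold.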

#7 SNOWHITE


    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 08 December 2007 - 11:45 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE



