
Trojan/virtumonde


This topic is locked
15 replies to this topic

#1 Gilthantis

Gilthantis

  • Members
  • 52 posts

Posted 24 March 2008 - 03:00 PM

I ran through the process suggested before posting and I believe I have removed the Trojan-downloader.conhook that continued to infect my computer even after I removed it with SWdoctor about 30 times. Every time I started a file explorer or My Computer it reinstalled MS Juan in my registry. I just wanted to post my HijackThis file to see if you had any input because my CPU is still running a bit slow. Thanks for your time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:13 PM, on 3/24/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
D:\Program Files\DAP\DAP.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] "D:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [BMf305ad30] Rundll32.exe "C:\WINNT\system32\qoycgukl.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yayawvw - C:\WINNT\SYSTEM32\yayawvw.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINNT\system32\windows (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 4915 bytes


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 March 2008 - 05:34 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts

Posted 24 March 2008 - 11:13 PM

ComboFix 08-03-24.1 - Administrator 03/24/2008 23:04:51.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\BMf305ad30.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\bbjwbcjp.ini
C:\WINNT\system32\biwkoohv.ini
C:\WINNT\system32\cfrsytsl.ini
C:\WINNT\system32\ddyvrktx.ini
C:\WINNT\system32\dihakwsx.ini
C:\WINNT\system32\dotjnkso.ini
C:\WINNT\system32\dxqlixmi.ini
C:\WINNT\system32\eyskonal.ini
C:\WINNT\system32\ftdxnwba.ini
C:\WINNT\system32\gjkkj.ini2
C:\WINNT\system32\hdawjelw.ini
C:\WINNT\system32\hgghfeb.dll
C:\WINNT\system32\hxaxkjda.ini
C:\WINNT\system32\isqedill.ini
C:\WINNT\system32\iwelfyfa.ini
C:\WINNT\system32\iwuyoaxv.ini
C:\WINNT\system32\jkkjg.exe
C:\WINNT\system32\jkkjigh.dll
C:\WINNT\system32\jlmianyb.ini
C:\WINNT\system32\jqahfbsn.ini
C:\WINNT\system32\khffday.dll
C:\WINNT\system32\kxceosss.ini
C:\WINNT\system32\ljjkhii.dll
C:\WINNT\system32\llrdoggn.ini
C:\WINNT\system32\lmnysoyu.ini
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\mjkoabjm.ini
C:\WINNT\system32\ocoitfbh.ini
C:\WINNT\system32\ppdofrbi.ini
C:\WINNT\system32\pspiqjxq.ini
C:\WINNT\system32\qbgodrrc.ini
C:\WINNT\system32\ruvxydnr.ini
C:\WINNT\system32\tccqmupv.ini
C:\WINNT\system32\tdomjpro.ini
C:\WINNT\system32\tnmsatgs.ini
C:\WINNT\system32\ttvwa.ini
C:\WINNT\system32\ttvwa.ini2
C:\WINNT\system32\ugefpfab.ini
C:\WINNT\system32\vacqsxvj.ini
C:\WINNT\system32\vpkbifmp.ini
C:\WINNT\system32\vtusqon.dll
C:\WINNT\system32\woyhhrlf.ini
C:\WINNT\system32\wuoqgswl.ini
C:\WINNT\system32\xnxyycdc.ini
C:\WINNT\system32\yayawvw.dll
C:\WINNT\system32\ydyfxwhc.ini
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-24 23:06 . 03-06-19 13:05 17,680 --a------ C:\WINNT\system32\CF_init.exe
2008-03-24 14:14 . 08-03-24 14:22 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-24 13:57 . 08-03-24 14:31 478 --a------ C:\WINNT\wininit.ini
2008-03-24 13:16 . 08-03-24 13:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-24 13:07 . 08-03-24 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 11:34 . 08-03-24 11:57 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-14 17:32 . 08-03-14 17:32 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-03-14 17:31 . 08-03-15 15:52 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\ijjigame
2008-03-14 16:53 . 08-03-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-03-13 18:31 . 08-03-13 18:31 215 --a------ C:\WINNT\system32\MRT.INI
2008-03-13 14:55 . 08-03-18 08:07 51 --a------ C:\WINNT\GunzLauncher.INI
2008-03-02 12:26 . 08-03-10 01:55 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-02 12:26 . 08-03-02 12:26 1,409 --a------ C:\WINNT\QTFont.for
2008-03-01 09:09 . 08-03-01 09:09 338,432 --a------ C:\WINNT\system32\RCX46A.tmp
2008-02-29 13:33 . 08-02-29 13:33 338,432 --a------ C:\WINNT\system32\RCX4AE.tmp
2008-02-28 08:58 . 08-02-28 08:58 338,432 --a------ C:\WINNT\system32\RCX6CA.tmp
2008-02-27 12:04 . 08-02-27 12:04 338,432 --a------ C:\WINNT\system32\RCX3F4A.tmp
2008-02-27 09:03 . 08-02-27 09:03 338,432 --a------ C:\WINNT\system32\RCXB73.tmp
2008-02-26 10:12 . 08-02-26 10:12 338,432 --a------ C:\WINNT\system32\RCX11.tmp
2008-02-25 09:11 . 08-02-25 09:11 338,432 --a------ C:\WINNT\system32\RCX8B2.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 20:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-24 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-03-24 19:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 19:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-04 14:41 --------- d-----w C:\Program Files\QuickTime
2008-03-04 14:40 --------- d-----w C:\Program Files\iTunes
2008-03-01 15:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-02-22 17:05 --------- d-----w C:\Program Files\Temp
2008-02-07 16:03 --------- d-----w C:\Program Files\speed-bit
2008-02-06 19:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 17:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-01-26 18:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2008-01-25 15:39 90,112 -c--a-w C:\WINNT\UpdReg .EXE
2006-11-12 05:34 271 ---h--w C:\Program Files\desktop.ini
2006-11-12 05:34 21,952 -c-h--w C:\Program Files\folder.htt
2007-12-11 22:33 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-12-11 22:33 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-12-11 22:33 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.
<pre>
----a-w			28,672 2008-02-10 08:07:25  C:\Program Files\Creative\SBLive\Program\ADGJDet .exe
----a-w		   256,576 2008-03-04 14:41:14  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			83,608 2008-01-29 16:24:34  C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
----a-w		   282,624 2008-03-04 14:41:12  C:\Program Files\QuickTime\qttask												.exe
----a-w		   648,192 2008-03-04 14:40:57  C:\Program Files\QuickTime\qttask											   .exe
----a-w		   648,192 2008-03-04 01:55:20  C:\Program Files\QuickTime\qttask											  .exe
----a-w		   648,192 2008-03-03 19:22:41  C:\Program Files\QuickTime\qttask											 .exe
----a-w		   648,192 2008-03-03 05:03:09  C:\Program Files\QuickTime\qttask											.exe
----a-w		   648,192 2008-03-03 04:59:45  C:\Program Files\QuickTime\qttask										   .exe
----a-w		   648,192 2008-03-03 04:54:51  C:\Program Files\QuickTime\qttask										  .exe
----a-w		   648,192 2008-03-03 04:45:22  C:\Program Files\QuickTime\qttask										 .exe
----a-w		   648,192 2008-03-02 18:15:45  C:\Program Files\QuickTime\qttask										.exe
----a-w		   648,192 2008-03-01 19:27:01  C:\Program Files\QuickTime\qttask									   .exe
----a-w		   648,192 2008-03-01 15:09:16  C:\Program Files\QuickTime\qttask									  .exe
----a-w		   648,192 2008-02-29 19:33:28  C:\Program Files\QuickTime\qttask									 .exe
----a-w		   648,192 2008-02-28 14:58:44  C:\Program Files\QuickTime\qttask									.exe
----a-w		   648,192 2008-02-26 16:12:56  C:\Program Files\QuickTime\qttask								   .exe
----a-w		   648,192 2008-02-25 15:11:42  C:\Program Files\QuickTime\qttask								  .exe
----a-w		   648,192 2008-02-25 02:18:21  C:\Program Files\QuickTime\qttask								 .exe
----a-w		   648,192 2008-02-23 16:25:17  C:\Program Files\QuickTime\qttask								.exe
----a-w		   648,192 2008-02-22 15:08:34  C:\Program Files\QuickTime\qttask							   .exe
----a-w		   648,192 2008-02-22 15:01:20  C:\Program Files\QuickTime\qttask							  .exe
----a-w		   648,192 2008-02-22 14:59:44  C:\Program Files\QuickTime\qttask							 .exe
----a-w		   648,192 2008-02-15 19:02:05  C:\Program Files\QuickTime\qttask							.exe
----a-w		   648,192 2008-02-14 19:23:21  C:\Program Files\QuickTime\qttask						   .exe
----a-w		   648,192 2008-02-14 18:54:16  C:\Program Files\QuickTime\qttask						  .exe
----a-w		   648,192 2008-02-13 17:48:12  C:\Program Files\QuickTime\qttask						 .exe
----a-w		   648,192 2008-02-13 15:44:45  C:\Program Files\QuickTime\qttask						.exe
----a-w		   648,192 2008-02-10 08:07:09  C:\Program Files\QuickTime\qttask					   .exe
----a-w		   648,192 2008-02-09 17:53:14  C:\Program Files\QuickTime\qttask					  .exe
----a-w		   648,192 2008-02-07 16:06:44  C:\Program Files\QuickTime\qttask					 .exe
----a-w		   648,192 2008-02-06 19:49:05  C:\Program Files\QuickTime\qttask					.exe
----a-w		   648,192 2008-02-06 18:23:29  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   648,192 2008-02-06 17:54:07  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   648,192 2008-02-06 17:45:05  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   648,192 2008-02-05 16:24:56  C:\Program Files\QuickTime\qttask				.exe
----a-w		   648,192 2008-02-02 17:14:33  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   648,192 2008-02-01 17:37:04  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   648,192 2008-01-31 17:10:05  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   648,192 2008-01-29 16:24:19  C:\Program Files\QuickTime\qttask			.exe
----a-w		   648,192 2008-01-28 20:09:10  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   648,192 2008-01-28 16:20:24  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   648,192 2008-01-27 22:58:09  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   648,192 2008-01-27 22:56:35  C:\Program Files\QuickTime\qttask		.exe
----a-w		   648,192 2008-01-26 18:47:16  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   648,192 2008-01-25 15:39:06  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   648,192 2008-01-25 05:35:26  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   648,192 2008-01-24 16:19:22  C:\Program Files\QuickTime\qttask	.exe
----a-w		   648,192 2008-01-23 17:02:24  C:\Program Files\QuickTime\qttask   .exe
----a-w		   648,192 2008-01-23 16:57:20  C:\Program Files\QuickTime\qttask  .exe
----a-w		   648,192 2008-01-23 03:17:29  C:\Program Files\QuickTime\qttask .exe
----a-w		25,268,776 2008-03-01 15:10:16  C:\Program Files\Skype\Phone\Skype .exe
-c--a-w			90,112 2008-01-25 15:39:22  C:\WINNT\UpdReg .EXE
----a-w			24,576 2008-03-13 15:10:04  C:\WINNT\system32\CTHELPER .EXE
----a-w		 1,626,112 2008-03-13 15:10:03  C:\WINNT\system32\nwiz .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [07-03-23 12:49 2526776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 111376 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [07-04-19 13:26 7700480]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [07-04-19 13:26 86016]
"DownloadAccelerator"="D:\Program Files\DAP\DAP.exe" [07-12-04 11:08 4568576]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [08-01-23 14:47 847872]
"BMf305ad30"="C:\WINNT\system32\qoycgukl.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayawvw]
yayawvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 08-03-04 08:40 686592 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 08-03-04 08:41 282624 C:\Program Files\QuickTime\qttask .exe

R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 13:05 ]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 06:22 ]
S3 MSControlService;Microsoft cache control;C:\WINNT\system32\windows []
S3 XDva032;XDva032;C:\WINNT\system32\XDva032.sys []

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:00:06 C:\WINNT\Tasks\RegCure Program Check.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-03-20 19:36:57 C:\WINNT\Tasks\RegCure.job"
- D:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 23:09:16
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSControlService]
"ImagePath"="C:\WINNT\system32\windows"
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
.
**************************************************************************
.
Completion time: 2008-03-24 23:10:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-25 05:10:09
.
2008-03-14 00:31:13 --- E O F ---

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 March 2008 - 07:00 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Renv::
----a-w			28,672 2008-02-10 08:07:25  C:\Program Files\Creative\SBLive\Program\ADGJDet .exe
----a-w		   256,576 2008-03-04 14:41:14  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			83,608 2008-01-29 16:24:34  C:\Program Files\Java\jre1.6.0_01\bin\jusched .exe
----a-w		   282,624 2008-03-04 14:41:12  C:\Program Files\QuickTime\qttask												.exe
----a-w		   648,192 2008-03-04 14:40:57  C:\Program Files\QuickTime\qttask											   .exe
----a-w		   648,192 2008-03-04 01:55:20  C:\Program Files\QuickTime\qttask											  .exe
----a-w		   648,192 2008-03-03 19:22:41  C:\Program Files\QuickTime\qttask											 .exe
----a-w		   648,192 2008-03-03 05:03:09  C:\Program Files\QuickTime\qttask											.exe
----a-w		   648,192 2008-03-03 04:59:45  C:\Program Files\QuickTime\qttask										   .exe
----a-w		   648,192 2008-03-03 04:54:51  C:\Program Files\QuickTime\qttask										  .exe
----a-w		   648,192 2008-03-03 04:45:22  C:\Program Files\QuickTime\qttask										 .exe
----a-w		   648,192 2008-03-02 18:15:45  C:\Program Files\QuickTime\qttask										.exe
----a-w		   648,192 2008-03-01 19:27:01  C:\Program Files\QuickTime\qttask									   .exe
----a-w		   648,192 2008-03-01 15:09:16  C:\Program Files\QuickTime\qttask									  .exe
----a-w		   648,192 2008-02-29 19:33:28  C:\Program Files\QuickTime\qttask									 .exe
----a-w		   648,192 2008-02-28 14:58:44  C:\Program Files\QuickTime\qttask									.exe
----a-w		   648,192 2008-02-26 16:12:56  C:\Program Files\QuickTime\qttask								   .exe
----a-w		   648,192 2008-02-25 15:11:42  C:\Program Files\QuickTime\qttask								  .exe
----a-w		   648,192 2008-02-25 02:18:21  C:\Program Files\QuickTime\qttask								 .exe
----a-w		   648,192 2008-02-23 16:25:17  C:\Program Files\QuickTime\qttask								.exe
----a-w		   648,192 2008-02-22 15:08:34  C:\Program Files\QuickTime\qttask							   .exe
----a-w		   648,192 2008-02-22 15:01:20  C:\Program Files\QuickTime\qttask							  .exe
----a-w		   648,192 2008-02-22 14:59:44  C:\Program Files\QuickTime\qttask							 .exe
----a-w		   648,192 2008-02-15 19:02:05  C:\Program Files\QuickTime\qttask							.exe
----a-w		   648,192 2008-02-14 19:23:21  C:\Program Files\QuickTime\qttask						   .exe
----a-w		   648,192 2008-02-14 18:54:16  C:\Program Files\QuickTime\qttask						  .exe
----a-w		   648,192 2008-02-13 17:48:12  C:\Program Files\QuickTime\qttask						 .exe
----a-w		   648,192 2008-02-13 15:44:45  C:\Program Files\QuickTime\qttask						.exe
----a-w		   648,192 2008-02-10 08:07:09  C:\Program Files\QuickTime\qttask					   .exe
----a-w		   648,192 2008-02-09 17:53:14  C:\Program Files\QuickTime\qttask					  .exe
----a-w		   648,192 2008-02-07 16:06:44  C:\Program Files\QuickTime\qttask					 .exe
----a-w		   648,192 2008-02-06 19:49:05  C:\Program Files\QuickTime\qttask					.exe
----a-w		   648,192 2008-02-06 18:23:29  C:\Program Files\QuickTime\qttask				   .exe
----a-w		   648,192 2008-02-06 17:54:07  C:\Program Files\QuickTime\qttask				  .exe
----a-w		   648,192 2008-02-06 17:45:05  C:\Program Files\QuickTime\qttask				 .exe
----a-w		   648,192 2008-02-05 16:24:56  C:\Program Files\QuickTime\qttask				.exe
----a-w		   648,192 2008-02-02 17:14:33  C:\Program Files\QuickTime\qttask			   .exe
----a-w		   648,192 2008-02-01 17:37:04  C:\Program Files\QuickTime\qttask			  .exe
----a-w		   648,192 2008-01-31 17:10:05  C:\Program Files\QuickTime\qttask			 .exe
----a-w		   648,192 2008-01-29 16:24:19  C:\Program Files\QuickTime\qttask			.exe
----a-w		   648,192 2008-01-28 20:09:10  C:\Program Files\QuickTime\qttask		   .exe
----a-w		   648,192 2008-01-28 16:20:24  C:\Program Files\QuickTime\qttask		  .exe
----a-w		   648,192 2008-01-27 22:58:09  C:\Program Files\QuickTime\qttask		 .exe
----a-w		   648,192 2008-01-27 22:56:35  C:\Program Files\QuickTime\qttask		.exe
----a-w		   648,192 2008-01-26 18:47:16  C:\Program Files\QuickTime\qttask	   .exe
----a-w		   648,192 2008-01-25 15:39:06  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   648,192 2008-01-25 05:35:26  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   648,192 2008-01-24 16:19:22  C:\Program Files\QuickTime\qttask	.exe
----a-w		   648,192 2008-01-23 17:02:24  C:\Program Files\QuickTime\qttask   .exe
----a-w		   648,192 2008-01-23 16:57:20  C:\Program Files\QuickTime\qttask  .exe
----a-w		   648,192 2008-01-23 03:17:29  C:\Program Files\QuickTime\qttask .exe
----a-w		25,268,776 2008-03-01 15:10:16  C:\Program Files\Skype\Phone\Skype .exe
-c--a-w			90,112 2008-01-25 15:39:22  C:\WINNT\UpdReg .EXE
----a-w			24,576 2008-03-13 15:10:04  C:\WINNT\system32\CTHELPER .EXE
----a-w		 1,626,112 2008-03-13 15:10:03  C:\WINNT\system32\nwiz .exe

File::
C:\WINNT\system32\RCX46A.tmp
C:\WINNT\system32\RCX4AE.tmp
C:\WINNT\system32\RCX6CA.tmp
C:\WINNT\system32\RCX3F4A.tmp
C:\WINNT\system32\RCXB73.tmp
C:\WINNT\system32\RCX11.tmp
C:\WINNT\system32\RCX8B2.tmp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMf305ad30"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



========================================================
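The Renv:: block above lists the tell-tale pattern in this log: executables whose names were padded with spaces before the extension (dozens of qttask<spaces>.exe copies beside the real qttask.exe, plus UpdReg .EXE and others). The following Python is an added example, not code from the thread, ComboFix or BleepingComputer: it parses ComboFix's `<pre>`-style entries, flags padded names and groups the copies by their canonical name so a responder can see how many variants exist and whether their sizes differ from the original. The regexes and the sample log lines are assumptions constructed to mirror the log format shown above.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One line of the <pre> block ComboFix prints for files with embedded spaces:
#   attrs  size  date time  path
# The gaps between fields are a mix of tabs and spaces, so each is matched
# with \s+.  (Assumed format, modelled on the log posted in this thread.)
ENTRY_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)

# Whitespace sitting between a file's stem and its final extension,
# e.g. "qttask   .exe" or "UpdReg .EXE".  Only executable-type extensions matter.
PADDED_RE = re.compile(r"\S\s+\.(exe|dll|scr|com)$", re.IGNORECASE)

# Constructed sample, mirroring the shape of the Find3M <pre> block above.
SAMPLE_LOG = r"""
----a-w          28,672 2008-02-10 08:07:25  C:\Program Files\Creative\SBLive\Program\ADGJDet .exe
----a-w         282,624 2008-03-04 14:41:12  C:\Program Files\QuickTime\qttask          .exe
----a-w         648,192 2008-03-04 14:40:57  C:\Program Files\QuickTime\qttask         .exe
----a-w         648,192 2008-03-03 19:22:41  C:\Program Files\QuickTime\qttask        .exe
-c--a-w          90,112 2008-01-25 15:39:22  C:\WINNT\UpdReg .EXE
----a-w       1,626,112 2008-03-13 15:10:03  C:\WINNT\system32\nwiz.exe
"""


@dataclass(frozen=True)
class Entry:
    attrs: str
    size: int
    timestamp: str
    path: str

    @property
    def basename(self) -> str:
        # Windows path: the file name is everything after the last backslash.
        return self.path.rsplit("\\", 1)[-1]


def parse_entry(line: str) -> Entry | None:
    """Parse one log line; return None for headers, separators or <pre> tags."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return Entry(
        attrs=m["attrs"],
        size=int(m["size"].replace(",", "")),
        timestamp=f"{m['date']} {m['time']}",
        path=m["path"],
    )


def is_padded(basename: str) -> bool:
    """True when whitespace has been inserted before the file extension."""
    return PADDED_RE.search(basename) is not None


def canonical_name(basename: str) -> str:
    """Collapse 'qttask      .exe' and 'qttask .exe' to 'qttask.exe'."""
    return re.sub(r"\s+\.", ".", basename)


def find_padded_copies(log_text: str) -> dict[str, list[Entry]]:
    """Group every padded-name executable in the log by its canonical name."""
    groups: dict[str, list[Entry]] = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None and is_padded(entry.basename):
            groups[canonical_name(entry.basename)].append(entry)
    return dict(groups)


def summarize(groups: dict[str, list[Entry]]) -> list[str]:
    """One report line per canonical name: copy count and the distinct sizes seen."""
    report = []
    for name, entries in sorted(groups.items()):
        sizes = sorted({e.size for e in entries})
        report.append(f"{name}: {len(entries)} padded copy(ies), sizes {sizes}")
    return report


if __name__ == "__main__":
    for line in summarize(find_padded_copies(SAMPLE_LOG)):
        print(line)
```

Differing sizes under one canonical name (282,624 next to 648,192 for qttask.exe in the log above) are worth a second look, since the copies are not byte-identical to the legitimate file.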

#5 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts

Posted 29 March 2008 - 05:16 PM

Kaspersky report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 29, 2008 5:12:45 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 672536
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Z:\

Scan Statistics:
Total number of scanned objects: 161696
Number of viruses found: 6
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 01:38:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008032920080330\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\Downloads\Adobe Photoshop CS3 Extended + Keygen.rar/Adobe Photoshop CS3 Extended + Keygen/Keygen (Adobe).exe Infected: Trojan-Dropper.Win32.Agent.bzl skipped
C:\Documents and Settings\Administrator\My Documents\Downloads\Adobe Photoshop CS3 Extended + Keygen.rar RAR: infected - 1 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterInstance.lock Object is locked skipped
C:\Program Files\QuickTime\qttask.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Temp\setup_en.exe Infected: not-a-virus:Downloader.Win32.WinFixer.dq skipped
C:\QooBox\Quarantine\C\WINNT\system32\hgghfeb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi skipped
C:\QooBox\Quarantine\C\WINNT\system32\jkkjg.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\jkkjigh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi skipped
C:\QooBox\Quarantine\C\WINNT\system32\khffday.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi skipped
C:\QooBox\Quarantine\C\WINNT\system32\ljjkhii.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX10.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX11.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX12.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX13.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX14.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX15.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX16.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX17.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX18.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX19.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX1A.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX2E.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX31.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX3F4A.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX46A.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX4AE.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX6CA.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCX8B2.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\RCXB73.tmp.vir Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINNT\system32\vtusqon.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi skipped
C:\QooBox\Quarantine\C\WINNT\system32\yayawvw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{1666CCC1-AB5F-4B21-982E-2258B537A158}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked skipped
C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked skipped
C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd Object is locked skipped
C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\RCX102A.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX1218.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX160A.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX1614.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX1C01.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX23A8.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX27EB.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX2DD8.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX3153.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX380.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCX6E3.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCXD39.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCXDF6.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\RCXF56.tmp Infected: Virus.Win32.Trats.d skipped
C:\WINNT\Temporary Internet Files\Content.IE5\GLYR4PAF\CA0LMVCH Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
D:\Program Files\Adobe\Adobe Photoshop CS3 Extended + Keygen\Keygen (Adobe).exe Infected: Trojan-Dropper.Win32.Agent.bzl skipped
D:\Program Files\DAP\Log\DAP_REPORT.LOG Object is locked skipped
D:\Program Files\Spyware Doctor Antivirus V5.2.0 + Crack\sdsetup.exe/data0000.cab/is68680.exe Infected: Trojan.Win32.BHO.atj skipped
D:\Program Files\Spyware Doctor Antivirus V5.2.0 + Crack\sdsetup.exe/data0000.cab Infected: Trojan.Win32.BHO.atj skipped
D:\Program Files\Spyware Doctor Antivirus V5.2.0 + Crack\sdsetup.exe Rsrc-Package: infected - 2 skipped

Scan process completed.

Combofix


ComboFix 08-03-24.1 - Administrator 2008-03-25 8:24:10.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.756 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\RCX11.tmp
C:\WINNT\system32\RCX3F4A.tmp
C:\WINNT\system32\RCX46A.tmp
C:\WINNT\system32\RCX4AE.tmp
C:\WINNT\system32\RCX6CA.tmp
C:\WINNT\system32\RCX8B2.tmp
C:\WINNT\system32\RCXB73.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\RCX10.tmp
C:\WINNT\system32\RCX11.tmp
C:\WINNT\system32\RCX12.tmp
C:\WINNT\system32\RCX13.tmp
C:\WINNT\system32\RCX14.tmp
C:\WINNT\system32\RCX15.tmp
C:\WINNT\system32\RCX16.tmp
C:\WINNT\system32\RCX17.tmp
C:\WINNT\system32\RCX18.tmp
C:\WINNT\system32\RCX19.tmp
C:\WINNT\system32\RCX1A.tmp
C:\WINNT\system32\RCX2E.tmp
C:\WINNT\system32\RCX31.tmp
C:\WINNT\system32\RCX3F4A.tmp
C:\WINNT\system32\RCX46A.tmp
C:\WINNT\system32\RCX4AE.tmp
C:\WINNT\system32\RCX6CA.tmp
C:\WINNT\system32\RCX8B2.tmp
C:\WINNT\system32\RCXB73.tmp
C:\WINNT\system32\ytrsjqme.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-25 08:24 . 08-03-25 08:24 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_264.dat
2008-03-24 23:06 . 03-06-19 13:05 17,680 --a------ C:\WINNT\system32\CF_init.exe
2008-03-24 14:14 . 08-03-24 14:22 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-24 13:57 . 08-03-24 14:31 478 --a------ C:\WINNT\wininit.ini
2008-03-24 13:16 . 08-03-24 13:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-24 13:07 . 08-03-24 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 11:34 . 08-03-24 11:57 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-14 17:32 . 08-03-14 17:32 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-03-14 17:31 . 08-03-15 15:52 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\ijjigame
2008-03-14 16:53 . 08-03-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-03-13 18:31 . 08-03-13 18:31 215 --a------ C:\WINNT\system32\MRT.INI
2008-03-13 14:55 . 08-03-18 08:07 51 --a------ C:\WINNT\GunzLauncher.INI
2008-03-02 12:26 . 08-03-10 01:55 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-02 12:26 . 08-03-02 12:26 1,409 --a------ C:\WINNT\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 14:24 --------- d-----w C:\Program Files\QuickTime
2008-03-25 14:24 --------- d-----w C:\Program Files\iTunes
2008-03-25 05:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-24 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-03-24 19:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 19:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-13 15:10 24,576 ----a-w C:\WINNT\system32\CTHELPER.EXE
2008-03-13 15:10 1,626,112 ----a-w C:\WINNT\system32\nwiz.exe
2008-03-01 15:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-02-25 02:18 338,432 ----a-w C:\WINNT\system32\RCX6E3.tmp
2008-02-22 17:05 --------- d-----w C:\Program Files\Temp
2008-02-22 15:01 338,432 ----a-w C:\WINNT\system32\RCX3153.tmp
2008-02-22 14:59 338,432 ----a-w C:\WINNT\system32\RCX380.tmp
2008-02-14 19:23 338,432 ----a-w C:\WINNT\system32\RCX2DD8.tmp
2008-02-11 21:05 338,432 ----a-w C:\WINNT\system32\RCX27EB.tmp
2008-02-11 18:20 338,432 ----a-w C:\WINNT\system32\RCX23A8.tmp
2008-02-09 17:53 338,432 ----a-w C:\WINNT\system32\RCX102A.tmp
2008-02-08 16:44 338,432 ----a-w C:\WINNT\system32\RCX1C01.tmp
2008-02-07 16:06 338,432 ----a-w C:\WINNT\system32\RCXF56.tmp
2008-02-07 16:03 --------- d-----w C:\Program Files\speed-bit
2008-02-06 19:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 19:49 338,432 ----a-w C:\WINNT\system32\RCX160A.tmp
2008-02-06 18:23 338,432 ----a-w C:\WINNT\system32\RCXD39.tmp
2008-02-06 18:02 338,432 ----a-w C:\WINNT\system32\RCX1614.tmp
2008-02-06 17:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-02-06 17:54 338,432 ----a-w C:\WINNT\system32\RCX1218.tmp
2008-02-06 17:45 338,432 ----a-w C:\WINNT\system32\RCXDF6.tmp
2008-01-26 18:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DivX
2008-01-25 15:39 90,112 -c--a-w C:\WINNT\UpdReg.EXE
2006-11-12 05:34 271 ---h--w C:\Program Files\desktop.ini
2006-11-12 05:34 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
2007-12-11 22:33 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-12-11 22:33 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-12-11 22:33 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [07-03-23 12:49 2526776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 111376 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [07-04-19 13:26 7700480]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [07-04-19 13:26 86016]
"DownloadAccelerator"="D:\Program Files\DAP\DAP.exe" [07-12-04 11:08 4568576]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [08-01-23 14:47 847872]
"SDTray"="D:\Program Files\Spyware Doctor\SDTrayApp.exe" [07-10-02 16:27 1065288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayawvw]
yayawvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 08-03-04 08:41 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 13:05 ]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 06:22 ]
S3 MSControlService;Microsoft cache control;C:\WINNT\system32\windows []
S3 XDva032;XDva032;C:\WINNT\system32\XDva032.sys []

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:00:06 C:\WINNT\Tasks\RegCure Program Check.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-03-20 19:36:57 C:\WINNT\Tasks\RegCure.job"
- D:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 08:24:58
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]
"ImagePath"="C:\WINNT\system32\windows"
.
Completion time: 2008-03-25 8:25:17
ComboFix-quarantined-files.txt 2008-03-25 14:25:09
ComboFix2.txt 2008-03-25 05:10:13
.
2008-03-14 00:31:13 --- E O F ---



Sorry for the late reply, I was out of town.
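The Kaspersky report pasted above mixes three kinds of lines: files the scanner could not open ("Object is locked"), infected files, and archives containing infected members. The hits under C:\QooBox\Quarantine are copies ComboFix had already removed from the system (ComboFix stores deleted files there with a .vir suffix), so the lines that matter for further cleanup are the infected paths outside that folder. The following script is an added example, not part of this thread or of any of the tools discussed; it parses report lines of that shape and separates live hits from quarantined ones. The sample input is constructed from a handful of lines copied from the report above.

```python
"""Triage of Kaspersky Online Scanner report lines (added example).

Each report line has one of these shapes:
    <path> Object is locked skipped
    <path> Infected: <detection> skipped
    <path> <ArchiveKind>: infected - <n> skipped
The script groups infected hits by detection name and separates files that
ComboFix has already moved into its quarantine folder from files still live on
disk, which is the distinction a follow-up cleanup script has to act on.
"""
import re
from collections import defaultdict

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\S+): infected - (?P<count>\d+) skipped$")

# ComboFix keeps what it deletes under C:\QooBox\Quarantine (with a .vir suffix);
# a scanner hit there is a leftover copy, not an active infection.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

# Constructed sample: lines copied from the report posted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\Downloads\Adobe Photoshop CS3 Extended + Keygen.rar/Adobe Photoshop CS3 Extended + Keygen/Keygen (Adobe).exe Infected: Trojan-Dropper.Win32.Agent.bzl skipped
C:\Documents and Settings\Administrator\My Documents\Downloads\Adobe Photoshop CS3 Extended + Keygen.rar RAR: infected - 1 skipped
C:\Program Files\QuickTime\qttask.exe Infected: Virus.Win32.Trats.d skipped
C:\Program Files\Temp\setup_en.exe Infected: not-a-virus:Downloader.Win32.WinFixer.dq skipped
C:\QooBox\Quarantine\C\WINNT\system32\hgghfeb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi skipped
C:\QooBox\Quarantine\C\WINNT\system32\jkkjg.exe.vir Infected: Virus.Win32.Trats.d skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\RCX102A.tmp Infected: Virus.Win32.Trats.d skipped
"""


def parse_line(line):
    """Return (kind, path, detail) for a report line, or None if it is not one."""
    line = line.strip()
    m = INFECTED_RE.match(line)
    if m:
        return ("infected", m.group("path"), m.group("name"))
    m = ARCHIVE_RE.match(line)
    if m:
        return ("archive", m.group("path"), f"{m.group('kind')}: {m.group('count')} infected member(s)")
    m = LOCKED_RE.match(line)
    if m:
        return ("locked", m.group("path"), None)
    return None


def is_quarantined(path):
    """True when the path lies inside ComboFix's quarantine folder."""
    return path.lower().startswith(QUARANTINE_PREFIXES)


def triage(report_lines):
    """Group infected hits by detection, split into live and quarantined paths."""
    summary = {
        "locked": 0,
        "unrecognised": 0,
        "archives": [],
        "by_detection": defaultdict(lambda: {"live": [], "quarantined": []}),
    }
    for line in report_lines:
        parsed = parse_line(line)
        if parsed is None:
            if line.strip():
                summary["unrecognised"] += 1
            continue
        kind, path, detail = parsed
        if kind == "locked":
            summary["locked"] += 1
        elif kind == "archive":
            summary["archives"].append((path, detail))
        else:
            bucket = "quarantined" if is_quarantined(path) else "live"
            summary["by_detection"][detail][bucket].append(path)
    return summary


def live_paths(summary):
    """Sorted list of infected files still on disk outside the quarantine folder."""
    return sorted(p for d in summary["by_detection"].values() for p in d["live"])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT.splitlines())
    print(f"locked objects: {result['locked']}, infected archives: {len(result['archives'])}")
    for name, paths in sorted(result["by_detection"].items()):
        print(f"{name}: {len(paths['live'])} live, {len(paths['quarantined'])} quarantined")
    print("still live on disk:")
    for p in live_paths(result):
        print("  " + p)
```

Locked hives, event logs and browser databases are expected in this kind of report and carry no verdict; the live list is what a helper turns into the File:: section of a cleanup script, while quarantined copies only need the quarantine folder itself removed at the end.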

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 30 March 2008 - 05:26 PM

No problem. I see a few more we need to get rid of next.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Driver::
MSControlService

File::
C:\WINNT\system32\RCX1218.tmp
C:\WINNT\system32\RCXDF6.tmp
C:\WINNT\system32\RCX160A.tmp
C:\WINNT\system32\RCXD39.tmp
C:\WINNT\system32\RCX1614.tmp
C:\WINNT\system32\RCX3153.tmp
C:\WINNT\system32\RCX380.tmp
C:\WINNT\system32\RCX2DD8.tmp
C:\WINNT\system32\RCX27EB.tmp
C:\WINNT\system32\RCX23A8.tmp
C:\WINNT\system32\RCX102A.tmp
C:\WINNT\system32\RCX1C01.tmp
C:\WINNT\system32\RCXF56.tmp
C:\WINNT\system32\RCX6E3.tmp
D:\Program Files\Spyware Doctor Antivirus V5.2.0 + Crack\sdsetup.exe

Folder::
C:\Program Files\Temp

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayawvw]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts

Posted 30 March 2008 - 06:47 PM

ComboFix 08-03-24.1 - Administrator 03/30/2008 18:34:25.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.503 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\RCX102A.tmp
C:\WINNT\system32\RCX1218.tmp
C:\WINNT\system32\RCX160A.tmp
C:\WINNT\system32\RCX1614.tmp
C:\WINNT\system32\RCX1C01.tmp
C:\WINNT\system32\RCX23A8.tmp
C:\WINNT\system32\RCX27EB.tmp
C:\WINNT\system32\RCX2DD8.tmp
C:\WINNT\system32\RCX3153.tmp
C:\WINNT\system32\RCX380.tmp
C:\WINNT\system32\RCX6E3.tmp
C:\WINNT\system32\RCXD39.tmp
C:\WINNT\system32\RCXDF6.tmp
C:\WINNT\system32\RCXF56.tmp
D:\Program Files\Spyware Doctor Antivirus V5.2.0 + Crack\sdsetup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Temp
C:\Program Files\Temp\71.89_win2kxp_english.exe
C:\Program Files\Temp\AdbeRdr709_en_US.exe
C:\Program Files\Temp\big_drive_enabler.exe
C:\Program Files\Temp\CAENO9YB.exe
C:\Program Files\Temp\catacombs_to_darkness_setup.exe
C:\Program Files\Temp\dxwebsetup.exe
C:\Program Files\Temp\ie6setup.exe
C:\Program Files\Temp\Kasper scan.txt
C:\Program Files\Temp\LiveDrvUni-Pack(ENG).exe
C:\Program Files\Temp\MPSetup.exe
C:\Program Files\Temp\setup_en.exe
C:\Program Files\Temp\sp3express.exe
C:\Program Files\Temp\toa_to_catacombs_setup.exe
C:\WINNT\system32\RCX102A.tmp
C:\WINNT\system32\RCX1218.tmp
C:\WINNT\system32\RCX160A.tmp
C:\WINNT\system32\RCX1614.tmp
C:\WINNT\system32\RCX1C01.tmp
C:\WINNT\system32\RCX23A8.tmp
C:\WINNT\system32\RCX27EB.tmp
C:\WINNT\system32\RCX2DD8.tmp
C:\WINNT\system32\RCX3153.tmp
C:\WINNT\system32\RCX380.tmp
C:\WINNT\system32\RCX6E3.tmp
C:\WINNT\system32\RCXD39.tmp
C:\WINNT\system32\RCXDF6.tmp
C:\WINNT\system32\RCXF56.tmp
D:\Program Files\Spyware Doctor Antivirus V5.2.0 + Crack\sdsetup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSCONTROLSERVICE
-------\Service_MSControlService


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-25 10:28 . 07-07-30 19:19 271,224 --a------ C:\WINNT\system32\mucltui.dll
2008-03-25 10:28 . 07-07-30 19:19 30,072 --a------ C:\WINNT\system32\mucltui.dll.mui
2008-03-25 08:54 . 08-03-25 08:54 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-03-25 08:54 . 08-03-25 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-25 08:46 . 08-03-25 08:46 <DIR> d--h----- C:\WINNT\msdownld.tmp
2008-03-25 08:45 . 08-03-25 08:46 <DIR> d-------- C:\WINNT\Windows Update Setup Files
2008-03-24 23:06 . 03-06-19 13:05 17,680 --a------ C:\WINNT\system32\CF_init.exe
2008-03-24 14:14 . 08-03-24 14:22 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-03-24 13:57 . 08-03-24 14:31 478 --a------ C:\WINNT\wininit.ini
2008-03-24 13:16 . 08-03-24 13:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-24 13:07 . 08-03-24 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 11:34 . 08-03-24 11:57 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-14 17:32 . 08-03-14 17:32 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-03-14 17:31 . 08-03-15 15:52 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\ijjigame
2008-03-14 16:53 . 08-03-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-03-13 18:31 . 08-03-13 18:31 215 --a------ C:\WINNT\system32\MRT.INI
2008-03-13 14:55 . 08-03-18 08:07 51 --a------ C:\WINNT\GunzLauncher.INI
2008-03-02 12:26 . 08-03-10 01:55 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-02 12:26 . 08-03-02 12:26 1,409 --a------ C:\WINNT\QTFont.for
2008-02-06 14:00 . 03-07-20 21:17 5,174 --a------ C:\WINNT\system32\nppt9x.vxd
2008-02-06 14:00 . 05-01-04 12:43 4,682 --a------ C:\WINNT\system32\npptNT2.sys
2008-02-06 11:58 . 08-02-06 11:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-02-06 11:58 . 07-10-04 17:10 79,688 --a------ C:\WINNT\system32\drivers\iksyssec.sys
2008-02-06 11:58 . 07-10-04 17:10 62,280 --a------ C:\WINNT\system32\drivers\iksysflt.sys
2008-02-06 11:58 . 07-10-04 17:10 41,288 --a------ C:\WINNT\system32\drivers\ikfilesec.sys
2008-02-06 11:58 . 07-10-04 17:11 29,000 --a------ C:\WINNT\system32\drivers\kcom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 18:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 14:24 --------- d-----w C:\Program Files\QuickTime
2008-03-25 14:24 --------- d-----w C:\Program Files\iTunes
2008-03-24 20:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-03-24 19:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 19:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-03-01 15:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-02-07 16:03 --------- d-----w C:\Program Files\speed-bit
2008-02-06 19:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 15:39 90,112 -c--a-w C:\WINNT\UpdReg.EXE
2006-11-12 05:34 271 ---h--w C:\Program Files\desktop.ini
2006-11-12 05:34 21,952 -c-h--w C:\Program Files\folder.htt
2007-12-11 22:33 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-12-11 22:33 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-12-11 22:33 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((( snapshot@Tue 2008-03-25_ 8.25.04.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-01-12 19:39:46 59,904 ----a-w C:\WINNT\system32\acctres.dll
+ 2002-08-29 13:06:14 64,512 ----a-w C:\WINNT\system32\acctres.dll
- 2003-06-19 19:05:04 72,464 ----a-w C:\WINNT\system32\actxprxy.dll
+ 2002-08-29 13:14:40 98,816 ----a-w C:\WINNT\system32\actxprxy.dll
- 2003-06-19 19:05:04 88,848 ----a-w C:\WINNT\system32\advpack.dll
+ 2002-08-29 13:14:40 91,136 ----a-w C:\WINNT\system32\advpack.dll
- 2003-06-19 19:05:04 35,328 ----a-w C:\WINNT\system32\browselc.dll
+ 2002-08-29 13:14:40 62,976 ----a-w C:\WINNT\system32\browselc.dll
- 2007-12-10 16:23:08 792,848 ----a-w C:\WINNT\system32\BROWSEUI.DLL
+ 2007-12-10 21:46:16 1,018,368 ----a-w C:\WINNT\system32\BROWSEUI.DLL
+ 2002-08-29 13:14:40 71,680 ----a-w C:\WINNT\system32\browsewm.dll
- 2003-06-19 19:05:04 142,608 ----a-w C:\WINNT\system32\cdfview.dll
+ 2007-12-10 21:46:22 143,360 ----a-w C:\WINNT\system32\CDFVIEW.DLL
- 2006-08-28 11:03:26 529,680 ----a-w C:\WINNT\system32\comctl32.dll
+ 2006-08-28 08:44:10 530,192 ----a-w C:\WINNT\system32\comctl32.dll
- 1999-12-07 12:00:00 14,608 ----a-w C:\WINNT\system32\corpol.dll
+ 2002-08-29 13:14:40 16,384 ----a-w C:\WINNT\system32\corpol.dll
- 2003-06-19 19:05:04 90,384 -c--a-w C:\WINNT\system32\CRYPTDLG.DLL
+ 2003-06-19 18:05:04 90,384 ----a-w C:\WINNT\system32\CRYPTDLG.DLL
- 1999-12-07 12:00:00 86,066 ----a-w C:\WINNT\system32\cscript.exe
+ 2001-06-26 23:49:06 102,450 ----a-w C:\WINNT\system32\cscript.exe
+ 2002-08-29 13:14:40 86,016 ----a-w C:\WINNT\system32\csseqchk.dll
- 2007-12-10 17:45:34 1,134,352 ----a-w C:\WINNT\system32\DANIM.DLL
+ 2007-10-11 04:13:44 1,054,208 ----a-w C:\WINNT\system32\DANIM.DLL
- 1999-12-07 12:00:00 46,352 ----a-w C:\WINNT\system32\digest.dll
+ 2002-08-29 13:14:40 55,296 ----a-w C:\WINNT\system32\digest.dll
- 1999-12-07 12:00:00 45,112 ----a-w C:\WINNT\system32\dispex.dll
+ 2001-06-26 22:42:14 45,105 ----a-w C:\WINNT\system32\dispex.dll
- 2005-01-12 19:39:46 59,904 -c----w C:\WINNT\system32\dllcache\acctres.dll
+ 2002-08-29 13:06:14 64,512 -c--a-w C:\WINNT\system32\dllcache\acctres.dll
+ 2002-08-29 13:14:40 98,816 -c--a-w C:\WINNT\system32\dllcache\actxprxy.dll
+ 2002-08-29 13:14:40 91,136 -c--a-w C:\WINNT\system32\dllcache\advpack.dll
+ 2002-08-29 13:14:40 62,976 -c--a-w C:\WINNT\system32\dllcache\browselc.dll
- 2007-12-10 16:23:08 792,848 -c----w C:\WINNT\system32\dllcache\BROWSEUI.DLL
+ 2007-12-10 21:46:16 1,018,368 -c--a-w C:\WINNT\system32\dllcache\BROWSEUI.DLL
+ 2002-08-29 13:14:40 71,680 -c--a-w C:\WINNT\system32\dllcache\browsewm.dll
+ 2007-12-10 21:46:22 143,360 -c--a-w C:\WINNT\system32\dllcache\CDFVIEW.DLL
- 2006-08-28 11:03:26 529,680 -c----w C:\WINNT\system32\dllcache\comctl32.dll
+ 2006-08-28 08:44:10 530,192 -c--a-w C:\WINNT\system32\dllcache\comctl32.dll
- 1999-12-07 12:00:00 14,608 -c--a-w C:\WINNT\system32\dllcache\corpol.dll
+ 2002-08-29 13:14:40 16,384 -c--a-w C:\WINNT\system32\dllcache\corpol.dll
- 2003-06-19 19:05:04 90,384 -c--a-w C:\WINNT\system32\dllcache\cryptdlg.dll
+ 2003-06-19 18:05:04 90,384 -c--a-w C:\WINNT\system32\dllcache\cryptdlg.dll
- 1999-12-07 12:00:00 86,066 -c--a-w C:\WINNT\system32\dllcache\cscript.exe
+ 2001-06-26 23:49:06 102,450 -c--a-w C:\WINNT\system32\dllcache\cscript.exe
+ 2002-08-29 13:14:40 86,016 -c--a-w C:\WINNT\system32\dllcache\csseqchk.dll
- 2007-12-10 17:45:34 1,134,352 -c--a-w C:\WINNT\system32\dllcache\DANIM.DLL
+ 2007-10-11 04:13:44 1,054,208 -c--a-w C:\WINNT\system32\dllcache\DANIM.DLL
- 1999-12-07 12:00:00 46,352 -c--a-w C:\WINNT\system32\dllcache\digest.dll
+ 2002-08-29 13:14:40 55,296 -c--a-w C:\WINNT\system32\dllcache\digest.dll
- 2005-01-12 19:39:50 58,128 -c----w C:\WINNT\system32\dllcache\directdb.dll
+ 2007-08-19 23:55:12 75,776 -c--a-w C:\WINNT\system32\dllcache\DIRECTDB.DLL
- 1999-12-07 12:00:00 45,112 -c--a-w C:\WINNT\system32\dllcache\dispex.dll
+ 2001-06-26 22:42:14 45,105 -c--a-w C:\WINNT\system32\dllcache\dispex.dll
- 2007-12-10 16:22:32 325,904 -c--a-w C:\WINNT\system32\dllcache\DXTMSFT.DLL
+ 2007-12-10 18:38:42 351,744 -c--a-w C:\WINNT\system32\dllcache\DXTMSFT.DLL
- 1999-12-07 12:00:00 150,288 -c--a-w C:\WINNT\system32\dllcache\dxtrans.dll
+ 2007-12-10 18:38:38 192,512 -c--a-w C:\WINNT\system32\dllcache\DXTRANS.DLL
- 1999-12-07 12:00:00 27,920 -c--a-w C:\WINNT\system32\dllcache\ie4uinit.exe
+ 2002-08-29 13:14:40 28,672 -c--a-w C:\WINNT\system32\dllcache\ie4uinit.exe
- 1999-12-07 12:00:00 126,224 -c--a-w C:\WINNT\system32\dllcache\ieakeng.dll
+ 2002-08-29 13:14:40 126,976 -c--a-w C:\WINNT\system32\dllcache\ieakeng.dll
- 1999-12-07 12:00:00 110,864 -c--a-w C:\WINNT\system32\dllcache\ieaksie.dll
+ 2002-08-29 13:14:40 204,288 -c--a-w C:\WINNT\system32\dllcache\ieaksie.dll
- 1999-12-07 12:00:00 215,040 -c--a-w C:\WINNT\system32\dllcache\ieakui.dll
+ 2002-08-29 13:14:40 221,184 -c--a-w C:\WINNT\system32\dllcache\ieakui.dll
+ 2002-08-29 13:14:40 294,912 -c--a-w C:\WINNT\system32\dllcache\iedkcs32.dll
+ 2007-12-10 18:38:50 236,032 -c--a-w C:\WINNT\system32\dllcache\IEPEERS.DLL
+ 2002-08-29 13:14:40 57,856 -c--a-w C:\WINNT\system32\dllcache\iesetup.dll
+ 2002-08-29 13:14:40 30,720 -c--a-w C:\WINNT\system32\dllcache\imgutil.dll
- 2007-08-16 15:03:32 575,760 -c--a-w C:\WINNT\system32\dllcache\INETCOMM.DLL
+ 2007-08-19 23:55:32 596,992 -c--a-w C:\WINNT\system32\dllcache\INETCOMM.DLL
+ 2002-08-29 13:14:40 110,592 -c--a-w C:\WINNT\system32\dllcache\inetcplc.dll
- 2005-01-12 19:39:52 47,616 -c----w C:\WINNT\system32\dllcache\inetres.dll
+ 2007-08-19 23:55:26 47,616 -c--a-w C:\WINNT\system32\dllcache\INETRES.DLL
- 2007-12-10 16:24:44 74,000 -c----w C:\WINNT\system32\dllcache\INSENG.DLL
+ 2007-12-10 18:38:54 69,632 -c--a-w C:\WINNT\system32\dllcache\INSENG.DLL
- 2006-05-18 07:13:30 483,385 -c----w C:\WINNT\system32\dllcache\jscript.dll
+ 2006-05-17 17:43:58 465,864 -c--a-w C:\WINNT\system32\dllcache\jscript.dll
- 2007-12-10 16:24:30 13,584 -c--a-w C:\WINNT\system32\dllcache\JSPROXY.DLL
+ 2007-12-10 18:39:14 12,288 -c--a-w C:\WINNT\system32\dllcache\JSPROXY.DLL
+ 2002-08-29 13:14:40 574,976 -c--a-w C:\WINNT\system32\dllcache\mlang.dll
+ 2002-08-29 13:14:40 24,576 -c--a-w C:\WINNT\system32\dllcache\mshta.exe
- 2007-12-10 16:24:38 2,303,760 -c----w C:\WINNT\system32\dllcache\MSHTML.DLL
+ 2007-12-10 18:38:46 2,705,408 -c--a-w C:\WINNT\system32\dllcache\MSHTML.DLL
+ 2002-08-29 13:14:40 434,688 -c--a-w C:\WINNT\system32\dllcache\mshtmled.dll
+ 2002-08-29 13:14:40 56,320 -c--a-w C:\WINNT\system32\dllcache\mshtmler.dll
+ 2007-08-19 23:52:36 44,032 -c--a-w C:\WINNT\system32\dllcache\MSIDENT.DLL
+ 2002-08-29 13:14:40 14,848 -c--a-w C:\WINNT\system32\dllcache\msidntld.dll
+ 2005-08-05 19:53:02 248,592 -c--a-w C:\WINNT\system32\dllcache\MSIEFTP.DLL
+ 2007-08-19 23:55:44 56,832 -c--a-w C:\WINNT\system32\dllcache\MSIMN.EXE
- 2007-08-16 15:03:36 1,147,664 -c--a-w C:\WINNT\system32\dllcache\MSOE.DLL
+ 2007-08-19 23:55:38 1,176,064 -c--a-w C:\WINNT\system32\dllcache\MSOE.DLL
+ 2007-08-19 23:55:14 229,376 -c--a-w C:\WINNT\system32\dllcache\MSOEACCT.DLL
- 2005-01-12 19:39:56 911,872 -c----w C:\WINNT\system32\dllcache\msoeres.dll
+ 2007-08-19 23:55:48 2,479,616 -c--a-w C:\WINNT\system32\dllcache\MSOERES.DLL
- 2005-01-12 19:39:56 68,368 -c----w C:\WINNT\system32\dllcache\msoert2.dll
+ 2007-08-19 23:55:10 91,136 -c--a-w C:\WINNT\system32\dllcache\MSOERT2.DLL
+ 2002-08-29 13:14:40 59,904 -c--a-w C:\WINNT\system32\dllcache\msratelc.dll
- 2007-12-10 16:23:42 149,776 -c----w C:\WINNT\system32\dllcache\MSRATING.DLL
+ 2007-12-10 21:46:38 132,096 -c--a-w C:\WINNT\system32\dllcache\MSRATING.DLL
+ 2007-12-10 18:38:36 498,176 -c--a-w C:\WINNT\system32\dllcache\MSTIME.DLL
- 2004-07-07 04:11:40 44,032 -c----w C:\WINNT\system32\dllcache\msxml3r.dll
+ 2002-08-29 13:14:40 44,032 -c--a-w C:\WINNT\system32\dllcache\msxml3r.dll
+ 2002-08-29 13:14:40 87,552 -c--a-w C:\WINNT\system32\dllcache\occache.dll
- 2005-01-12 19:39:58 74,512 -c----w C:\WINNT\system32\dllcache\oeimport.dll
+ 2007-08-19 23:55:36 93,184 -c--a-w C:\WINNT\system32\dllcache\OEIMPORT.DLL
+ 2007-08-19 23:55:50 55,808 -c--a-w C:\WINNT\system32\dllcache\OEMIG50.EXE
+ 2007-08-19 23:55:50 31,744 -c--a-w C:\WINNT\system32\dllcache\OEMIGLIB.DLL
- 2007-12-10 16:24:26 48,912 -c----w C:\WINNT\system32\dllcache\PNGFILT.DLL
+ 2007-12-10 18:38:44 34,816 -c--a-w C:\WINNT\system32\dllcache\PNGFILT.DLL
+ 2001-06-26 22:38:20 159,793 -c--a-w C:\WINNT\system32\dllcache\scrobj.dll
+ 2001-06-26 22:39:42 151,601 -c--a-w C:\WINNT\system32\dllcache\scrrun.dll
+ 2002-08-29 13:14:40 18,704 -c--a-w C:\WINNT\system32\dllcache\sendmail.dll
+ 2002-08-29 13:06:14 67,584 -c--a-w C:\WINNT\system32\dllcache\setup50.exe
+ 2002-08-29 13:14:40 533,504 -c--a-w C:\WINNT\system32\dllcache\shdoclc.dll
- 2007-12-10 16:23:04 1,104,656 -c----w C:\WINNT\system32\dllcache\SHDOCVW.DLL
+ 2007-12-10 21:46:10 1,340,416 -c--a-w C:\WINNT\system32\dllcache\SHDOCVW.DLL
- 1999-12-07 12:00:00 21,776 -c--a-w C:\WINNT\system32\dllcache\shfolder.dll
+ 2002-08-29 13:14:40 22,528 -c--a-w C:\WINNT\system32\dllcache\shfolder.dll
- 2007-12-10 23:08:48 284,432 -c----w C:\WINNT\system32\dllcache\SHLWAPI.DLL
+ 2007-12-10 21:46:02 402,944 -c--a-w C:\WINNT\system32\dllcache\SHLWAPI.DLL
- 1999-12-07 12:00:00 149,776 -c--a-w C:\WINNT\system32\dllcache\triedit.dll
+ 2002-08-29 13:14:40 146,432 -c--a-w C:\WINNT\system32\dllcache\triedit.dll
- 2007-12-10 23:12:20 84,240 -c----w C:\WINNT\system32\dllcache\URL.DLL
+ 2002-08-29 13:14:40 106,496 -c--a-w C:\WINNT\system32\dllcache\url.dll
- 2007-12-10 16:24:36 425,232 -c----w C:\WINNT\system32\dllcache\URLMON.DLL
+ 2007-12-10 18:39:14 462,336 -c--a-w C:\WINNT\system32\dllcache\URLMON.DLL
- 2005-01-12 19:39:46 438,330 -c----w C:\WINNT\system32\dllcache\vbscript.dll
+ 2002-02-26 21:58:06 462,906 -c--a-w C:\WINNT\system32\dllcache\vbscript.dll
- 2007-06-26 16:00:14 1,757,256 -c--a-w C:\WINNT\system32\dllcache\VGX.DLL
+ 2007-06-26 20:52:08 2,286,080 -c--a-w C:\WINNT\system32\dllcache\VGX.DLL
- 2007-08-16 15:03:28 20,752 -c--a-w C:\WINNT\system32\dllcache\wab.exe
+ 2007-08-19 23:55:20 42,496 -c--a-w C:\WINNT\system32\dllcache\WAB.EXE
- 2005-01-12 19:40:00 454,416 -c----w C:\WINNT\system32\dllcache\wab32.dll
+ 2007-08-19 23:55:20 465,920 -c--a-w C:\WINNT\system32\dllcache\WAB32.DLL
- 2005-01-12 19:40:00 159,232 -c----w C:\WINNT\system32\dllcache\wab32res.dll
+ 2002-08-29 13:06:14 249,344 -c--a-w C:\WINNT\system32\dllcache\wab32res.dll
+ 2007-08-19 23:55:22 30,208 -c--a-w C:\WINNT\system32\dllcache\WABFIND.DLL
- 2007-08-16 15:03:28 85,264 -c--a-w C:\WINNT\system32\dllcache\wabimp.dll
+ 2007-08-19 23:55:18 77,824 -c--a-w C:\WINNT\system32\dllcache\WABIMP.DLL
+ 2007-08-19 23:55:16 27,648 -c--a-w C:\WINNT\system32\dllcache\WABMIG.EXE
+ 2002-08-29 13:14:40 258,048 -c--a-w C:\WINNT\system32\dllcache\webcheck.dll
- 2007-12-10 16:24:32 451,344 -c----w C:\WINNT\system32\dllcache\WININET.DLL
+ 2007-12-10 18:39:18 575,488 -c--a-w C:\WINNT\system32\dllcache\WININET.DLL
- 1999-12-07 12:00:00 90,162 -c--a-w C:\WINNT\system32\dllcache\wscript.exe
+ 2001-06-26 23:53:50 118,834 -c--a-w C:\WINNT\system32\dllcache\wscript.exe
+ 2001-06-26 23:59:32 28,721 -c--a-w C:\WINNT\system32\dllcache\wshcon.dll
- 1999-12-07 12:00:00 45,105 -c--a-w C:\WINNT\system32\dllcache\wshext.dll
+ 2001-06-26 23:56:36 65,585 -c--a-w C:\WINNT\system32\dllcache\wshext.dll
- 2007-12-10 16:22:32 325,904 ----a-w C:\WINNT\system32\DXTMSFT.DLL
+ 2007-12-10 18:38:42 351,744 ----a-w C:\WINNT\system32\DXTMSFT.DLL
- 1999-12-07 12:00:00 150,288 ----a-w C:\WINNT\system32\dxtrans.dll
+ 2007-12-10 18:38:38 192,512 ----a-w C:\WINNT\system32\DXTRANS.DLL
- 2005-07-13 07:22:02 138,000 ----a-w C:\WINNT\system32\faxui.dll
+ 2005-01-12 19:39:50 138,000 ----a-w C:\WINNT\system32\faxui.dll
- 1999-12-07 12:00:00 27,920 ----a-w C:\WINNT\system32\ie4uinit.exe
+ 2002-08-29 13:14:40 28,672 ----a-w C:\WINNT\system32\ie4uinit.exe
- 1999-12-07 12:00:00 126,224 ----a-w C:\WINNT\system32\ieakeng.dll
+ 2002-08-29 13:14:40 126,976 ----a-w C:\WINNT\system32\ieakeng.dll
- 1999-12-07 12:00:00 110,864 ----a-w C:\WINNT\system32\ieaksie.dll
+ 2002-08-29 13:14:40 204,288 ----a-w C:\WINNT\system32\ieaksie.dll
- 1999-12-07 12:00:00 215,040 ----a-w C:\WINNT\system32\ieakui.dll
+ 2002-08-29 13:14:40 221,184 ----a-w C:\WINNT\system32\ieakui.dll
- 2003-06-19 19:05:04 198,928 ----a-w C:\WINNT\system32\iedkcs32.dll
+ 2002-08-29 13:14:40 294,912 ----a-w C:\WINNT\system32\iedkcs32.dll
- 2007-12-10 16:24:28 100,112 ----a-w C:\WINNT\system32\IEPEERS.DLL
+ 2007-12-10 18:38:50 236,032 ----a-w C:\WINNT\system32\IEPEERS.DLL
- 2003-06-19 19:05:04 58,128 ----a-w C:\WINNT\system32\iesetup.dll
+ 2002-08-29 13:14:40 57,856 ----a-w C:\WINNT\system32\iesetup.dll
- 2003-06-19 19:05:04 31,504 ----a-w C:\WINNT\system32\imgutil.dll
+ 2002-08-29 13:14:40 30,720 ----a-w C:\WINNT\system32\imgutil.dll
- 2007-08-16 15:03:32 575,760 ----a-w C:\WINNT\system32\INETCOMM.DLL
+ 2007-08-19 23:55:32 596,992 ----a-w C:\WINNT\system32\INETCOMM.DLL
- 2003-06-19 19:05:04 62,976 ----a-w C:\WINNT\system32\inetcplc.dll
+ 2002-08-29 13:14:40 110,592 ----a-w C:\WINNT\system32\inetcplc.dll
- 2005-01-12 19:39:52 47,616 ----a-w C:\WINNT\system32\inetres.dll
+ 2007-08-19 23:55:26 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
- 2007-12-10 16:24:44 74,000 ----a-w C:\WINNT\system32\INSENG.DLL
+ 2007-12-10 18:38:54 69,632 ----a-w C:\WINNT\system32\INSENG.DLL
- 2006-05-18 07:13:30 483,385 ----a-w C:\WINNT\system32\jscript.dll
+ 2006-05-17 17:43:58 465,864 ----a-w C:\WINNT\system32\jscript.dll
- 2007-12-10 16:24:30 13,584 ----a-w C:\WINNT\system32\JSPROXY.DLL
+ 2007-12-10 18:39:14 12,288 ----a-w C:\WINNT\system32\JSPROXY.DLL
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2003-06-19 19:05:04 523,024 ----a-w C:\WINNT\system32\mlang.dll
+ 2002-08-29 13:14:40 574,976 ----a-w C:\WINNT\system32\mlang.dll
- 1999-12-07 12:00:00 94,480 ----a-w C:\WINNT\system32\msencode.dll
+ 2002-08-29 13:14:40 95,744 ----a-w C:\WINNT\system32\msencode.dll
- 2003-06-19 19:05:04 29,968 ----a-w C:\WINNT\system32\mshta.exe
+ 2002-08-29 13:14:40 24,576 ----a-w C:\WINNT\system32\mshta.exe
- 2007-12-10 16:24:38 2,303,760 ----a-w C:\WINNT\system32\MSHTML.DLL
+ 2007-12-10 18:38:46 2,705,408 ----a-w C:\WINNT\system32\MSHTML.DLL
- 2003-06-19 19:05:04 235,280 ----a-w C:\WINNT\system32\mshtmled.dll
+ 2002-08-29 13:14:40 434,688 ----a-w C:\WINNT\system32\mshtmled.dll
- 2003-06-19 19:05:04 58,368 ----a-w C:\WINNT\system32\mshtmler.dll
+ 2002-08-29 13:14:40 56,320 ----a-w C:\WINNT\system32\mshtmler.dll
- 2003-06-19 19:05:04 38,672 ----a-w C:\WINNT\system32\msident.dll
+ 2007-08-19 23:52:36 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
- 2003-06-19 19:05:04 14,848 ----a-w C:\WINNT\system32\msidntld.dll
+ 2002-08-29 13:14:40 14,848 ----a-w C:\WINNT\system32\msidntld.dll
- 2003-06-19 19:05:04 246,544 ----a-w C:\WINNT\system32\msieftp.dll
+ 2005-08-05 19:53:02 248,592 ----a-w C:\WINNT\system32\MSIEFTP.DLL
- 2003-06-19 19:05:04 183,056 ----a-w C:\WINNT\system32\msoeacct.dll
+ 2007-08-19 23:55:14 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL
- 2005-01-12 19:39:56 68,368 ----a-w C:\WINNT\system32\msoert2.dll
+ 2007-08-19 23:55:10 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
+ 2002-08-29 13:14:40 59,904 ----a-w C:\WINNT\system32\msratelc.dll
- 2007-12-10 16:23:42 149,776 ----a-w C:\WINNT\system32\MSRATING.DLL
+ 2007-12-10 21:46:38 132,096 ----a-w C:\WINNT\system32\MSRATING.DLL
+ 2007-12-10 18:38:36 498,176 ----a-w C:\WINNT\system32\MSTIME.DLL
+ 2002-08-29 13:14:40 24,576 ----a-w C:\WINNT\system32\msxml3a.dll
- 2004-07-07 04:11:40 44,032 ----a-w C:\WINNT\system32\msxml3r.dll
+ 2002-08-29 13:14:40 44,032 ----a-w C:\WINNT\system32\msxml3r.dll
+ 2007-07-31 01:18:34 207,736 ----a-w C:\WINNT\system32\muweb.dll
- 2003-06-19 19:05:04 87,824 ----a-w C:\WINNT\system32\occache.dll
+ 2002-08-29 13:14:40 87,552 ----a-w C:\WINNT\system32\occache.dll
- 2007-12-10 16:24:26 48,912 ----a-w C:\WINNT\system32\PNGFILT.DLL
+ 2007-12-10 18:38:44 34,816 ----a-w C:\WINNT\system32\PNGFILT.DLL
- 2003-06-19 19:05:04 151,601 ----a-w C:\WINNT\system32\scrobj.dll
+ 2001-06-26 22:38:20 159,793 ----a-w C:\WINNT\system32\scrobj.dll
- 2003-06-19 19:05:04 147,512 ----a-w C:\WINNT\system32\scrrun.dll
+ 2001-06-26 22:39:42 151,601 ----a-w C:\WINNT\system32\scrrun.dll
- 2003-06-19 19:05:04 18,704 ----a-w C:\WINNT\system32\sendmail.dll
+ 2002-08-29 13:14:40 18,704 ----a-w C:\WINNT\system32\sendmail.dll
+ 2002-08-29 13:14:40 50,688 ----a-w C:\WINNT\system32\setupwbv.dll
- 2003-06-19 19:05:04 332,288 ----a-w C:\WINNT\system32\shdoclc.dll
+ 2002-08-29 13:14:40 533,504 ----a-w C:\WINNT\system32\shdoclc.dll
- 2007-12-10 16:23:04 1,104,656 ----a-w C:\WINNT\system32\SHDOCVW.DLL
+ 2007-12-10 21:46:10 1,340,416 ----a-w C:\WINNT\system32\SHDOCVW.DLL
- 1999-12-07 12:00:00 21,776 ----a-w C:\WINNT\system32\shfolder.dll
+ 2002-08-29 13:14:40 22,528 ----a-w C:\WINNT\system32\shfolder.dll
- 2007-12-10 23:08:48 284,432 ----a-w C:\WINNT\system32\SHLWAPI.DLL
+ 2007-12-10 21:46:02 402,944 ----a-w C:\WINNT\system32\SHLWAPI.DLL
- 2007-12-06 01:56:54 13,536 ------w C:\WINNT\system32\spmsg.dll
+ 2005-06-28 16:20:36 14,048 ------w C:\WINNT\system32\spmsg.dll
+ 2001-03-23 22:17:12 7,168 ----a-w C:\WINNT\system32\updcrl.exe
- 2007-12-10 23:12:20 84,240 ----a-w C:\WINNT\system32\URL.DLL
+ 2002-08-29 13:14:40 106,496 ----a-w C:\WINNT\system32\url.dll
- 2007-12-10 16:24:36 425,232 ----a-w C:\WINNT\system32\URLMON.DLL
+ 2007-12-10 18:39:14 462,336 ----a-w C:\WINNT\system32\URLMON.DLL
- 2005-01-12 19:39:46 438,330 ----a-w C:\WINNT\system32\vbscript.dll
+ 2002-02-26 21:58:06 462,906 ----a-w C:\WINNT\system32\vbscript.dll
- 2003-06-19 19:05:04 257,808 ----a-w C:\WINNT\system32\webcheck.dll
+ 2002-08-29 13:14:40 258,048 ----a-w C:\WINNT\system32\webcheck.dll
- 2007-12-10 16:24:32 451,344 ----a-w C:\WINNT\system32\WININET.DLL
+ 2007-12-10 18:39:18 575,488 ----a-w C:\WINNT\system32\WININET.DLL
- 1999-12-07 12:00:00 90,162 ----a-w C:\WINNT\system32\wscript.exe
+ 2001-06-26 23:53:50 118,834 ----a-w C:\WINNT\system32\wscript.exe
+ 2001-06-26 23:59:32 28,721 ----a-w C:\WINNT\system32\wshcon.dll
- 1999-12-07 12:00:00 45,105 ----a-w C:\WINNT\system32\wshext.dll
+ 2001-06-26 23:56:36 65,585 ----a-w C:\WINNT\system32\wshext.dll
+ 2008-03-25 14:45:24 491,768 ----a-w C:\WINNT\Windows Update Setup Files\ie6setup.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [07-03-23 12:49 2526776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 111376 C:\WINNT\system32\mobsync.exe]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [07-04-19 13:26 7700480]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [07-04-19 13:26 86016]
"DownloadAccelerator"="D:\Program Files\DAP\DAP.exe" [07-12-04 11:08 4568576]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [08-01-23 14:47 847872]
"SDTray"="D:\Program Files\Spyware Doctor\SDTrayApp.exe" [07-10-02 16:27 1065288]
"BMf305ad30"="C:\WINNT\system32\qoycgukl.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 13:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 08-03-04 08:41 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 13:05 ]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 06:22 ]
S3 XDva032;XDva032;C:\WINNT\system32\XDva032.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:00:06 C:\WINNT\Tasks\RegCure Program Check.job"
- D:\Program Files\RegCure\RegCure.exe
"2008-03-20 19:36:57 C:\WINNT\Tasks\RegCure.job"
- D:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 18:43:52
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: C:\WINNT\system32\lsass.exe
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: C:\WINNT\explorer.exe
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: C:\WINNT\system32\csrss.exe
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
.
**************************************************************************
.
Completion time: 2008-03-30 18:45:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 00:45:29
ComboFix2.txt 2008-03-25 14:25:18
ComboFix3.txt 2008-03-25 05:10:13
.
2008-03-26 09:01:18 --- E O F ---

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 March 2008 - 06:07 AM

Please post a new hijackthis log as well.
How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Gilthantis
  • Topic Starter
  • Members
  • 52 posts

Posted 31 March 2008 - 10:12 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:09 AM, on 3/31/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Ventrilo\Ventrilo.exe
D:\Program Files\DAP\DAP.EXE
D:\Mythic\Atlantis\patch.bin
D:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] "D:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [SDTray] "D:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [BMf305ad30] Rundll32.exe "C:\WINNT\system32\qoycgukl.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206456137265
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5650 bytes




Overall loading time seems to be better, and I have had no trouble loading my Internet Explorer as I did before. I ran Spybot S&D again, and everything came up clean except for SpyHunter, which is an antivirus program that Spybot shows as malware that finds viruses that are not there. Do you know anything about this? Should I delete it?

Just got done running Spyware Doctor and it found Trojan-PSW.Tanspy and Trojan.Generic. Do you think that this Spyware Doctor is malware?

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 March 2008 - 06:32 PM

SpyHunter is not malware, but it is a program whose use is not recommended. Here's some more info.

http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note

If it was me, I'd uninstall it.


Run HijackThis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [BMf305ad30] Rundll32.exe "C:\WINNT\system32\qoycgukl.dll",s



Reboot and post a new hijackthis log.
Can you give me specific info on what Spyware Doctor found?
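The lines Buckeye_Sam singles out in the post above (the blank R0 "Local Page" values, the ProxyServer = :0 setting, and the BMf305ad30 entry that runs rundll32 on qoycgukl.dll) are the kind of thing a log reviewer picks out by eye. The Python below is an added example, not part of this thread and not code from HijackThis or ComboFix: it applies those same checks to constructed sample lines modelled on this thread, and separately parses ComboFix "Reg Loading Points" values to report entries whose trailing bracket carries no file timestamp or size (ComboFix printed `[ ]` for the qoycgukl.dll value earlier in the thread). The "BM plus eight hex digits" name pattern and the "eight lowercase letters with at most two vowels" random-name test are assumptions generalised from this one entry, not rules from either tool.

```python
import re

# Constructed sample modelled on the HijackThis lines the helper asked the
# poster to fix, plus benign lines that must not be flagged.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMf305ad30] Rundll32.exe "C:\WINNT\system32\qoycgukl.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# Constructed sample modelled on ComboFix's "Reg Loading Points" section. The
# bracket after each value normally holds the file's timestamp and size; it is
# blank when ComboFix could not read the file (hidden, locked or missing).
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [07-04-19 13:26 7700480]
"BMf305ad30"="C:\WINNT\system32\qoycgukl.dll" [ ]
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_BODY = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)', re.IGNORECASE)
BM_NAME = re.compile(r"^BM[0-9a-f]{8}$")   # assumption: the naming seen in this thread's entry
COMBOFIX_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<meta>[^\]]*)\]$')


def looks_random(basename):
    """Assumed heuristic: an 8-letter lowercase stem with at most two vowels."""
    stem = basename.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in "aeiou" for c in stem) <= 2


def triage_hijackthis(text):
    """Return [(line, [reasons])] for every R0/R1/O4 line worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" =")
            value = value.strip()
            if not value:
                reasons.append("setting present but blank; fixing it restores the default")
            elif key.endswith("ProxyServer") and value == ":0":
                reasons.append("proxy ':0' (no host, port 0) is not a usable proxy")
        elif kind == "O4":
            o4 = O4_BODY.match(body)
            if o4:
                if BM_NAME.match(o4.group("name")):
                    reasons.append("value name is 'BM' + 8 hex digits, like the entry in this thread")
                dll = RUNDLL_DLL.search(o4.group("cmd"))
                if dll and "system32" in dll.group("path").lower():
                    base = dll.group("path").replace("\\", "/").rsplit("/", 1)[-1]
                    if looks_random(base):
                        reasons.append("rundll32 loads random-looking DLL %s from system32" % base)
        if reasons:
            findings.append((line, reasons))
    return findings


def combofix_values_without_file_info(text):
    """Names of Run values whose trailing [..] metadata is blank."""
    matches = (COMBOFIX_VALUE.match(ln.strip()) for ln in text.splitlines())
    return [m.group("name") for m in matches if m and not m.group("meta").strip()]


if __name__ == "__main__":
    for line, reasons in triage_hijackthis(SAMPLE_HJT):
        print(line)
        for r in reasons:
            print("   ->", r)
    print("ComboFix values without file info:",
          combofix_values_without_file_info(SAMPLE_COMBOFIX))
```

Run against the constructed sample it reports exactly the three HijackThis lines the helper listed and leaves the NVIDIA and TeaTimer entries alone; the BMf305ad30 line gets two reasons (the name pattern and the random-looking DLL), and the same value is the only one ComboFix could not attach file information to, which is the cross-check a reviewer would want before telling someone to fix it.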

#11 Gilthantis
  • Topic Starter
  • Members
  • 52 posts

Posted 31 March 2008 - 07:30 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:06 PM, on 3/31/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
D:\Program Files\Spyware Doctor\svcntaux.exe
D:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
D:\Program Files\DAP\DAP.EXE
D:\Program Files\Spyware Doctor\SDTrayApp.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] "D:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [BMf305ad30] Rundll32.exe "C:\WINNT\system32\qoycgukl.dll",s
O4 - HKLM\..\Run: [SDTray] "D:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206456137265
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5518 bytes

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 April 2008 - 06:42 AM

You must disable Spybot's TeaTimer function before proceeding with this fix. Otherwise it will interfere with HijackThis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Once you have Teatimer disabled, fix this line with hijackthis.

O4 - HKLM\..\Run: [BMf305ad30] Rundll32.exe "C:\WINNT\system32\qoycgukl.dll",s


Reboot and post a new hijackthis log.

#13 Gilthantis
  • Topic Starter
  • Members
  • 52 posts

Posted 01 April 2008 - 10:50 AM

This is what Spyware Doctor found:

http://www.pctools.com/mrc/infections/id/Trojan-PWS.Tanspy

http://www.pctools.com/mrc/infections/id/Trojan.Generic

I fixed them; I will give more info after I reboot and post a new HijackThis log, 1 sec.

#14 Gilthantis
  • Topic Starter
  • Members
  • 52 posts

Posted 01 April 2008 - 11:01 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:37 AM, on 4/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
D:\Program Files\Spyware Doctor\svcntaux.exe
D:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
D:\Program Files\DAP\DAP.EXE
D:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DownloadAccelerator] "D:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [SDTray] "D:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206456137265
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5240 bytes



SWDoctor came up clear after reset

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:19 AM

Posted 01 April 2008 - 05:30 PM

You could fix these lines with HijackThis.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)



Otherwise it looks pretty good to me. How are things on your end?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
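A small triage helper, added here as an example and not part of the thread or of HijackThis itself: it parses entries in the log format posted above and lists the ones HijackThis tagged "(file missing)", which is how the two O9 lines Buckeye_Sam points out stand out as orphaned. The sample lines are copied from the log above; the function and field names are this example's own.

```python
import re

# Constructed sample: four entries copied from the HijackThis log in this thread
# (one O2 BHO, the two O9 entries whose target file is missing, one O23 service).
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\\WINNT\\web\\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\\WINNT\\web\\related.htm (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\\Program Files\\Spyware Doctor\\swdsvc.exe
"""

# Every HijackThis entry starts with a section tag (R1, O2, O9, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Registry CLSIDs appear in braces: 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
MISSING_TAG = "(file missing)"


def parse_entry(line):
    """Split one log line into section, CLSID (if any), target path and the missing-file flag.
    Returns None for lines that are not HijackThis entries (headers, blank lines, process list)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    missing = body.endswith(MISSING_TAG)
    # The target path is the last " - " separated field; drop the missing-file tag if present.
    path = body.rsplit(" - ", 1)[-1]
    if missing:
        path = path[: -len(MISSING_TAG)].strip()
    return {
        "section": m.group("section"),
        "clsid": clsid.group(0) if clsid else None,
        "path": path,
        "file_missing": missing,
        "raw": line.strip(),
    }


def orphaned_entries(log_text):
    """Entries whose referenced file no longer exists: registry leftovers that do nothing
    but are safe to clean up, as with the two O9 lines above."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["file_missing"]]


def orphan_clsids(log_text):
    """CLSIDs shared by orphaned entries, so related lines (button + menu item) are fixed together."""
    return {e["clsid"] for e in orphaned_entries(log_text) if e["clsid"]}
```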



