
Gomyhit And Other Nasties


  • This topic is locked
26 replies to this topic

#1 Korpse


  • Members
  • 32 posts
  • Gender:Male
  • Location:New Zealand

Posted 04 April 2008 - 07:20 PM

I've been asked to look at a computer that would appear to be riddled with spyware and other beasties - the wallpaper on one account has been replaced by an advert for anti-spyware software, there is an icon in the notify area that pops up a message every couple of minutes, and another message box that pops up every now and again. Clicking on either of these takes you to gomyhit.com. Control Panel and Task Manager are disabled except in Safe Mode. Attempting to run things like DSS and Spybot does not even start unless you change the name of the executable (i.e. dss.exe won't run, dss2.exe will). There is a dat file in the Windows/Temp folder that can't be deleted, and another strangely named dat file that runs even when starting in Safe Mode. Any and all assistance would be very gratefully received.

Edit: and I noticed one post here that asked for a HijackThis from normal mode rather than Safe mode, so I've put that at the end of the post. Thanks in anticipation.


DSS log (from Safe Mode):

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-05 13:12:27
Computer is in Safe Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-05 13:15:44
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\CSRSS.EXE
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\shell.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\SYSTEM32\TASKMGR.EXE
C:\Documents and Settings\Administrator\Desktop\dss2.exe
C:\Program Files\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gomyhit.com/MTc5NjM=/2/6190/ax=1/ed=1/ex=1/10296/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O1 - Hosts: 10.18.250.4 ad.doubleclick.net
O1 - Hosts: 10.18.250.4 ad.fastclick.net
O1 - Hosts: 10.18.250.4 ads.fastclick.net
O1 - Hosts: 10.18.250.4 ar.atwola.com
O1 - Hosts: 10.18.250.4 atdmt.com
O1 - Hosts: 10.18.250.4 avp.ch
O1 - Hosts: 10.18.250.4 avp.com
O1 - Hosts: 10.18.250.4 avp.ru
O1 - Hosts: 10.18.250.4 awaps.net
O1 - Hosts: 10.18.250.4 banner.fastclick.net
O1 - Hosts: 10.18.250.4 banners.fastclick.net
O1 - Hosts: 10.18.250.4 ca.com
O1 - Hosts: 10.18.250.4 click.atdmt.com
O1 - Hosts: 10.18.250.4 clicks.atdmt.com
O1 - Hosts: 10.18.250.4 customer.symantec.com
O1 - Hosts: 10.18.250.4 dispatch.mcafee.com
O1 - Hosts: 10.18.250.4 download.mcafee.com
O1 - Hosts: 10.18.250.4 download.microsoft.com
O1 - Hosts: 10.18.250.4 downloads-us1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads.microsoft.com
O1 - Hosts: 10.18.250.4 downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 engine.awaps.net
O1 - Hosts: 10.18.250.4 f-secure.com
O1 - Hosts: 10.18.250.4 fastclick.net
O1 - Hosts: 10.18.250.4 ftp.avp.ch
O1 - Hosts: 10.18.250.4 ftp.downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.f-secure.com
O1 - Hosts: 10.18.250.4 ftp.kasperskylab.ru
O1 - Hosts: 10.18.250.4 ftp.sophos.com
O1 - Hosts: 10.18.250.4 go.microsoft.com
O1 - Hosts: 10.18.250.4 ids.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky.com
O1 - Hosts: 10.18.250.4 liveupdate.symantec.com
O1 - Hosts: 10.18.250.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 10.18.250.4 mast.mcafee.com
O1 - Hosts: 10.18.250.4 mcafee.com
O1 - Hosts: 10.18.250.4 media.fastclick.net
O1 - Hosts: 10.18.250.4 microsoft.com
O1 - Hosts: 10.18.250.4 msdn.microsoft.com
O1 - Hosts: 10.18.250.4 my-etrust.com
O1 - Hosts: 10.18.250.4 nai.com
O1 - Hosts: 10.18.250.4 networkassociates.com
O1 - Hosts: 10.18.250.4 norton.com
O1 - Hosts: 10.18.250.4 office.microsoft.com
O1 - Hosts: 10.18.250.4 pandasoftware.com
O1 - Hosts: 10.18.250.4 phx.corporate-ir.net
O1 - Hosts: 10.18.250.4 rads.mcafee.com
O1 - Hosts: 10.18.250.4 secure.nai.com
O1 - Hosts: 10.18.250.4 securityresponse.symantec.com
O1 - Hosts: 10.18.250.4 service1.symantec.com
O1 - Hosts: 10.18.250.4 sophos.com
O1 - Hosts: 10.18.250.4 spd.atdmt.com
O1 - Hosts: 10.18.250.4 support.microsoft.com
O1 - Hosts: 10.18.250.4 symantec.com
O1 - Hosts: 10.18.250.4 trendmicro.com
O1 - Hosts: 10.18.250.4 update.symantec.com
O1 - Hosts: 10.18.250.4 updates.symantec.com
O1 - Hosts: 10.18.250.4 updates1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates5.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 us.mcafee.com
O1 - Hosts: 10.18.250.4 vil.nai.com
O1 - Hosts: 10.18.250.4 viruslist.com
O1 - Hosts: 10.18.250.4 viruslist.ru
O1 - Hosts: 10.18.250.4 virusscan.jotti.org
O1 - Hosts: 10.18.250.4 virustotal.com
O1 - Hosts: 10.18.250.4 windowsupdate.microsoft.com
O1 - Hosts: 10.18.250.4 www.avp.ch
O1 - Hosts: 10.18.250.4 www.avp.com
O1 - Hosts: 10.18.250.4 www.avp.ru
O1 - Hosts: 10.18.250.4 www.awaps.net
O1 - Hosts: 10.18.250.4 www.ca.com
O1 - Hosts: 10.18.250.4 www.f-secure.com
O1 - Hosts: 10.18.250.4 www.fastclick.net
O1 - Hosts: 10.18.250.4 www.grisoft.com
O1 - Hosts: 10.18.250.4 www.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 www.kaspersky.com
O1 - Hosts: 10.18.250.4 www.kaspersky.ru
O1 - Hosts: 10.18.250.4 www.mcafee.com
O1 - Hosts: 10.18.250.4 www.microsoft.com
O1 - Hosts: 10.18.250.4 www.my-etrust.com
O1 - Hosts: 10.18.250.4 www.nai.com
O1 - Hosts: 10.18.250.4 www.networkassociates.com
O1 - Hosts: 10.18.250.4 www.pandasoftware.com
O1 - Hosts: 10.18.250.4 www.sophos.com
O1 - Hosts: 10.18.250.4 www.symantec.com
O1 - Hosts: 10.18.250.4 www.trendmicro.com
O1 - Hosts: 10.18.250.4 www.viruslist.com
O1 - Hosts: 10.18.250.4 www.viruslist.ru
O1 - Hosts: 10.18.250.4 www.virustotal.com
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\ljjjkih.dll
O2 - BHO: (no name) - {7D6B7455-8C49-4D8B-82CC-69DDA514DC51} - C:\WINDOWS\SYSTEM32\gebyx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Labpixies Toolbar - {03e037d3-f080-4c0b-bdb5-a70c693ae36d} - C:\Program Files\Labpixies\tbLabp.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\GRANT\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [typeconf] lpt.exe
O4 - HKLM\..\Run: [ffnbnrrr] rundll32.exe "C:\WINDOWS\TEMP\rbnnbrfjrfj.drv" WLEntryPoint
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKLM\..\Policies\Explorer\Run: [09jCoBDpfs] C:\Documents and Settings\All Users\Application Data\ojylihuf\sxoraluj.exe
O4 - HKLM\..\Policies\Explorer\Run: [ormhsjip] rundll32.exe "C:\WINDOWS\System32\knqhsfehoj.dll" WLEntryPoint
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\SYSTEM32\epobador.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/a-UNO1/GAME_UNO1.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/D...h2.1.0.0.68.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...37995.613587963
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/cinematycoon.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - http://ptcnz.tcnz.motive.com/lwp/static/in...aller_4-2-0.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{6DBC48F4-8269-4B48-BF85-E4C93A446BAA}: NameServer = 85.255.113.126,85.255.112.102
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: lcritcjmhof - C:\WINDOWS\System32\lcritcjmhof.dll
O20 - Winlogon Notify: ljjjkih - C:\WINDOWS\System32\ljjjkih.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\System32\WLCtrl32.dll
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\SYSTEM32\cryper.dll
O21 - SSODL: DUJGwmPoeHjp - {C495E10C-6E3F-4BA6-B7BC-B3D8ABE0F358} - C:\WINDOWS\SYSTEM32\ejhcxr.dll
O22 - SharedTaskScheduler: Hkjr94jdfdgj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\H4dj24g.dll (file missing)
O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\Kf9467g.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\SYSTEM32\DRIVERS\dcfssvc.exe
O23 - Service: Googles Onlines Search Services - Unknown owner - C:\Documents and Settings\GRANT\ie_updates3r.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\mpservic.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Service Messenger Sharing Folders USN Journal Reader (usnjsvc) - Unknown owner - C:\Program Files\MSN


--
End of file - 17021 bytes

-- Files created between 2008-03-05 and 2008-04-05 -----------------------------

2008-04-05 11:49:50 0 dr------- C:\WINDOWS\System32\wowfx.dll
2008-04-05 11:46:27 0 d-------- C:\WINDOWS\ERUNT
2008-04-05 11:37:19 40442 ---hs---- C:\WINDOWS\System32\drivers\spools.exe
2008-04-05 11:37:18 5120 --a------ C:\Documents and Settings\GRANT\ftpdll.dll
2008-04-05 10:59:20 16896 --a------ C:\WINDOWS\System32\braviax.exe
2008-04-05 10:56:20 9728 --a------ C:\WINDOWS\System32\spoolvs.exe
2008-04-05 10:50:20 9728 --a------ C:\WINDOWS\System32\printer.exe
2008-04-05 10:44:09 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-05 10:43:58 0 d-------- C:\Program Files\Security Task Manager
2008-04-02 23:50:59 0 d-------- C:\VundoFix Backups
2008-04-02 22:30:01 9728 --a------ C:\WINDOWS\shell.exe
2008-04-02 21:30:57 172 --a------ C:\Documents and Settings\KELLY\delself.bat
2008-04-02 21:30:18 0 d-------- C:\Documents and Settings\All Users\Application Data\ojylihuf
2008-04-02 20:28:48 3608 --a------ C:\WINDOWS\System32\tmp.reg
2008-04-02 20:25:51 0 d-------- C:\temp
2008-04-02 19:51:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-02 19:42:37 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-02 19:42:36 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-01 18:22:09 0 --a------ C:\WINDOWS\System32\dllgh8jkd1q8.exe
2008-03-31 22:09:14 0 d-------- C:\Documents and Settings\All Users\Application Data\wtwxqlqf
2008-03-31 21:40:25 0 d-------- C:\Documents and Settings\All Users\Application Data\yvoxshwb
2008-03-31 19:18:59 5120 --a------ C:\Documents and Settings\BRIAR\ftpdll.dll
2008-03-31 18:23:13 0 d-------- C:\Documents and Settings\All Users\Application Data\ulcpirqv
2008-03-31 18:20:43 172 --a------ C:\Documents and Settings\BRIAR\delself.bat
2008-03-31 17:38:56 0 d-------- C:\Documents and Settings\All Users\Application Data\erifwfah
2008-03-31 14:07:53 172 --a------ C:\Documents and Settings\MORGAN\delself.bat
2008-03-31 14:07:45 5120 --a------ C:\Documents and Settings\MORGAN\ftpdll.dll
2008-03-31 13:06:33 6656 --a------ C:\WINDOWS\System32\univrs32.dat
2008-03-30 19:57:03 13886 --a------ C:\WINDOWS\System32\dllgh8jkd1q7.exe
2008-03-30 19:56:44 13450 --a------ C:\WINDOWS\System32\dllgh8jkd1q6.exe
2008-03-30 19:56:28 13682 --a------ C:\WINDOWS\System32\dllgh8jkd1q5.exe
2008-03-30 19:56:04 28022 --a------ C:\WINDOWS\System32\dllgh8jkd1q2.exe
2008-03-30 19:56:03 63959 --a------ C:\WINDOWS\System32\winivstr.exe
2008-03-30 19:55:59 0 d-------- C:\Documents and Settings\All Users\Application Data\tmngxwlc
2008-03-30 19:33:41 0 d-------- C:\Documents and Settings\All Users\Application Data\hmlwfqrm
2008-03-30 19:31:55 6144 --a------ C:\WINDOWS\System32\cru629.dat
2008-03-30 19:31:55 6144 --a------ C:\WINDOWS\cru629.dat
2008-03-30 19:31:55 16896 --a------ C:\WINDOWS\braviax.exe
2008-03-30 19:26:44 172 --a------ C:\Documents and Settings\GRANT\delself.bat
2008-03-30 19:25:36 6397 --ahs---- C:\WINDOWS\System32\xybeg.ini2
2008-03-30 19:22:08 18944 --a------ C:\Documents and Settings\LocalService\Application Data\nvsvc1024.dll
2008-03-30 19:22:05 12234 --a------ C:\WINDOWS\System32\dllgh8jkd1q1.exe
2008-03-30 19:21:35 298048 --a------ C:\WINDOWS\System32\gebyx.dll
2008-03-30 19:19:53 19584 --a------ C:\WINDOWS\System32\drivers\yjzeyfzt.dat
2008-03-30 19:19:23 44 --a------ C:\WINDOWS\System32\p2hhr.bat
2008-03-30 19:19:21 8704 --a------ C:\WINDOWS\System32\drivers\smss.exe
2008-03-30 19:19:03 16848 --a------ C:\WINDOWS\System32\wind32.exe
2008-03-30 19:19:03 3584 --a------ C:\1.dll
2008-03-30 19:19:00 9728 --a------ C:\findfast.exe
2008-03-30 19:18:46 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-30 19:18:16 9728 --a------ C:\Documents and Settings\LocalService\Application Data\printer.exe
2008-03-30 19:17:42 10 --a------ C:\WINDOWS\System32\kr_done1
2008-03-30 19:16:31 262144 --a------ C:\WINDOWS\System32\wlogon32.dll
2008-03-30 19:15:25 25472 --a------ C:\WINDOWS\System32\drivers\Chl61.sys
2008-03-30 19:15:23 10752 --a------ C:\WINDOWS\System32\WLCtrl32.dll
2008-03-30 19:15:16 5120 --a------ C:\WINDOWS\System32\ftpdll.dll
2008-03-30 19:15:15 5120 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-03-30 19:14:34 444416 --a------ C:\autoex.dll
2008-03-30 19:14:25 346112 -----n--- C:\WINDOWS\System32\ljjjkih.dll
2008-03-30 19:14:00 705 --a------ C:\d.exe
2008-03-30 19:13:55 2 --a------ C:\-996810485
2008-03-30 19:13:42 6144 --a------ C:\rhvetm.exe
2008-03-30 19:13:37 261632 --a------ C:\WINDOWS\System32\cryper.dll
2008-03-30 19:11:07 3025 --a------ C:\Documents and Settings\GRANT\ie_updates3r.exe
2008-03-30 18:37:53 4096 --a------ C:\Documents and Settings\GRANT\Desktopfilemanagerclient.exe
2008-03-30 18:37:48 4096 --a------ C:\Documents and Settings\GRANT\DesktopFWebdEditor.exe
2008-03-30 18:37:48 4096 --a------ C:\Documents and Settings\GRANT\Desktopfwebd.exe
2008-03-30 15:39:11 4096 --a------ C:\Documents and Settings\MORGAN\Desktopfilemanagerclient.exe
2008-03-30 15:39:10 4096 --a------ C:\Documents and Settings\MORGAN\DesktopFWebdEditor.exe
2008-03-30 15:39:10 4096 --a------ C:\Documents and Settings\MORGAN\Desktopfwebd.exe
2008-03-30 15:38:41 106496 --a------ C:\WINDOWS\System32\xwzgfozm.exe
2008-03-30 15:17:37 88064 --a------ C:\WINDOWS\System32\ATKCTR.dll
2008-03-30 13:44:25 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-03-30 13:44:25 4096 --a------ C:\WINDOWS\System32winlogonpc.exe
2008-03-30 13:44:25 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\System32taack.exe
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\System32sncntr.exe
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\System32mwin32.exe
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\System32hoproxy.dll
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\a.bat
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32taack.dat
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32ssurf022.dll
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32psoft1.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32psof1.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32ps1.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32msnbho.dll
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32medup020.dll
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32hxiwlgpm.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32hxiwlgpm.dat
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32bsva-egihsg52.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32temp#01.exe
2008-03-30 13:44:22 0 d-------- C:\WINDOWS\System32smp
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32netode.exe
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32mtr2.exe
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32msgp.exe
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32medup012.dll
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32h@tkeysh@@k.dll
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32dpcproxy.exe
2008-03-30 13:44:22 0 d-------- C:\Program Files\Inet Delivery
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32thun32.dll
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32thun.dll
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32ssvchost.exe
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32ssvchost.com
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32Rundl1.exe
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32regm64.dll
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32regc64.dll
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32newsd32.exe
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32msvchost.exe
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32emesx.dll
2008-03-30 13:44:21 4096 --a------ C:\Documents and Settings\KELLY\DesktopFWebdEditor.exe
2008-03-30 13:44:21 4096 --a------ C:\Documents and Settings\KELLY\Desktopfwebd.exe
2008-03-30 13:44:21 4096 --a------ C:\Documents and Settings\KELLY\Desktopfilemanagerclient.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\winsystem.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32WINWGPX.EXE
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32winsystem.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32vcatchpi.dll
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32vbsys2.dll
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32sysreq.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32mssecu.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32bdn.com
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32awtoolb.dll
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32anticipator.dll
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32akttzn.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\mssecu.exe
2008-03-30 13:44:20 0 d-------- C:\WINDOWS\mslagent
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\bdn.com
2008-03-30 13:44:19 0 d-------- C:\Program Files\akl
2008-03-30 13:44:05 151552 --a------ C:\WINDOWS\stfngdvw.dll
2008-03-30 13:44:03 81920 --a------ C:\WINDOWS\dwltqnmx.exe
2008-03-30 13:43:44 0 d-------- C:\Documents and Settings\All Users\Application Data\ynqbybkv
2008-03-30 13:43:42 94208 --a------ C:\WINDOWS\System32\olgzwpav.exe


-- Find3M Report ---------------------------------------------------------------

2008-03-30 19:27:50 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-03-30 19:26:10 0 d-------- C:\Program Files\Common Files
2008-03-30 19:18:55 15872 --a------ C:\WINDOWS\System32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-30 18:36:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 15:00:01 0 d-------- C:\Program Files\Norton Security Scan
2008-03-03 21:25:39 0 d-------- C:\Program Files\Google
2008-03-02 07:33:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-02 07:32:02 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-01 10:18:15 0 d-------- C:\Program Files\Macrogaming
2008-02-25 18:16:58 0 d-------- C:\Program Files\Labpixies
2008-02-25 18:16:57 0 d-------- C:\Program Files\Conduit


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
03/30/2008 07:14 PM 346112 --------- C:\WINDOWS\system32\ljjjkih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D6B7455-8C49-4D8B-82CC-69DDA514DC51}]
03/30/2008 07:21 PM 298048 --a------ C:\WINDOWS\System32\gebyx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 04:19 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 04:07 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 11:47 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/02/2003 03:11 PM]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [12/02/2003 03:11 PM]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [07/03/1998 11:51 AM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [07/25/2002 05:20 PM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [05/07/2005 12:06 PM]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [11/02/2004 03:59 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 01:01 AM]
"autoload"="C:\Documents and Settings\GRANT\Local Settings\Application Data\cftmon.exe" [04/05/2008 11:37 AM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/29/2002 09:00 AM]
"typeconf"="lpt.exe" []
"ffnbnrrr"="C:\WINDOWS\TEMP\rbnnbrfjrfj.drv WLEntryPoint" []
"Printer"="C:\WINDOWS\System32\printer.exe" [08/04/2005 03:01 AM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/05/2008 11:37 AM]
"braviax"="braviax.exe" [04/05/2008 12:48 PM C:\WINDOWS\SYSTEM32\braviax.exe]
"SDFix"="C:\SDFix\RunThis.bat /second" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [08/04/2005 03:01 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SDFix"=C:\SDFix\RunThis.bat /second

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"autoload"=C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:00:00 PM]
findfast.exe [8/9/2005 3:06:05 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autorun.exe [8/9/2005 3:13:14 PM]
DESKTOP.INI [9/3/2002 1:00:00 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [12/6/2003 5:19:20 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/6/2007 5:22:28 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [9/16/2002 3:42:06 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [12/29/2003 2:18:33 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"09jCoBDpfs"=C:\Documents and Settings\All Users\Application Data\ojylihuf\sxoraluj.exe
"ormhsjip"=rundll32.exe "C:\WINDOWS\System32\knqhsfehoj.dll" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"= C:\WINDOWS\System32\H4dj24g.dll [ ]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"= C:\WINDOWS\System32\Kf9467g.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\ljjjkih.dll [03/30/2008 07:14 PM 346112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckWeb"= {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll [03/30/2008 07:13 PM 261632]
"DUJGwmPoeHjp"= {C495E10C-6E3F-4BA6-B7BC-B3D8ABE0F358} - C:\WINDOWS\System32\ejhcxr.dll [08/29/2002 09:00 AM 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lcritcjmhof]
lcritcjmhof.dll 08/29/2002 09:00 AM 113664 C:\WINDOWS\SYSTEM32\lcritcjmhof.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkih]
ljjjkih.dll 03/30/2008 07:14 PM 346112 C:\WINDOWS\SYSTEM32\ljjjkih.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll 03/30/2008 07:14 PM 13587 C:\Documents and Settings\All Users\Documents\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 04/05/2008 12:48 PM 10752 C:\WINDOWS\SYSTEM32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\gebyx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chl61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^shqf.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shqf.exe
backup=C:\WINDOWS\pss\shqf.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^GRANT^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\GRANT\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
"fasd387.exe"/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awpbrtxh]
C:\WINDOWS\system32\xoxibqrw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bnjnjrfb]
rundll32.exe "C:\WINDOWS\TEMP\fmlcjqhgfqd.drv" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\br0ken]
slamm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
C:\WINDOWS\System32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fjnfrn]
rundll32.exe "C:\WINDOWS\TEMP\jjbjjrrb.dll" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhjg5jfd93dftdf]
C:\WINDOWS\TEMP\winlogan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\install2]
xwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\killall]
Brong32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMsgSvc]
C:\WINDOWS\System\MSMSGSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmtcbmpc]
rundll32.exe "C:\WINDOWS\TEMP\fmlcjqhgfqd.drv" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\System32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\System32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysmon12]
scanSYS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnSpyPC]
"C:\Program Files\UnSpyPC\UnSpyPC.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235}]
C:\WINDOWS\System32\tcpdiss.exe /r



-- End of Deckard's System Scanner: finished at 2008-04-05 13:18:24 ------------

====================================================================================================

Deckard's System Scanner v20071014.68
Run by GRANT on 2008-04-05 15:21:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 85% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as GRANT.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-05 15:25:10
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\CSRSS.EXE
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DRIVERS\dcfssvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Canon\MultiPASS4\mpservic.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\GRANT\Local Settings\Application Data\cftmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Documents and Settings\GRANT\Local Settings\Application Data\cftmon.exe
C:\Program Files\HijackThis\dss2.exe
C:\Program Files\HijackThis\GRANT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: (no name) - {F1652A7A-00FA-A8D6-1B2B-86D2EE1618B5} - WhatsNewBot.dll (file missing)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O1 - Hosts: 10.18.250.4 ad.doubleclick.net
O1 - Hosts: 10.18.250.4 ad.fastclick.net
O1 - Hosts: 10.18.250.4 ads.fastclick.net
O1 - Hosts: 10.18.250.4 ar.atwola.com
O1 - Hosts: 10.18.250.4 atdmt.com
O1 - Hosts: 10.18.250.4 avp.ch
O1 - Hosts: 10.18.250.4 avp.com
O1 - Hosts: 10.18.250.4 avp.ru
O1 - Hosts: 10.18.250.4 awaps.net
O1 - Hosts: 10.18.250.4 banner.fastclick.net
O1 - Hosts: 10.18.250.4 banners.fastclick.net
O1 - Hosts: 10.18.250.4 ca.com
O1 - Hosts: 10.18.250.4 click.atdmt.com
O1 - Hosts: 10.18.250.4 clicks.atdmt.com
O1 - Hosts: 10.18.250.4 customer.symantec.com
O1 - Hosts: 10.18.250.4 dispatch.mcafee.com
O1 - Hosts: 10.18.250.4 download.mcafee.com
O1 - Hosts: 10.18.250.4 download.microsoft.com
O1 - Hosts: 10.18.250.4 downloads-us1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads.microsoft.com
O1 - Hosts: 10.18.250.4 downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 engine.awaps.net
O1 - Hosts: 10.18.250.4 f-secure.com
O1 - Hosts: 10.18.250.4 fastclick.net
O1 - Hosts: 10.18.250.4 ftp.avp.ch
O1 - Hosts: 10.18.250.4 ftp.downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.f-secure.com
O1 - Hosts: 10.18.250.4 ftp.kasperskylab.ru
O1 - Hosts: 10.18.250.4 ftp.sophos.com
O1 - Hosts: 10.18.250.4 go.microsoft.com
O1 - Hosts: 10.18.250.4 ids.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky.com
O1 - Hosts: 10.18.250.4 liveupdate.symantec.com
O1 - Hosts: 10.18.250.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 10.18.250.4 mast.mcafee.com
O1 - Hosts: 10.18.250.4 mcafee.com
O1 - Hosts: 10.18.250.4 media.fastclick.net
O1 - Hosts: 10.18.250.4 microsoft.com
O1 - Hosts: 10.18.250.4 msdn.microsoft.com
O1 - Hosts: 10.18.250.4 my-etrust.com
O1 - Hosts: 10.18.250.4 nai.com
O1 - Hosts: 10.18.250.4 networkassociates.com
O1 - Hosts: 10.18.250.4 norton.com
O1 - Hosts: 10.18.250.4 office.microsoft.com
O1 - Hosts: 10.18.250.4 pandasoftware.com
O1 - Hosts: 10.18.250.4 phx.corporate-ir.net
O1 - Hosts: 10.18.250.4 rads.mcafee.com
O1 - Hosts: 10.18.250.4 secure.nai.com
O1 - Hosts: 10.18.250.4 securityresponse.symantec.com
O1 - Hosts: 10.18.250.4 service1.symantec.com
O1 - Hosts: 10.18.250.4 sophos.com
O1 - Hosts: 10.18.250.4 spd.atdmt.com
O1 - Hosts: 10.18.250.4 support.microsoft.com
O1 - Hosts: 10.18.250.4 symantec.com
O1 - Hosts: 10.18.250.4 trendmicro.com
O1 - Hosts: 10.18.250.4 update.symantec.com
O1 - Hosts: 10.18.250.4 updates.symantec.com
O1 - Hosts: 10.18.250.4 updates1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates5.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 us.mcafee.com
O1 - Hosts: 10.18.250.4 vil.nai.com
O1 - Hosts: 10.18.250.4 viruslist.com
O1 - Hosts: 10.18.250.4 viruslist.ru
O1 - Hosts: 10.18.250.4 virusscan.jotti.org
O1 - Hosts: 10.18.250.4 virustotal.com
O1 - Hosts: 10.18.250.4 windowsupdate.microsoft.com
O1 - Hosts: 10.18.250.4 www.avp.ch
O1 - Hosts: 10.18.250.4 www.avp.com
O1 - Hosts: 10.18.250.4 www.avp.ru
O1 - Hosts: 10.18.250.4 www.awaps.net
O1 - Hosts: 10.18.250.4 www.ca.com
O1 - Hosts: 10.18.250.4 www.f-secure.com
O1 - Hosts: 10.18.250.4 www.fastclick.net
O1 - Hosts: 10.18.250.4 www.grisoft.com
O1 - Hosts: 10.18.250.4 www.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 www.kaspersky.com
O1 - Hosts: 10.18.250.4 www.kaspersky.ru
O1 - Hosts: 10.18.250.4 www.mcafee.com
O1 - Hosts: 10.18.250.4 www.microsoft.com
O1 - Hosts: 10.18.250.4 www.my-etrust.com
O1 - Hosts: 10.18.250.4 www.nai.com
O1 - Hosts: 10.18.250.4 www.networkassociates.com
O1 - Hosts: 10.18.250.4 www.pandasoftware.com
O1 - Hosts: 10.18.250.4 www.sophos.com
O1 - Hosts: 10.18.250.4 www.symantec.com
O1 - Hosts: 10.18.250.4 www.trendmicro.com
O1 - Hosts: 10.18.250.4 www.viruslist.com
O1 - Hosts: 10.18.250.4 www.viruslist.ru
O1 - Hosts: 10.18.250.4 www.virustotal.com
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\SYSTEM32\ljjjkih.dll
O2 - BHO: (no name) - {BA453331-C988-49EA-AD9F-F8B58A28219A} - C:\WINDOWS\SYSTEM32\gebyx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Labpixies Toolbar - {03e037d3-f080-4c0b-bdb5-a70c693ae36d} - C:\Program Files\Labpixies\tbLabp.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [typeconf] lpt.exe
O4 - HKLM\..\Run: [ffnbnrrr] rundll32.exe "C:\WINDOWS\TEMP\rbnnbrfjrfj.drv" WLEntryPoint
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\GRANT\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\GRANT\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [09jCoBDpfs] C:\Documents and Settings\All Users\Application Data\ojylihuf\sxoraluj.exe
O4 - HKLM\..\Policies\Explorer\Run: [ormhsjip] rundll32.exe "C:\WINDOWS\System32\knqhsfehoj.dll" WLEntryPoint
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'Default user')
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\SYSTEM32\epobador.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/a-UNO1/GAME_UNO1.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/D...h2.1.0.0.68.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...37995.613587963
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/cinematycoon.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - http://ptcnz.tcnz.motive.com/lwp/static/in...aller_4-2-0.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{6DBC48F4-8269-4B48-BF85-E4C93A446BAA}: NameServer = 85.255.113.126,85.255.112.102
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: lcritcjmhof - C:\WINDOWS\System32\lcritcjmhof.dll
O20 - Winlogon Notify: ljjjkih - C:\WINDOWS\System32\ljjjkih.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\System32\WLCtrl32.dll
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\SYSTEM32\cryper.dll
O21 - SSODL: DUJGwmPoeHjp - {C495E10C-6E3F-4BA6-B7BC-B3D8ABE0F358} - C:\WINDOWS\SYSTEM32\ejhcxr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\SYSTEM32\DRIVERS\dcfssvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\mpservic.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Service Messenger Sharing Folders USN Journal Reader (usnjsvc) - Unknown owner - C:\Program Files\MSN
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 18515 bytes

-- Files created between 2008-03-05 and 2008-04-05 -----------------------------

2008-04-05 15:13:00 66178 ---hs---- C:\WINDOWS\System32\drivers\spools.exe
2008-04-05 14:43:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-04-05 11:46:27 0 d-------- C:\WINDOWS\ERUNT
2008-04-05 11:37:18 5120 --a------ C:\Documents and Settings\GRANT\ftpdll.dll
2008-04-05 10:59:20 16896 --a------ C:\WINDOWS\System32\braviax.exe
2008-04-05 10:56:20 9728 --a------ C:\WINDOWS\System32\spoolvs.exe
2008-04-05 10:50:20 9728 --a------ C:\WINDOWS\System32\printer.exe
2008-04-05 10:44:09 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-05 10:43:58 0 d-------- C:\Program Files\Security Task Manager
2008-04-02 23:50:59 0 d-------- C:\VundoFix Backups
2008-04-02 22:30:01 9728 --a------ C:\WINDOWS\shell.exe
2008-04-02 21:30:57 172 --a------ C:\Documents and Settings\KELLY\delself.bat
2008-04-02 21:30:18 0 d-------- C:\Documents and Settings\All Users\Application Data\ojylihuf
2008-04-02 20:28:48 3608 --a------ C:\WINDOWS\System32\tmp.reg
2008-04-02 20:25:51 0 d-------- C:\temp
2008-04-02 19:51:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-02 19:42:37 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-02 19:42:37 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-02 19:42:36 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-01 18:22:09 0 --a------ C:\WINDOWS\System32\dllgh8jkd1q8.exe
2008-03-31 22:09:14 0 d-------- C:\Documents and Settings\All Users\Application Data\wtwxqlqf
2008-03-31 21:40:25 0 d-------- C:\Documents and Settings\All Users\Application Data\yvoxshwb
2008-03-31 19:18:59 5120 --a------ C:\Documents and Settings\BRIAR\ftpdll.dll
2008-03-31 18:23:13 0 d-------- C:\Documents and Settings\All Users\Application Data\ulcpirqv
2008-03-31 18:20:43 172 --a------ C:\Documents and Settings\BRIAR\delself.bat
2008-03-31 17:38:56 0 d-------- C:\Documents and Settings\All Users\Application Data\erifwfah
2008-03-31 14:07:53 172 --a------ C:\Documents and Settings\MORGAN\delself.bat
2008-03-31 14:07:45 5120 --a------ C:\Documents and Settings\MORGAN\ftpdll.dll
2008-03-31 13:06:33 6656 --a------ C:\WINDOWS\System32\univrs32.dat
2008-03-30 19:57:03 13886 --a------ C:\WINDOWS\System32\dllgh8jkd1q7.exe
2008-03-30 19:56:44 13450 --a------ C:\WINDOWS\System32\dllgh8jkd1q6.exe
2008-03-30 19:56:28 13682 --a------ C:\WINDOWS\System32\dllgh8jkd1q5.exe
2008-03-30 19:56:04 28022 --a------ C:\WINDOWS\System32\dllgh8jkd1q2.exe
2008-03-30 19:56:03 63959 --a------ C:\WINDOWS\System32\winivstr.exe
2008-03-30 19:55:59 0 d-------- C:\Documents and Settings\All Users\Application Data\tmngxwlc
2008-03-30 19:33:41 0 d-------- C:\Documents and Settings\All Users\Application Data\hmlwfqrm
2008-03-30 19:31:55 6144 --a------ C:\WINDOWS\System32\cru629.dat
2008-03-30 19:31:55 6144 --a------ C:\WINDOWS\cru629.dat
2008-03-30 19:31:55 16896 --a------ C:\WINDOWS\braviax.exe
2008-03-30 19:26:44 172 --a------ C:\Documents and Settings\GRANT\delself.bat
2008-03-30 19:25:36 6730 --ahs---- C:\WINDOWS\System32\xybeg.ini2
2008-03-30 19:22:08 18944 --a------ C:\Documents and Settings\LocalService\Application Data\nvsvc1024.dll
2008-03-30 19:22:05 12234 --a------ C:\WINDOWS\System32\dllgh8jkd1q1.exe
2008-03-30 19:21:35 298048 --a------ C:\WINDOWS\System32\gebyx.dll
2008-03-30 19:19:53 19584 --a------ C:\WINDOWS\System32\drivers\yjzeyfzt.dat
2008-03-30 19:19:23 44 --a------ C:\WINDOWS\System32\p2hhr.bat
2008-03-30 19:19:21 8704 --a------ C:\WINDOWS\System32\drivers\smss.exe
2008-03-30 19:19:03 16848 --a------ C:\WINDOWS\System32\wind32.exe
2008-03-30 19:19:03 3584 --a------ C:\1.dll
2008-03-30 19:19:00 9728 --a------ C:\findfast.exe
2008-03-30 19:18:46 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-30 19:18:16 9728 --a------ C:\Documents and Settings\LocalService\Application Data\printer.exe
2008-03-30 19:17:42 10 --a------ C:\WINDOWS\System32\kr_done1
2008-03-30 19:16:31 262144 --a------ C:\WINDOWS\System32\wlogon32.dll
2008-03-30 19:15:25 25472 --a------ C:\WINDOWS\System32\drivers\Chl61.sys
2008-03-30 19:15:23 10752 --a------ C:\WINDOWS\System32\WLCtrl32.dll
2008-03-30 19:15:16 5120 --a------ C:\WINDOWS\System32\ftpdll.dll
2008-03-30 19:15:15 5120 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-03-30 19:14:34 444416 --a------ C:\autoex.dll
2008-03-30 19:14:25 346112 -----n--- C:\WINDOWS\System32\ljjjkih.dll
2008-03-30 19:14:00 705 --a------ C:\d.exe
2008-03-30 19:13:55 2 --a------ C:\-996810485
2008-03-30 19:13:42 6144 --a------ C:\rhvetm.exe
2008-03-30 19:13:37 261632 --a------ C:\WINDOWS\System32\cryper.dll
2008-03-30 19:11:07 3025 --a------ C:\Documents and Settings\GRANT\ie_updates3r.exe
2008-03-30 18:37:53 4096 --a------ C:\Documents and Settings\GRANT\Desktopfilemanagerclient.exe
2008-03-30 18:37:48 4096 --a------ C:\Documents and Settings\GRANT\DesktopFWebdEditor.exe
2008-03-30 18:37:48 4096 --a------ C:\Documents and Settings\GRANT\Desktopfwebd.exe
2008-03-30 15:39:11 4096 --a------ C:\Documents and Settings\MORGAN\Desktopfilemanagerclient.exe
2008-03-30 15:39:10 4096 --a------ C:\Documents and Settings\MORGAN\DesktopFWebdEditor.exe
2008-03-30 15:39:10 4096 --a------ C:\Documents and Settings\MORGAN\Desktopfwebd.exe
2008-03-30 15:38:41 106496 --a------ C:\WINDOWS\System32\xwzgfozm.exe
2008-03-30 15:17:37 88064 --a------ C:\WINDOWS\System32\ATKCTR.dll
2008-03-30 13:44:25 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-03-30 13:44:25 4096 --a------ C:\WINDOWS\System32winlogonpc.exe
2008-03-30 13:44:25 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\System32taack.exe
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\System32sncntr.exe
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\System32mwin32.exe
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\System32hoproxy.dll
2008-03-30 13:44:24 4096 --a------ C:\WINDOWS\a.bat
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32taack.dat
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32ssurf022.dll
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32psoft1.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32psof1.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32ps1.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32msnbho.dll
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32medup020.dll
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32hxiwlgpm.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32hxiwlgpm.dat
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\System32bsva-egihsg52.exe
2008-03-30 13:44:23 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32temp#01.exe
2008-03-30 13:44:22 0 d-------- C:\WINDOWS\System32smp
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32netode.exe
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32mtr2.exe
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32msgp.exe
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32medup012.dll
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32h@tkeysh@@k.dll
2008-03-30 13:44:22 4096 --a------ C:\WINDOWS\System32dpcproxy.exe
2008-03-30 13:44:22 0 d-------- C:\Program Files\Inet Delivery
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32thun32.dll
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32thun.dll
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32ssvchost.exe
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32ssvchost.com
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32Rundl1.exe
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32regm64.dll
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32regc64.dll
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32newsd32.exe
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32msvchost.exe
2008-03-30 13:44:21 4096 --a------ C:\WINDOWS\System32emesx.dll
2008-03-30 13:44:21 4096 --a------ C:\Documents and Settings\KELLY\DesktopFWebdEditor.exe
2008-03-30 13:44:21 4096 --a------ C:\Documents and Settings\KELLY\Desktopfwebd.exe
2008-03-30 13:44:21 4096 --a------ C:\Documents and Settings\KELLY\Desktopfilemanagerclient.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\winsystem.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32WINWGPX.EXE
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32winsystem.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32vcatchpi.dll
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32vbsys2.dll
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32sysreq.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32mssecu.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32bdn.com
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32awtoolb.dll
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32anticipator.dll
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\System32akttzn.exe
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\mssecu.exe
2008-03-30 13:44:20 0 d-------- C:\WINDOWS\mslagent
2008-03-30 13:44:20 4096 --a------ C:\WINDOWS\bdn.com
2008-03-30 13:44:19 0 d-------- C:\Program Files\akl
2008-03-30 13:44:05 151552 --a------ C:\WINDOWS\stfngdvw.dll
2008-03-30 13:44:03 81920 --a------ C:\WINDOWS\dwltqnmx.exe
2008-03-30 13:43:44 0 d-------- C:\Documents and Settings\All Users\Application Data\ynqbybkv
2008-03-30 13:43:42 94208 --a------ C:\WINDOWS\System32\olgzwpav.exe


-- Find3M Report ---------------------------------------------------------------

2008-03-30 19:27:50 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-03-30 19:26:10 0 d-------- C:\Program Files\Common Files
2008-03-30 19:18:55 15872 --a------ C:\WINDOWS\System32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-30 18:36:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 15:00:01 0 d-------- C:\Program Files\Norton Security Scan
2008-03-10 18:47:57 95688 --a------ C:\Documents and Settings\GRANT\Application Data\GDIPFONTCACHEV1.DAT
2008-03-03 21:25:39 0 d-------- C:\Program Files\Google
2008-03-02 07:33:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-02 07:32:02 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-01 10:18:15 0 d-------- C:\Program Files\Macrogaming
2008-02-25 18:16:58 0 d-------- C:\Program Files\Labpixies
2008-02-25 18:16:57 0 d-------- C:\Program Files\Conduit
2008-02-23 16:53:26 0 d-------- C:\Documents and Settings\GRANT\Application Data\Macromedia
2008-02-16 13:22:55 0 d-------- C:\Documents and Settings\GRANT\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
03/30/2008 07:14 PM 346112 --------- C:\WINDOWS\system32\ljjjkih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA453331-C988-49EA-AD9F-F8B58A28219A}]
03/30/2008 07:21 PM 298048 --a------ C:\WINDOWS\System32\gebyx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 04:19 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 04:07 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 11:47 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/02/2003 03:11 PM]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [12/02/2003 03:11 PM]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [07/03/1998 11:51 AM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [07/25/2002 05:20 PM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [05/07/2005 12:06 PM]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [11/02/2004 03:59 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 01:01 AM]
"typeconf"="lpt.exe" []
"ffnbnrrr"="C:\WINDOWS\TEMP\rbnnbrfjrfj.drv WLEntryPoint" []
"Printer"="C:\WINDOWS\System32\printer.exe" [08/05/2005 03:39 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/05/2008 03:13 PM]
"autoload"="C:\Documents and Settings\GRANT\Local Settings\Application Data\cftmon.exe" [04/05/2008 11:37 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/06/2007 05:22 PM]
"Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [08/05/2005 03:39 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/05/2008 03:13 PM]
"autoload"="C:\Documents and Settings\GRANT\Local Settings\Application Data\cftmon.exe" [04/05/2008 11:37 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"autoload"=C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe

C:\Documents and Settings\GRANT\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:00:00 PM]
findfast.exe [8/10/2005 3:03:53 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autorun.exe [8/10/2005 3:03:53 AM]
DESKTOP.INI [9/3/2002 1:00:00 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [12/6/2003 5:19:20 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/6/2007 5:22:28 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [9/16/2002 3:42:06 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [12/29/2003 2:18:33 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"09jCoBDpfs"=C:\Documents and Settings\All Users\Application Data\ojylihuf\sxoraluj.exe
"ormhsjip"=rundll32.exe "C:\WINDOWS\System32\knqhsfehoj.dll" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=1 (0x1)
"NoControlPanel"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoFolderOptions"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\ljjjkih.dll [03/30/2008 07:14 PM 346112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckWeb"= {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll [03/30/2008 07:13 PM 261632]
"DUJGwmPoeHjp"= {C495E10C-6E3F-4BA6-B7BC-B3D8ABE0F358} - C:\WINDOWS\system32\ejhcxr.dll [08/29/2002 09:00 AM 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lcritcjmhof]
lcritcjmhof.dll 08/29/2002 09:00 AM 113664 C:\WINDOWS\SYSTEM32\lcritcjmhof.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkih]
ljjjkih.dll 03/30/2008 07:14 PM 346112 C:\WINDOWS\SYSTEM32\ljjjkih.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll 03/30/2008 07:14 PM 13587 C:\Documents and Settings\All Users\Documents\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 04/05/2008 03:07 PM 10752 C:\WINDOWS\SYSTEM32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\gebyx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Chl61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^shqf.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shqf.exe
backup=C:\WINDOWS\pss\shqf.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^GRANT^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\GRANT\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
"fasd387.exe"/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awpbrtxh]
C:\WINDOWS\system32\xoxibqrw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bnjnjrfb]
rundll32.exe "C:\WINDOWS\TEMP\fmlcjqhgfqd.drv" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\br0ken]
slamm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
C:\WINDOWS\System32\braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fjnfrn]
rundll32.exe "C:\WINDOWS\TEMP\jjbjjrrb.dll" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhjg5jfd93dftdf]
C:\WINDOWS\TEMP\winlogan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\install2]
xwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\killall]
Brong32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMsgSvc]
C:\WINDOWS\System\MSMSGSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmtcbmpc]
rundll32.exe "C:\WINDOWS\TEMP\fmlcjqhgfqd.drv" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\System32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\System32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysmon12]
scanSYS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnSpyPC]
"C:\Program Files\UnSpyPC\UnSpyPC.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235}]
C:\WINDOWS\System32\tcpdiss.exe /r



-- End of Deckard's System Scanner: finished at 2008-04-05 15:28:50 ------------

Edited by Korpse, 05 April 2008 - 02:14 AM.



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 April 2008 - 06:02 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
You've got a load of malware there my friend.

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Korpse

Korpse
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Male
  • Location:New Zealand

Posted 05 April 2008 - 06:53 PM

Hi Sam, thanks for helping! Yeah, there is a heap of stuff in there; glad it's not my computer...

ComboFix log:

ComboFix 08-04-03.5 - GRANT 2008-04-06 12:31:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.99 [GMT 12:00]
Running from: C:\DOCUME~1\GRANT\Desktop\COMBOF~1.EXE
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\BEEP.SYS
C:\1.dll
C:\36110103225.exe
C:\autoex.dll
C:\d.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\config.ini
C:\Documents and Settings\All Users.\documents\settings\partnership.dll
C:\Documents and Settings\BRIAR\Desktop\Error Cleaner.url
C:\Documents and Settings\BRIAR\Desktop\Privacy Protector.url
C:\Documents and Settings\BRIAR\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\BRIAR\Favorites\Error Cleaner.url
C:\Documents and Settings\BRIAR\Favorites\Privacy Protector.url
C:\Documents and Settings\BRIAR\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\BRIAR\ftpdll.dll
C:\Documents and Settings\BRIAR\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\BRIAR\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\GRANT\Desktopblackbird.jpg
C:\Documents and Settings\GRANT\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\GRANT\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\GRANT\Desktopfilemanagerclient.exe
C:\Documents and Settings\GRANT\Desktopfkwp1.5.exe
C:\Documents and Settings\GRANT\Desktopfkwp2.0.exe
C:\Documents and Settings\GRANT\Desktopfwebd.exe
C:\Documents and Settings\GRANT\DesktopFWebdEditor.exe
C:\Documents and Settings\GRANT\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\GRANT\Favorites\Error Cleaner.url
C:\Documents and Settings\GRANT\Favorites\Privacy Protector.url
C:\Documents and Settings\GRANT\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\GRANT\ftpdll.dll
C:\Documents and Settings\KELLY\Desktop\Error Cleaner.url
C:\Documents and Settings\KELLY\Desktop\Privacy Protector.url
C:\Documents and Settings\KELLY\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\KELLY\Favorites\Error Cleaner.url
C:\Documents and Settings\KELLY\Favorites\Privacy Protector.url
C:\Documents and Settings\KELLY\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\KELLY\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\LocalService\Application Data\printer.exe
C:\Documents and Settings\LocalService\ftpdll.dll
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\MORGAN\Desktop\Error Cleaner.url
C:\Documents and Settings\MORGAN\Desktop\Privacy Protector.url
C:\Documents and Settings\MORGAN\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\MORGAN\Desktopblackbird.jpg
C:\Documents and Settings\MORGAN\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\MORGAN\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\MORGAN\Desktopfilemanagerclient.exe
C:\Documents and Settings\MORGAN\Desktopfkwp1.5.exe
C:\Documents and Settings\MORGAN\Desktopfkwp2.0.exe
C:\Documents and Settings\MORGAN\Desktopfwebd.exe
C:\Documents and Settings\MORGAN\DesktopFWebdEditor.exe
C:\Documents and Settings\MORGAN\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\MORGAN\Favorites\Error Cleaner.url
C:\Documents and Settings\MORGAN\Favorites\Privacy Protector.url
C:\Documents and Settings\MORGAN\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\MORGAN\ftpdll.dll
C:\Documents and Settings\MORGAN\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\MORGAN\Start Menu\Programs\Startup\findfast.exe
C:\findfast.exe
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\dwltqnmx.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\stfngdvw.dll
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\Chl61.sys
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\QRJP57.sys
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\yjzeyfzt.dat
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\system32\gebyx.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\lcritcjmhof.dll
C:\WINDOWS\system32\ljjjkih.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\wind32.exe
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\wlogon32.dll
C:\WINDOWS\SYSTEM32\xybeg.ini
C:\WINDOWS\SYSTEM32\xybeg.ini2
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CHL61
-------\Legacy_CMDSERVICE
-------\Legacy_ICF
-------\Legacy_IICZVFAX
-------\Legacy_NETWORK_MONITOR
-------\Legacy_QRJP57
-------\Service_Chl61
-------\Service_iiczvfax
-------\Service_oqtxde
-------\Service_Qrjp57
-------\Service_QRJP57
-------\Legacy_Schedule
-------\Schedule


((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-06 12:44 . 2008-04-06 12:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-06 12:44 . 2008-04-06 12:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-05 12:52 . 2008-04-05 12:52 <DIR> d-------- C:\Deckard
2008-04-05 12:51 . 2008-04-05 11:58 1,308,216 --a------ C:\temp\HiJackThis_v2.exe
2008-04-05 11:58 . 2008-04-05 10:54 113,664 --a------ C:\WINDOWS\SYSTEM32\fnrjfrjn.nls
2008-04-05 11:46 . 2008-04-05 11:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-05 11:45 . 2008-04-05 14:51 <DIR> d-------- C:\SDFix
2008-04-05 10:44 . 2008-04-05 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-05 10:43 . 2008-04-05 14:43 <DIR> d-------- C:\Program Files\Security Task Manager
2008-04-02 23:50 . 2008-04-05 10:39 <DIR> d-------- C:\VundoFix Backups
2008-04-02 21:30 . 2008-04-02 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ojylihuf
2008-04-02 20:28 . 2008-04-02 22:20 3,608 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-02 20:26 . 2008-04-02 20:41 <DIR> d-------- C:\temp\SmitfraudFix
2008-04-02 20:26 . 2007-11-01 11:42 1,039,436 --a------ C:\temp\SmitfraudFix.exe
2008-04-02 20:26 . 2007-12-13 21:43 168,592 --a------ C:\temp\FxVMonde.exe
2008-04-02 20:26 . 2007-12-15 12:23 130,048 --a------ C:\temp\VundoFix.exe
2008-04-02 20:25 . 2008-04-05 12:54 <DIR> d-------- C:\temp
2008-04-02 19:51 . 2008-04-02 23:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 19:51 . 2008-04-02 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:42 . 2003-12-06 17:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-02 19:42 . 2003-12-06 17:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-31 22:09 . 2008-04-02 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wtwxqlqf
2008-03-31 21:40 . 2008-03-31 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yvoxshwb
2008-03-31 18:23 . 2008-03-31 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ulcpirqv
2008-03-31 18:20 . 2008-04-01 18:22 172 --a------ C:\Documents and Settings\BRIAR\delself.bat
2008-03-31 17:38 . 2008-03-31 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\erifwfah
2008-03-31 14:07 . 2008-03-31 14:07 172 --a------ C:\Documents and Settings\MORGAN\delself.bat
2008-03-31 13:06 . 2008-04-06 12:24 6,656 --a------ C:\WINDOWS\SYSTEM32\univrs32.dat
2008-03-30 19:55 . 2008-03-31 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tmngxwlc
2008-03-30 19:33 . 2008-03-30 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hmlwfqrm
2008-03-30 19:26 . 2008-04-06 10:12 172 --a------ C:\Documents and Settings\GRANT\delself.bat
2008-03-30 19:22 . 2008-03-30 19:22 18,944 --a------ C:\Documents and Settings\LocalService\Application Data\nvsvc1024.dll
2008-03-30 19:19 . 2008-03-30 19:18 8,704 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\smss.exe
2008-03-30 19:19 . 2008-03-30 19:19 44 --a------ C:\WINDOWS\SYSTEM32\p2hhr.bat
2008-03-30 19:13 . 2008-03-30 19:13 261,632 --a------ C:\WINDOWS\SYSTEM32\cryper.dll
2008-03-30 19:13 . 2008-03-30 19:13 6,144 --a------ C:\rhvetm.exe
2008-03-30 19:13 . 2008-03-30 19:13 29 --a------ C:\WINDOWS\SYSTEM32\fywdihsu.tmp
2008-03-30 19:13 . 2008-03-30 19:21 2 --a------ C:\-996810485
2008-03-30 19:11 . 2008-03-30 19:11 3,025 --a------ C:\Documents and Settings\GRANT\ie_updates3r.exe
2008-03-30 19:11 . 2008-03-30 19:53 509 --a------ C:\WINDOWS\SYSTEM32\winlogans.tmp
2008-03-30 15:38 . 2008-03-30 15:38 106,496 --a------ C:\WINDOWS\SYSTEM32\xwzgfozm.exe
2008-03-30 15:17 . 2002-08-29 09:00 88,064 --a------ C:\WINDOWS\SYSTEM32\ATKCTR.dll
2008-03-30 13:43 . 2008-03-30 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ynqbybkv
2008-03-30 13:43 . 2008-03-30 13:43 94,208 --a------ C:\WINDOWS\SYSTEM32\olgzwpav.exe
2008-03-22 12:36 . 2008-03-22 12:36 9,216 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-03-15 11:07 . 2008-03-15 11:07 244 --ah----- C:\sqmnoopt00.sqm
2008-03-15 11:07 . 2008-03-15 11:07 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 00:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-06 00:44 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-03-30 07:18 15,872 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe
2008-03-28 03:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-03-26 08:34 93,328 ----a-w C:\Documents and Settings\MORGAN\Application Data\GDIPFONTCACHEV1.DAT
2008-03-10 06:47 95,688 ----a-w C:\Documents and Settings\GRANT\Application Data\GDIPFONTCACHEV1.DAT
2008-03-04 03:51 95,688 ----a-w C:\Documents and Settings\KELLY\Application Data\GDIPFONTCACHEV1.DAT
2008-03-03 09:25 --------- d-----w C:\Program Files\Google
2008-03-01 20:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-03-01 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-03-01 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 19:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-29 22:18 --------- d-----w C:\Program Files\Macrogaming
2008-02-25 06:16 --------- d-----w C:\Program Files\Labpixies
2008-02-25 06:16 --------- d-----w C:\Program Files\Conduit
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\3.dat
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\2.dat
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\1.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\3.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\2.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\1.dat
2003-12-06 05:22 32 --sha-w C:\WINDOWS\{BC97D1C7-892B-48F7-A29C-08FACD8B3C90}.dat
2003-12-06 05:22 32 --sha-w C:\WINDOWS\SYSTEM32\{53D96304-E5AA-4034-85D9-2B1DA0F31E91}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{03E037D3-F080-4C0B-BDB5-A70C693AE36D}"= "C:\Program Files\Labpixies\tbLabp.dll" [2008-02-14 13:54 1555480]

[HKEY_CLASSES_ROOT\clsid\{03e037d3-f080-4c0b-bdb5-a70c693ae36d}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 17:22 68856]
"sysmon12"="scanSYS.exe" []
"Sonic RecordNow!"="" []
"MSMsgSvc"="C:\WINDOWS\System\MSMSGSVC.exe" [ ]
"Host"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 04:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 04:07 114688]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 23:47 204800]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 15:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 15:11 58392]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 11:51 25088]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 17:20 28672]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-07 12:06 100056]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59 218240]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"typeconf"="lpt.exe" []
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 19:15 103712]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35 473928]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 05:04 114741]
"braviax"="braviax.exe" []
"frrbnj"="C:\WINDOWS\TEMP\brbbjb.sys WLEntryPoint" [ ]
"nnjbfbrb"="C:\WINDOWS\TEMP\bbjbnj.dll" [2008-04-06 12:45 113664]
"nnnbnjbb"="C:\WINDOWS\TEMP\bbjbnj.dll" [2008-04-06 12:45 113664]

C:\Documents and Settings\KELLY\Start Menu\Programs\Startup\
OCRAWARE.lnk - C:\OPLIMIT\OCRAWARE.EXE [2004-01-19 11:29:10 51360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-12-06 17:19:20 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-06 17:22:28 125176]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 15:42:06 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2003-12-29 14:18:33 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"nbfbfffj"= rundll32.exe "C:\WINDOWS\System32\knqhsfehoj.dll" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckWeb"= {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\System32\cryper.dll [2008-03-30 19:13 261632]
"DUJGwmPoeHjp"= {C495E10C-6E3F-4BA6-B7BC-B3D8ABE0F358} - C:\WINDOWS\System32\ejhcxr.dll [2002-08-29 09:00 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3CODECA.ACM
"vidc.iv41"= ir41_32.dll
"VIDC.WMV3"= wmv9vcm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\System32\drivers\ATMhelpr.sys [1997-06-17 03:00]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235}]
C:\WINDOWS\System32\tcpdiss.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 20:53:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-03-28 03:55:37 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-03-30 05:50:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-30 06:36:05 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 April 2008 - 06:08 PM

Ready for the second round? :thumbsup:

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Folder::
C:\Program Files\Labpixies
C:\Documents and Settings\All Users\Application Data\ynqbybkv
C:\Documents and Settings\All Users\Application Data\tmngxwlc
C:\Documents and Settings\All Users\Application Data\hmlwfqrm
C:\Documents and Settings\All Users\Application Data\erifwfah
C:\Documents and Settings\All Users\Application Data\wtwxqlqf
C:\Documents and Settings\All Users\Application Data\yvoxshwb
C:\Documents and Settings\All Users\Application Data\ulcpirqv

File::
C:\Documents and Settings\MORGAN\delself.bat
C:\Documents and Settings\BRIAR\delself.bat
C:\WINDOWS\System32\tcpdiss.exe
C:\WINDOWS\System32\cryper.dll
C:\WINDOWS\System32\ejhcxr.dll
C:\WINDOWS\System32\knqhsfehoj.dll
C:\WINDOWS\SYSTEM32\olgzwpav.exe
C:\Documents and Settings\GRANT\ie_updates3r.exe
C:\WINDOWS\SYSTEM32\winlogans.tmp
C:\WINDOWS\SYSTEM32\xwzgfozm.exe
C:\WINDOWS\SYSTEM32\ATKCTR.dll
C:\rhvetm.exe
C:\WINDOWS\SYSTEM32\fywdihsu.tmp
C:\Documents and Settings\GRANT\delself.bat
C:\Documents and Settings\LocalService\Application Data\nvsvc1024.dll
C:\WINDOWS\SYSTEM32\DRIVERS\smss.exe
C:\WINDOWS\SYSTEM32\p2hhr.bat

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckWeb"=-
"DUJGwmPoeHjp"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"nbfbfffj"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"typeconf"=-
"braviax"=-
"frrbnj"=-
"nnjbfbrb"=-
"nnnbnjbb"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysmon12"=-
"MSMsgSvc"=-
"Host"=-
[-HKEY_CLASSES_ROOT\clsid\{03e037d3-f080-4c0b-bdb5-a70c693ae36d}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{03E037D3-F080-4C0B-BDB5-A70C693AE36D}"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Korpse

Korpse
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Male
  • Location:New Zealand

Posted 07 April 2008 - 04:19 AM

New ComboFix and HijackThis logs:
When ComboFix restarted after rebooting, there was the standard Windows "encountered a problem and was closed" dialogue for something called VFind, and then a message in the ComboFix window something like "temp2The specified file could not be found" - problems?

Lots of things are coming back ("Windows Explorer" and "My Computer" icons, being able to run ComboFix and DSS without having to rename them first), but there's still some strange stuff on there; I guess it's more than a simple one-step fix?

ComboFix log
ComboFix 08-04-03.5 - GRANT 2008-04-07 21:16:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.88 [GMT 12:00]
Running from: C:\DOCUME~1\GRANT\Desktop\COMBOF~1.EXE
Command switches used :: C:\Documents and Settings\GRANT\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\BRIAR\delself.bat
C:\Documents and Settings\GRANT\delself.bat
C:\Documents and Settings\GRANT\ie_updates3r.exe
C:\Documents and Settings\LocalService\Application Data\nvsvc1024.dll
C:\Documents and Settings\MORGAN\delself.bat
C:\rhvetm.exe
C:\WINDOWS\SYSTEM32\ATKCTR.dll
C:\WINDOWS\System32\cryper.dll
C:\WINDOWS\SYSTEM32\DRIVERS\smss.exe
C:\WINDOWS\System32\ejhcxr.dll
C:\WINDOWS\SYSTEM32\fywdihsu.tmp
C:\WINDOWS\System32\knqhsfehoj.dll
C:\WINDOWS\SYSTEM32\olgzwpav.exe
C:\WINDOWS\SYSTEM32\p2hhr.bat
C:\WINDOWS\System32\tcpdiss.exe
C:\WINDOWS\SYSTEM32\winlogans.tmp
C:\WINDOWS\SYSTEM32\xwzgfozm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\erifwfah
C:\Documents and Settings\All Users\Application Data\hmlwfqrm
C:\Documents and Settings\All Users\Application Data\tmngxwlc
C:\Documents and Settings\All Users\Application Data\ulcpirqv
C:\Documents and Settings\All Users\Application Data\wtwxqlqf
C:\Documents and Settings\All Users\Application Data\ynqbybkv
C:\Documents and Settings\All Users\Application Data\yvoxshwb
C:\Documents and Settings\BRIAR\delself.bat
C:\Documents and Settings\GRANT\delself.bat
C:\Documents and Settings\GRANT\ie_updates3r.exe
C:\Documents and Settings\LocalService\Application Data\nvsvc1024.dll
C:\Documents and Settings\MORGAN\delself.bat
C:\Program Files\Labpixies
C:\Program Files\Labpixies\INSTALL.LOG
C:\Program Files\Labpixies\tbLabp.dll
C:\Program Files\Labpixies\toolbar.cfg
C:\Program Files\Labpixies\UNWISE.EXE
C:\rhvetm.exe
C:\WINDOWS\SYSTEM32\ATKCTR.dll
C:\WINDOWS\System32\cryper.dll
C:\WINDOWS\SYSTEM32\DRIVERS\smss.exe
C:\WINDOWS\System32\ejhcxr.dll
C:\WINDOWS\SYSTEM32\fywdihsu.tmp
C:\WINDOWS\System32\knqhsfehoj.dll
C:\WINDOWS\SYSTEM32\olgzwpav.exe
C:\WINDOWS\SYSTEM32\p2hhr.bat
C:\WINDOWS\System32\tcpdiss.exe
C:\WINDOWS\SYSTEM32\winlogans.tmp
C:\WINDOWS\SYSTEM32\xwzgfozm.exe
.
---- Previous Run -------
.
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\BEEP.SYS
C:\1.dll
C:\36110103225.exe
C:\autoex.dll
C:\d.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\config.ini
C:\Documents and Settings\All Users.\documents\settings\partnership.dll
C:\Documents and Settings\BRIAR\Desktop\Error Cleaner.url
C:\Documents and Settings\BRIAR\Desktop\Privacy Protector.url
C:\Documents and Settings\BRIAR\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\BRIAR\Favorites\Error Cleaner.url
C:\Documents and Settings\BRIAR\Favorites\Privacy Protector.url
C:\Documents and Settings\BRIAR\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\BRIAR\ftpdll.dll
C:\Documents and Settings\BRIAR\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\BRIAR\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\GRANT\Desktopblackbird.jpg
C:\Documents and Settings\GRANT\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\GRANT\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\GRANT\Desktopfilemanagerclient.exe
C:\Documents and Settings\GRANT\Desktopfkwp1.5.exe
C:\Documents and Settings\GRANT\Desktopfkwp2.0.exe
C:\Documents and Settings\GRANT\Desktopfwebd.exe
C:\Documents and Settings\GRANT\DesktopFWebdEditor.exe
C:\Documents and Settings\GRANT\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\GRANT\Favorites\Error Cleaner.url
C:\Documents and Settings\GRANT\Favorites\Privacy Protector.url
C:\Documents and Settings\GRANT\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\GRANT\ftpdll.dll
C:\Documents and Settings\KELLY\Desktop\Error Cleaner.url
C:\Documents and Settings\KELLY\Desktop\Privacy Protector.url
C:\Documents and Settings\KELLY\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\KELLY\Favorites\Error Cleaner.url
C:\Documents and Settings\KELLY\Favorites\Privacy Protector.url
C:\Documents and Settings\KELLY\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\KELLY\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\LocalService\Application Data\printer.exe
C:\Documents and Settings\LocalService\ftpdll.dll
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\MORGAN\Desktop\Error Cleaner.url
C:\Documents and Settings\MORGAN\Desktop\Privacy Protector.url
C:\Documents and Settings\MORGAN\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\MORGAN\Desktopblackbird.jpg
C:\Documents and Settings\MORGAN\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\MORGAN\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\MORGAN\Desktopfilemanagerclient.exe
C:\Documents and Settings\MORGAN\Desktopfkwp1.5.exe
C:\Documents and Settings\MORGAN\Desktopfkwp2.0.exe
C:\Documents and Settings\MORGAN\Desktopfwebd.exe
C:\Documents and Settings\MORGAN\DesktopFWebdEditor.exe
C:\Documents and Settings\MORGAN\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\MORGAN\Favorites\Error Cleaner.url
C:\Documents and Settings\MORGAN\Favorites\Privacy Protector.url
C:\Documents and Settings\MORGAN\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\MORGAN\ftpdll.dll
C:\Documents and Settings\MORGAN\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\MORGAN\Start Menu\Programs\Startup\findfast.exe
C:\findfast.exe
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\dwltqnmx.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\stfngdvw.dll
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\Chl61.sys
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\QRJP57.sys
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\yjzeyfzt.dat
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\system32\gebyx.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\lcritcjmhof.dll
C:\WINDOWS\system32\ljjjkih.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\wind32.exe
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\wlogon32.dll
C:\WINDOWS\SYSTEM32\xybeg.ini
C:\WINDOWS\SYSTEM32\xybeg.ini2
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CHL61
-------\Legacy_CMDSERVICE
-------\Legacy_ICF
-------\Legacy_IICZVFAX
-------\Legacy_NETWORK_MONITOR
-------\Legacy_QRJP57
-------\Service_Chl61
-------\Service_iiczvfax
-------\Service_oqtxde
-------\Service_Qrjp57
-------\Service_QRJP57
-------\Legacy_Schedule
-------\Schedule


((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 21:17 . 2008-04-06 12:45 113,664 --a------ C:\WINDOWS\SYSTEM32\rbnnrrffbj.drv
2008-04-06 12:44 . 2008-04-07 21:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-06 12:44 . 2008-04-06 12:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-05 12:52 . 2008-04-05 12:52 <DIR> d-------- C:\Deckard
2008-04-05 11:58 . 2008-04-05 10:54 113,664 --a------ C:\WINDOWS\SYSTEM32\fnrjfrjn.nls
2008-04-05 11:46 . 2008-04-05 11:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-05 10:44 . 2008-04-06 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-02 21:30 . 2008-04-02 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ojylihuf
2008-04-02 20:28 . 2008-04-02 22:20 3,608 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-02 19:51 . 2008-04-02 23:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 19:51 . 2008-04-02 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:42 . 2003-12-06 17:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-02 19:42 . 2003-12-06 17:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-31 13:06 . 2008-04-06 12:24 6,656 --a------ C:\WINDOWS\SYSTEM32\univrs32.dat
2008-03-30 19:13 . 2008-03-30 19:21 2 --a------ C:\-996810485
2008-03-22 12:36 . 2008-03-22 12:36 9,216 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-03-15 11:07 . 2008-03-15 11:07 244 --ah----- C:\sqmnoopt00.sqm
2008-03-15 11:07 . 2008-03-15 11:07 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 09:24 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-04-07 09:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-06 03:52 --------- d-----w C:\Documents and Settings\KELLY\Application Data\Lavasoft
2008-03-30 07:18 15,872 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe
2008-03-28 03:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-03-26 08:34 93,328 ----a-w C:\Documents and Settings\MORGAN\Application Data\GDIPFONTCACHEV1.DAT
2008-03-10 06:47 95,688 ----a-w C:\Documents and Settings\GRANT\Application Data\GDIPFONTCACHEV1.DAT
2008-03-04 03:51 95,688 ----a-w C:\Documents and Settings\KELLY\Application Data\GDIPFONTCACHEV1.DAT
2008-03-03 09:25 --------- d-----w C:\Program Files\Google
2008-03-01 20:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-03-01 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-03-01 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 19:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-29 22:18 --------- d-----w C:\Program Files\Macrogaming
2008-02-25 06:16 --------- d-----w C:\Program Files\Conduit
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\3.dat
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\2.dat
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\1.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\3.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\2.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\1.dat
2003-12-06 05:22 32 --sha-w C:\WINDOWS\{BC97D1C7-892B-48F7-A29C-08FACD8B3C90}.dat
2003-12-06 05:22 32 --sha-w C:\WINDOWS\SYSTEM32\{53D96304-E5AA-4034-85D9-2B1DA0F31E91}.dat
.

------- Sigcheck -------

2008-03-30 19:18 15872 f51804d380ac8d04d78a036e2191bced C:\WINDOWS\SYSTEM32\svchost.exe

2002-08-29 09:00 520704 eda6b245a61e0c30ee65dcd483a82113 C:\WINDOWS\SYSTEM32\winlogon.exe

2002-08-29 09:00 1007104 c588da2bb616b93a7656a79b84a21279 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-06_12.48.12.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-05 22:36:12 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-04-06 04:27:46 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-04-05 22:36:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-04-06 04:27:46 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-04-05 22:36:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-04-06 04:27:46 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 17:22 68856]
"Sonic RecordNow!"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 04:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 04:07 114688]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 23:47 204800]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 15:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 15:11 58392]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 11:51 25088]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 17:20 28672]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-07 12:06 100056]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59 218240]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 19:15 103712]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35 473928]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 05:04 114741]
"frbbbjfr"="C:\WINDOWS\TEMP\bfnbjbjr.sys WLEntryPoint" [ ]

C:\Documents and Settings\KELLY\Start Menu\Programs\Startup\
OCRAWARE.lnk - C:\OPLIMIT\OCRAWARE.EXE [2004-01-19 11:29:10 51360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-12-06 17:19:20 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-06 17:22:28 125176]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 15:42:06 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2003-12-29 14:18:33 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"nbfbfffj"= rundll32.exe "C:\WINDOWS\System32\nbjnjnnnbbf.nls" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3CODECA.ACM
"vidc.iv41"= ir41_32.dll
"VIDC.WMV3"= wmv9vcm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 20:53:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-03-28 03:55:37 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-03-30 05:50:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-30 06:36:05 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"

HijackThis Log
Deckard's System Scanner v20071014.68
Run by GRANT on 2008-04-07 21:31:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as GRANT.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32, on 2008-04-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\GRANT\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\GRANT.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [frbbbjfr] rundll32.exe "C:\WINDOWS\TEMP\bfnbjbjr.sys" WLEntryPoint
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [nbfbfffj] rundll32.exe "C:\WINDOWS\System32\nbjnjnnnbbf.nls" WLEntryPoint
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\epobador.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\epobador.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/a-UNO1/GAME_UNO1.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/D...h2.1.0.0.68.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/cinematycoon.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - http://ptcnz.tcnz.motive.com/lwp/static/in...aller_4-2-0.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DBC48F4-8269-4B48-BF85-E4C93A446BAA}: NameServer = 85.255.113.126,85.255.112.102
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9920 bytes

-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-07 21:14:59 0 d-------- C:\COMBOF~1
2008-04-06 12:29:54 68096 --a------ C:\WINDOWS\zip.exe
2008-04-06 12:29:54 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-06 12:29:54 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-06 12:29:54 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-06 12:29:54 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-06 12:29:54 98816 --a------ C:\WINDOWS\sed.exe
2008-04-06 12:29:54 80412 --a------ C:\WINDOWS\grep.exe
2008-04-06 12:29:54 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-05 14:43:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-04-05 11:46:27 0 d-------- C:\WINDOWS\ERUNT
2008-04-05 10:44:09 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-02 21:30:18 0 d-------- C:\Documents and Settings\All Users\Application Data\ojylihuf
2008-04-02 20:28:48 3608 --a------ C:\WINDOWS\System32\tmp.reg
2008-04-02 19:51:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-02 19:42:37 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-02 19:42:37 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-02 19:42:36 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-31 13:06:33 6656 --a------ C:\WINDOWS\System32\univrs32.dat
2008-03-30 19:18:46 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-30 19:13:55 2 --a------ C:\-996810485


-- Find3M Report ---------------------------------------------------------------

2008-04-07 21:31:47 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-04-07 21:24:54 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-07 21:24:01 0 d-------- C:\Program Files\Common Files
2008-03-30 19:18:55 15872 --a------ C:\WINDOWS\System32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-28 15:00:01 0 d-------- C:\Program Files\Norton Security Scan
2008-03-10 18:47:57 95688 --a------ C:\Documents and Settings\GRANT\Application Data\GDIPFONTCACHEV1.DAT
2008-03-03 21:25:39 0 d-------- C:\Program Files\Google
2008-03-02 07:33:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-02 07:32:02 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-01 10:18:15 0 d-------- C:\Program Files\Macrogaming
2008-02-25 18:16:57 0 d-------- C:\Program Files\Conduit
2008-02-23 16:53:26 0 d-------- C:\Documents and Settings\GRANT\Application Data\Macromedia
2008-02-16 13:22:55 0 d-------- C:\Documents and Settings\GRANT\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 04:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 04:07]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 23:47]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 15:11]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 15:11]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 11:51]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 17:20]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-05-07 12:06]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 19:15]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 05:04]
"frbbbjfr"="C:\WINDOWS\TEMP\bfnbjbjr.sys WLEntryPoint" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 17:22]
"Sonic RecordNow!"="" []

C:\Documents and Settings\GRANT\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 13:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 13:00:00]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-12-06 17:19:20]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-06 17:22:28]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 15:42:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2003-12-29 14:18:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"nbfbfffj"=rundll32.exe "C:\WINDOWS\System32\nbjnjnnnbbf.nls" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"





-- End of Deckard's System Scanner: finished at 2008-04-07 21:32:59 ------------

Edited by Korpse, 07 April 2008 - 04:23 AM.


#6 Buckeye_Sam
• Malware Expert • Members • 17,382 posts • Pickerington, Ohio

Posted 07 April 2008 - 06:51 AM

Yeah, if it was as easy as a one step fix, this forum wouldn't be needed. :thumbsup:

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"nbfbfffj"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frbbbjfr"=-

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================


There are a few files that show up in your log that I'm suspicious of, but we need to verify their intention.
Please visit this website.

http://www.virustotal.com/

One at a time, please upload these files to be scanned. After each one you will get a report as the file is scanned. Please be patient as the report is generated over several minutes. Once it is complete, copy the text and paste it here in your next reply.

C:\WINDOWS\SYSTEM32\rbnnrrffbj.drv

C:\WINDOWS\SYSTEM32\fnrjfrjn.nls

c:\windows\system32\epobador.dll

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
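The CFScript above removes the two rundll32 Run values by hand after reading them out of the HijackThis log. As an added example (not code from the thread, from HijackThis or from ComboFix), the Python below applies the same triage rules to O4/O10/O17 lines and emits the matching Registry:: block; the sample lines are copied from the log above, and EXPECTED_DNS is a placeholder assumption standing in for the ISP's real resolvers.

```python
"""Triage HijackThis O4/O10/O17 lines with the rules the helper applied by
eye, then emit the ComboFix CFScript 'Registry::' block for the flagged Run
values.  Added example, not code from the thread or from ComboFix."""
import re
from typing import Dict, List, Optional

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"  # HijackThis shows this as '..'

# Constructed sample: O4/O10/O17 lines copied from the HijackThis log above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [frbbbjfr] rundll32.exe "C:\WINDOWS\TEMP\bfnbjbjr.sys" WLEntryPoint
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [nbfbfffj] rundll32.exe "C:\WINDOWS\System32\nbjnjnnnbbf.nls" WLEntryPoint
O10 - Unknown file in Winsock LSP: c:\windows\system32\epobador.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\epobador.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DBC48F4-8269-4B48-BF85-E4C93A446BAA}: NameServer = 85.255.113.126,85.255.112.102
'''

# Assumption / placeholder: the resolvers the owner's ISP really hands out.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(.+?): \[([^\]]+)\] (.*)$')
O10_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (.+)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (.+)$')


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the module a rundll32 command line loads, or None if not rundll32."""
    m = re.match(r'rundll32(?:\.exe)?\s+(.*)', cmd, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                      # quoted path, as HijackThis prints it
        return rest[1:].split('"', 1)[0]
    return re.split(r'[,\s]', rest, maxsplit=1)[0]  # unquoted: module ends at ',' or space


def triage(log: str, expected_dns=EXPECTED_DNS) -> List[Dict[str, str]]:
    """One finding per suspicious line; duplicates (HijackThis lists an LSP twice) collapse."""
    findings, seen = [], set()
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            reasons = []
            target = rundll32_target(cmd)
            if target is not None:
                # A real rundll32 host loads a .dll; .sys/.nls targets are disguised modules.
                if not target.lower().endswith(".dll"):
                    reasons.append("rundll32 loads a non-.dll file (%s)" % target.rsplit(".", 1)[-1])
                if "\\temp\\" in target.lower():
                    reasons.append("module lives in a TEMP directory")
            if reasons:
                findings.append({"kind": "O4", "name": name,
                                 "key": "%s\\%s\\%s" % (HIVES.get(hive, hive), RUN_BASE, key),
                                 "reason": "; ".join(reasons)})
            continue
        m = O10_RE.match(line)
        if m:
            item = ("O10", m.group(1))
            if item not in seen:
                seen.add(item)
                findings.append({"kind": "O10", "name": m.group(1),
                                 "reason": "LSP module not on the known-good list; verify by hash"})
            continue
        m = O17_RE.match(line)
        if m:
            rogue = [ip.strip() for ip in m.group(1).split(",") if ip.strip() not in expected_dns]
            if rogue:
                findings.append({"kind": "O17", "name": ",".join(rogue),
                                 "reason": "NameServer not among the expected resolvers"})
    return findings


def cfscript_registry_section(findings: List[Dict[str, str]]) -> str:
    """Build the 'Registry::' block ComboFix reads from CFScript; "name"=- deletes the value."""
    lines = ["Registry::"]
    for f in findings:
        if f["kind"] == "O4":
            lines.append("[%s]" % f["key"])   # registry key names are case-insensitive
            lines.append('"%s"=-' % f["name"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-4s %-40s %s" % (f["kind"], f["name"], f["reason"]))
    print(cfscript_registry_section(found))
```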


========================================================

#7 Korpse
• Topic Starter • Members • 32 posts • New Zealand

Posted 08 April 2008 - 04:03 AM

Oooookay......

ComboFix didn't do anything when I dropped that script on it. I installed AVG so I could connect to the internet and scan those other files, and it found a trojan in winlogon. It quarantined it, which was a bad thing, because now the computer won't boot at all. As the CD drive in this PC is knackered I'm a bit stuck now - can't repair the Windows install because I can't boot off the XP CD because the drive won't read anything.

So temporarily, this thread can be closed - if I get the CD drive going again, I may need to come back, but I'll let you know what happens. Thanks for the help so far.

#8 Buckeye_Sam
• Malware Expert • Members • 17,382 posts • Pickerington, Ohio

Posted 08 April 2008 - 06:17 AM

Hmmm...ok, I'll go ahead and close this thread. If you need it reopened just send me a PM and I'll open it back up for you.


========================================================

#9 Buckeye_Sam
• Malware Expert • Members • 17,382 posts • Pickerington, Ohio

Posted 10 April 2008 - 06:14 AM

Topic re-opened.


========================================================

#10 Korpse
• Topic Starter • Members • 32 posts • New Zealand

Posted 10 April 2008 - 06:21 AM

Thanks for the re-open - here's the ComboFix log (it ran first time once I'd got Windows going again) and the details from virustotal for those three files.

ComboFix 08-04-03.5 - GRANT 2008-04-10 20:11:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.79 [GMT 12:00]
Running from: C:\DOCUME~1\GRANT\Desktop\COMBOF~1.EXE
Command switches used :: C:\Documents and Settings\GRANT\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\BEEP.SYS
C:\1.dll
C:\36110103225.exe
C:\autoex.dll
C:\d.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\config.ini
C:\Documents and Settings\All Users.\documents\settings\partnership.dll
C:\Documents and Settings\All Users\Application Data\erifwfah
C:\Documents and Settings\All Users\Application Data\hmlwfqrm
C:\Documents and Settings\All Users\Application Data\tmngxwlc
C:\Documents and Settings\All Users\Application Data\ulcpirqv
C:\Documents and Settings\All Users\Application Data\wtwxqlqf
C:\Documents and Settings\All Users\Application Data\ynqbybkv
C:\Documents and Settings\All Users\Application Data\yvoxshwb
C:\Documents and Settings\BRIAR\delself.bat
C:\Documents and Settings\BRIAR\Desktop\Error Cleaner.url
C:\Documents and Settings\BRIAR\Desktop\Privacy Protector.url
C:\Documents and Settings\BRIAR\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\BRIAR\Favorites\Error Cleaner.url
C:\Documents and Settings\BRIAR\Favorites\Privacy Protector.url
C:\Documents and Settings\BRIAR\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\BRIAR\ftpdll.dll
C:\Documents and Settings\BRIAR\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\BRIAR\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\GRANT\delself.bat
C:\Documents and Settings\GRANT\Desktopblackbird.jpg
C:\Documents and Settings\GRANT\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\GRANT\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\GRANT\Desktopfilemanagerclient.exe
C:\Documents and Settings\GRANT\Desktopfkwp1.5.exe
C:\Documents and Settings\GRANT\Desktopfkwp2.0.exe
C:\Documents and Settings\GRANT\Desktopfwebd.exe
C:\Documents and Settings\GRANT\DesktopFWebdEditor.exe
C:\Documents and Settings\GRANT\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\GRANT\Favorites\Error Cleaner.url
C:\Documents and Settings\GRANT\Favorites\Privacy Protector.url
C:\Documents and Settings\GRANT\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\GRANT\ftpdll.dll
C:\Documents and Settings\GRANT\ie_updates3r.exe
C:\Documents and Settings\KELLY\Desktop\Error Cleaner.url
C:\Documents and Settings\KELLY\Desktop\Privacy Protector.url
C:\Documents and Settings\KELLY\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\KELLY\Favorites\Error Cleaner.url
C:\Documents and Settings\KELLY\Favorites\Privacy Protector.url
C:\Documents and Settings\KELLY\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\KELLY\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\LocalService\Application Data\nvsvc1024.dll
C:\Documents and Settings\LocalService\Application Data\printer.exe
C:\Documents and Settings\LocalService\ftpdll.dll
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\MORGAN\delself.bat
C:\Documents and Settings\MORGAN\Desktop\Error Cleaner.url
C:\Documents and Settings\MORGAN\Desktop\Privacy Protector.url
C:\Documents and Settings\MORGAN\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\MORGAN\Desktopblackbird.jpg
C:\Documents and Settings\MORGAN\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\MORGAN\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\MORGAN\Desktopfilemanagerclient.exe
C:\Documents and Settings\MORGAN\Desktopfkwp1.5.exe
C:\Documents and Settings\MORGAN\Desktopfkwp2.0.exe
C:\Documents and Settings\MORGAN\Desktopfwebd.exe
C:\Documents and Settings\MORGAN\DesktopFWebdEditor.exe
C:\Documents and Settings\MORGAN\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\MORGAN\Favorites\Error Cleaner.url
C:\Documents and Settings\MORGAN\Favorites\Privacy Protector.url
C:\Documents and Settings\MORGAN\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\MORGAN\ftpdll.dll
C:\Documents and Settings\MORGAN\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\MORGAN\Start Menu\Programs\Startup\findfast.exe
C:\findfast.exe
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Program Files\Labpixies
C:\Program Files\Labpixies\INSTALL.LOG
C:\Program Files\Labpixies\tbLabp.dll
C:\Program Files\Labpixies\toolbar.cfg
C:\Program Files\Labpixies\UNWISE.EXE
C:\rhvetm.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\dwltqnmx.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\stfngdvw.dll
C:\WINDOWS\SYSTEM32\ATKCTR.dll
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\System32\cryper.dll
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\Chl61.sys
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\drivers\QRJP57.sys
C:\WINDOWS\SYSTEM32\DRIVERS\smss.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\yjzeyfzt.dat
C:\WINDOWS\System32\ejhcxr.dll
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\SYSTEM32\fywdihsu.tmp
C:\WINDOWS\System32\gebyx.dll
C:\WINDOWS\System32\knqhsfehoj.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\lcritcjmhof.dll
C:\WINDOWS\system32\ljjjkih.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\olgzwpav.exe
C:\WINDOWS\SYSTEM32\p2hhr.bat
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\svchost.t__
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\System32\tcpdiss.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\wind32.exe
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\SYSTEM32\winlogans.tmp
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\wlogon32.dll
C:\WINDOWS\SYSTEM32\xwzgfozm.exe
C:\WINDOWS\SYSTEM32\xybeg.ini
C:\WINDOWS\SYSTEM32\xybeg.ini2
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CHL61
-------\Legacy_CMDSERVICE
-------\Legacy_ICF
-------\Legacy_IICZVFAX
-------\Legacy_NETWORK_MONITOR
-------\Legacy_QRJP57
-------\Service_Chl61
-------\Service_iiczvfax
-------\Service_oqtxde
-------\Service_Qrjp57
-------\Service_QRJP57
-------\Legacy_Schedule
-------\Schedule


((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-11 07:48 . 2002-08-29 15:41 516,608 --a------ C:\WINDOWS\SYSTEM32\winlogon.exe
2008-04-10 19:52 . 2008-04-10 19:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 19:52 . 2008-04-10 19:52 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 21:46 . 2008-04-08 21:46 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-08 21:46 . 2008-04-10 19:54 <DIR> d-------- C:\Documents and Settings\GRANT\Application Data\AVG7
2008-04-08 21:45 . 2008-04-08 21:45 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2008-04-08 21:45 . 2008-04-08 21:45 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2008-04-08 21:44 . 2008-04-08 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-08 21:44 . 2008-04-10 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\ComboFix
2008-04-07 21:17 . 2008-04-06 12:45 113,664 --a------ C:\WINDOWS\SYSTEM32\rbnnrrffbj.drv
2008-04-05 12:52 . 2008-04-05 12:52 <DIR> d-------- C:\Deckard
2008-04-05 11:58 . 2008-04-05 10:54 113,664 --a------ C:\WINDOWS\SYSTEM32\fnrjfrjn.nls
2008-04-05 11:46 . 2008-04-05 11:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-02 20:28 . 2008-04-02 22:20 3,608 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-02 19:51 . 2008-04-02 23:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 19:51 . 2008-04-02 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:42 . 2003-12-06 17:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-31 13:06 . 2008-04-06 12:24 6,656 --a------ C:\WINDOWS\SYSTEM32\univrs32.dat
2008-03-30 19:13 . 2008-03-30 19:21 2 --a------ C:\-996810485
2008-03-22 12:36 . 2008-03-22 12:36 9,216 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-03-15 11:07 . 2008-03-15 11:07 244 --ah----- C:\sqmnoopt00.sqm
2008-03-15 11:07 . 2008-03-15 11:07 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 09:38 --------- d-----w C:\Program Files\Symantec
2008-04-08 09:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-07 09:36 --------- d-----w C:\Program Files\Microsoft Encarta
2008-04-07 09:36 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-03-30 07:18 15,872 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe
2008-03-28 03:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-03-10 06:47 95,688 ----a-w C:\Documents and Settings\GRANT\Application Data\GDIPFONTCACHEV1.DAT
2008-03-04 03:51 95,688 ----a-w C:\Documents and Settings\KELLY\Application Data\GDIPFONTCACHEV1.DAT
2008-03-03 09:25 --------- d-----w C:\Program Files\Google
2008-03-01 20:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-03-01 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-03-01 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 19:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-29 22:18 --------- d-----w C:\Program Files\Macrogaming
2008-02-25 06:16 --------- d-----w C:\Program Files\Conduit
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\3.dat
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\2.dat
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\1.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\3.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\2.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\1.dat
.

------- Sigcheck -------

2008-03-30 19:18 15872 f51804d380ac8d04d78a036e2191bced C:\WINDOWS\SYSTEM32\svchost.exe

2002-08-29 09:00 1007104 c588da2bb616b93a7656a79b84a21279 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-06_12.48.12.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-05 22:36:12 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-04-06 04:27:46 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-04-05 22:36:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-04-06 04:27:46 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-04-05 22:36:12 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-04-06 04:27:46 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-04-08 09:45:40 821,856 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
+ 2008-04-08 09:45:52 4,224 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
+ 2008-04-08 09:45:52 27,776 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
+ 2008-04-08 09:45:53 10,760 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
+ 2008-04-08 09:45:53 26,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2008-04-08 09:45:53 4,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
+ 2002-08-28 21:00:00 113,664 ----a-w C:\WINDOWS\TEMP\bbffjb.drv
+ 2002-08-28 21:00:00 113,664 ----a-w C:\WINDOWS\TEMP\nnrnrrrf.sys
+ 2002-08-28 21:00:00 113,664 ----a-w C:\WINDOWS\TEMP\rjfrrbnf.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 17:22 68856]
"Sonic RecordNow!"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 04:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 04:07 114688]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 23:47 204800]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 11:51 25088]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 17:20 28672]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59 218240]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 19:15 103712]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 05:04 114741]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-08 21:45 579072]
"jjnnnjbb"="C:\WINDOWS\TEMP\rjfrrbnf.dll" [2002-08-29 09:00 113664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-08 21:45 219136]

C:\Documents and Settings\KELLY\Start Menu\Programs\Startup\
OCRAWARE.lnk - C:\OPLIMIT\OCRAWARE.EXE [2004-01-19 11:29:10 51360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-12-06 17:19:20 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-06 17:22:28 125176]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 15:42:06 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2003-12-29 14:18:33 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"jffbrbjb"= rundll32.exe "C:\WINDOWS\System32\nbjnjnnnbbf.nls" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3CODECA.ACM
"vidc.iv41"= ir41_32.dll
"VIDC.WMV3"= wmv9vcm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\System32\drivers\ATMhelpr.sys [1997-06-17 03:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 03:55:37 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-03-30 05:50:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-03-30 06:36:05 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 20:16:41
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System = csufy.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINDOWS\system32\userinit.exe,

scanning hidden files ...

C:\WINDOWS\system32\csufy.exe 51200 bytes executable
C:\WINDOWS\system32\woinst32.exe 705 bytes executable
C:\WINDOWS\system32\howiper.exe 3107 bytes executable
C:\WINDOWS\system32\filesaver32.exe 654111 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
Completion time: 2008-04-10 20:18:32
ComboFix-quarantined-files.txt 2008-04-10 08:18:25
Pre-Run: 24,267,177,984 bytes free
Post-Run: 24,251,777,024 bytes free



Virustotal results
for c:\windows\system32\rbnnrrffbj.drv

File rbnnrrffbj.drv received on 04.10.2008 09:44:47 (CET)
Current status: finished

Result: 27/32 (84.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.4.9.0 2008.04.10 -
AntiVir 7.6.0.81 2008.04.10 Worm/Locksky.CM.1
Authentium 4.93.8 2008.04.10 -
Avast 4.8.1169.0 2008.04.09 Win32:Trojan-gen {Other}
AVG 7.5.0.516 2008.04.09 I-Worm/Locksky.ER
BitDefender 7.2 2008.04.10 Win32.Worm.Locksky.CD
CAT-QuickHeal 9.50 2008.04.10 I-Worm.Locksky.cm
ClamAV 0.92.1 2008.04.10 -
DrWeb 4.44.0.09170 2008.04.10 DLOADER.Trojan
eSafe 7.0.15.0 2008.04.09 Win32.Locksky.cm
eTrust-Vet 31.3.5686 2008.04.10 Win32/Loosky
Ewido 4.0 2008.04.09 Worm.Locksky.cm
F-Prot 4.4.2.54 2008.04.08 W32/Locksky.A.gen!Eldorado
F-Secure 6.70.13260.0 2008.04.10 Email-Worm.Win32.Locksky.cm
FileAdvisor 1 2008.04.10 -
Fortinet 3.14.0.0 2008.04.10 -
Ikarus T3.1.1.26.0 2008.04.10 Email-Worm.Win32.Locksky.cm
Kaspersky 7.0.0.125 2008.04.10 Email-Worm.Win32.Locksky.cm
McAfee 5270 2008.04.09 loosky.gen
Microsoft 1.3408 2008.04.10 Worm:Win32/Locksky.gen!A
NOD32v2 3014 2008.04.09 Win32/Locksky
Norman 5.80.02 2008.04.09 W32/Locksky.UD
Panda 9.0.0.4 2008.04.10 Suspicious file
Prevx1 V2 2008.04.10 Heuristic: Suspicious File With Bad Parent Associations
Rising 20.39.22.00 2008.04.10 Worm.Win32.Locksky.a
Sophos 4.28.0 2008.04.10 Mal/Generic-A
Sunbelt 3.0.1032.0 2008.04.08 Worm/Locksky.CM.1
Symantec 10 2008.04.10 Backdoor.Trojan
TheHacker 6.2.92.271 2008.04.10 W32/Locksky.cm
VBA32 3.12.6.4 2008.04.06 Email-Worm.Win32.Locksky.cm
VirusBuster 4.3.26:9 2008.04.09 I-Worm.Locksky.FW
Webwasher-Gateway 6.6.2 2008.04.10 Worm.Locksky.CM.1

Additional information
File size: 113664 bytes
MD5...: b5634ae4d4589b1a93e799a7874ff3f6
SHA1..: 32902afc7a89fb0127276922d4b51bff2f184d98
SHA256: c30b203e4d55875c8021ad5a02dad4b5fe6a19c3c28b5eefbefef322db3b7a68
SHA512: 7ea52cbeb6b04dbce27e25ada3e77d1898e0f506d908ac8b894b16bd94665f6c
195bfe4c9108d10a96f81fc441d372df1da26d1b0751a53071f3173e485658e2
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2a480f8b
timedatestamp.....: 0x47cc0de8 (Mon Mar 03 14:40:40 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x110b5 0x11200 6.64 315908eb09425bb7b3fb46fb948ff321
.rdata 0x13000 0x30a6 0x3200 5.97 73ecf061c964b9440a90c93b60196544
.data 0x17000 0x796c 0x5800 5.91 ab01e4f9435a8727411fea7c6f9e9086
.rsrc 0x1f000 0x420 0x600 2.51 1b52da20b14223a9ae35fa2b08987250
.reloc 0x20000 0x140c 0x1600 5.40 f6ea09e199a7e75a8838f0a403003294

( 10 imports )
> KERNEL32.dll: lstrcpynW, lstrlenW, CreateEventA, SetEvent, lstrcpyA, SystemTimeToFileTime, GetSystemTime, IsBadReadPtr, lstrcatA, Sleep, GetLastError, MoveFileA, DeleteFileA, GetTempFileNameA, TerminateThread, GetCurrentThread, CreateMutexW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, InterlockedIncrement, InterlockedDecrement, CreateSemaphoreA, FindNextFileA, FindFirstFileA, GetVolumeInformationA, GetDriveTypeA, GetLogicalDrives, GetComputerNameA, LoadLibraryA, SetUnhandledExceptionFilter, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, GetFileSize, FindClose, GetEnvironmentVariableA, LocalFree, LocalAlloc, DeleteCriticalSection, GlobalFree, GlobalUnlock, GlobalLock, lstrlenA, GetFileTime, GetFullPathNameA, GetTempPathA, FileTimeToSystemTime, GetTimeZoneInformation, GetLocalTime, GetTickCount, QueryPerformanceCounter, GetProcAddress, GetModuleHandleA, SetFileTime, FreeLibrary, GetModuleFileNameA, ExitThread, GetCurrentThreadId, WinExec, ReleaseSemaphore, ResumeThread, SetThreadContext, GetThreadContext, VirtualAllocEx, GetVersion, MoveFileExA, CopyFileA, GetExitCodeProcess, SetFilePointer, CreateDirectoryA, RemoveDirectoryA, DisableThreadLibraryCalls, CreateMutexA, ReleaseMutex, ExitProcess, lstrcpynA, CreatePipe, GetStartupInfoA, OutputDebugStringA, GetSystemDirectoryA, CreateProcessA, WaitForSingleObject, PeekNamedPipe, ReadFile, TerminateProcess, lstrcmpiA, VirtualProtect, GetCurrentProcess, WriteProcessMemory, GetFileAttributesA, GetSystemTimeAsFileTime, VirtualQuery, VirtualFree, VirtualAlloc, CreateFileA, WriteFile, CreateThread, CloseHandle, GlobalAlloc
> USER32.dll: MessageBoxA, wsprintfA, wvsprintfA, GetSystemMetrics
> ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumValueA, RegDeleteValueA, RegNotifyChangeKeyValue, RegCreateKeyExA, RegSetValueExA, OpenProcessToken, ImpersonateLoggedOnUser, RevertToSelf, GetTokenInformation, LookupAccountSidA, RegOpenKeyExA, RegEnumKeyA, RegQueryValueExA, RegCloseKey
> ole32.dll: CreateStreamOnHGlobal
> ntdll.dll: RtlUnwind, memmove, strchr, tolower, _alldiv, _strcmpi, _chkstk, _allmul, NtAllocateVirtualMemory, NtQuerySystemInformation, NtFreeVirtualMemory, NtOpenProcess, NtClose, _strlwr, _strnicmp, strstr
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> DNSAPI.dll: DnsQuery_A, DnsRecordListFree
> MAPI32.dll: -, -, -, -, -, -, -, -, -, -, -
> WININET.dll: InternetCloseHandle, InternetOpenUrlA, InternetReadFile, InternetOpenA
> SHLWAPI.dll: StrStrA, StrChrA, StrCmpNA, StrToIntA

( 5 exports )
WLEntry, WLEntryPoint, WLEventLogoff, WLEventLogon, WLEventShutdown

Prevx info: http://info.prevx.com/aboutprogramtext.asp...08FF40085F1E02F
Bit9 info: http://fileadvisor.bit9.com/services/extin...3e799a7874ff3f6


for c:\windows\system32\fnrjfjrn.nls

File fnrjfrjn.nls received on 04.10.2008 09:39:29 (CET)
Current status: finished
Result: 27/32 (84.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.4.9.0 2008.04.10 -
AntiVir 7.6.0.81 2008.04.10 Worm/Locksky.CM.1
Authentium 4.93.8 2008.04.10 -
Avast 4.8.1169.0 2008.04.09 Win32:Trojan-gen {Other}
AVG 7.5.0.516 2008.04.09 I-Worm/Locksky.ER
BitDefender 7.2 2008.04.10 Win32.Worm.Locksky.CD
CAT-QuickHeal 9.50 2008.04.10 I-Worm.Locksky.cm
ClamAV 0.92.1 2008.04.10 -
DrWeb 4.44.0.09170 2008.04.10 DLOADER.Trojan
eSafe 7.0.15.0 2008.04.09 Win32.Locksky.cm
eTrust-Vet 31.3.5686 2008.04.10 Win32/Loosky
Ewido 4.0 2008.04.09 Worm.Locksky.cm
F-Prot 4.4.2.54 2008.04.08 W32/Locksky.A.gen!Eldorado
F-Secure 6.70.13260.0 2008.04.10 Email-Worm.Win32.Locksky.cm
FileAdvisor 1 2008.04.10 -
Fortinet 3.14.0.0 2008.04.10 -
Ikarus T3.1.1.26.0 2008.04.10 Email-Worm.Win32.Locksky.cm
Kaspersky 7.0.0.125 2008.04.10 Email-Worm.Win32.Locksky.cm
McAfee 5270 2008.04.09 loosky.gen
Microsoft 1.3408 2008.04.10 Worm:Win32/Locksky.gen!A
NOD32v2 3014 2008.04.09 Win32/Locksky
Norman 5.80.02 2008.04.09 W32/Locksky.UD
Panda 9.0.0.4 2008.04.10 Suspicious file
Prevx1 V2 2008.04.10 Heuristic: Suspicious File With Bad Parent Associations
Rising 20.39.22.00 2008.04.10 Worm.Win32.Locksky.a
Sophos 4.28.0 2008.04.10 Mal/Generic-A
Sunbelt 3.0.1032.0 2008.04.08 Worm/Locksky.CM.1
Symantec 10 2008.04.10 Backdoor.Trojan
TheHacker 6.2.92.271 2008.04.10 W32/Locksky.cm
VBA32 3.12.6.4 2008.04.06 Email-Worm.Win32.Locksky.cm
VirusBuster 4.3.26:9 2008.04.09 I-Worm.Locksky.FW
Webwasher-Gateway 6.6.2 2008.04.10 Worm.Locksky.CM.1

Additional information
File size: 113664 bytes
MD5...: b5634ae4d4589b1a93e799a7874ff3f6
SHA1..: 32902afc7a89fb0127276922d4b51bff2f184d98
SHA256: c30b203e4d55875c8021ad5a02dad4b5fe6a19c3c28b5eefbefef322db3b7a68
SHA512: 7ea52cbeb6b04dbce27e25ada3e77d1898e0f506d908ac8b894b16bd94665f6c
195bfe4c9108d10a96f81fc441d372df1da26d1b0751a53071f3173e485658e2
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2a480f8b
timedatestamp.....: 0x47cc0de8 (Mon Mar 03 14:40:40 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x110b5 0x11200 6.64 315908eb09425bb7b3fb46fb948ff321
.rdata 0x13000 0x30a6 0x3200 5.97 73ecf061c964b9440a90c93b60196544
.data 0x17000 0x796c 0x5800 5.91 ab01e4f9435a8727411fea7c6f9e9086
.rsrc 0x1f000 0x420 0x600 2.51 1b52da20b14223a9ae35fa2b08987250
.reloc 0x20000 0x140c 0x1600 5.40 f6ea09e199a7e75a8838f0a403003294

( 10 imports )
> KERNEL32.dll: lstrcpynW, lstrlenW, CreateEventA, SetEvent, lstrcpyA, SystemTimeToFileTime, GetSystemTime, IsBadReadPtr, lstrcatA, Sleep, GetLastError, MoveFileA, DeleteFileA, GetTempFileNameA, TerminateThread, GetCurrentThread, CreateMutexW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, InterlockedIncrement, InterlockedDecrement, CreateSemaphoreA, FindNextFileA, FindFirstFileA, GetVolumeInformationA, GetDriveTypeA, GetLogicalDrives, GetComputerNameA, LoadLibraryA, SetUnhandledExceptionFilter, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, GetFileSize, FindClose, GetEnvironmentVariableA, LocalFree, LocalAlloc, DeleteCriticalSection, GlobalFree, GlobalUnlock, GlobalLock, lstrlenA, GetFileTime, GetFullPathNameA, GetTempPathA, FileTimeToSystemTime, GetTimeZoneInformation, GetLocalTime, GetTickCount, QueryPerformanceCounter, GetProcAddress, GetModuleHandleA, SetFileTime, FreeLibrary, GetModuleFileNameA, ExitThread, GetCurrentThreadId, WinExec, ReleaseSemaphore, ResumeThread, SetThreadContext, GetThreadContext, VirtualAllocEx, GetVersion, MoveFileExA, CopyFileA, GetExitCodeProcess, SetFilePointer, CreateDirectoryA, RemoveDirectoryA, DisableThreadLibraryCalls, CreateMutexA, ReleaseMutex, ExitProcess, lstrcpynA, CreatePipe, GetStartupInfoA, OutputDebugStringA, GetSystemDirectoryA, CreateProcessA, WaitForSingleObject, PeekNamedPipe, ReadFile, TerminateProcess, lstrcmpiA, VirtualProtect, GetCurrentProcess, WriteProcessMemory, GetFileAttributesA, GetSystemTimeAsFileTime, VirtualQuery, VirtualFree, VirtualAlloc, CreateFileA, WriteFile, CreateThread, CloseHandle, GlobalAlloc
> USER32.dll: MessageBoxA, wsprintfA, wvsprintfA, GetSystemMetrics
> ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumValueA, RegDeleteValueA, RegNotifyChangeKeyValue, RegCreateKeyExA, RegSetValueExA, OpenProcessToken, ImpersonateLoggedOnUser, RevertToSelf, GetTokenInformation, LookupAccountSidA, RegOpenKeyExA, RegEnumKeyA, RegQueryValueExA, RegCloseKey
> ole32.dll: CreateStreamOnHGlobal
> ntdll.dll: RtlUnwind, memmove, strchr, tolower, _alldiv, _strcmpi, _chkstk, _allmul, NtAllocateVirtualMemory, NtQuerySystemInformation, NtFreeVirtualMemory, NtOpenProcess, NtClose, _strlwr, _strnicmp, strstr
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> DNSAPI.dll: DnsQuery_A, DnsRecordListFree
> MAPI32.dll: -, -, -, -, -, -, -, -, -, -, -
> WININET.dll: InternetCloseHandle, InternetOpenUrlA, InternetReadFile, InternetOpenA
> SHLWAPI.dll: StrStrA, StrChrA, StrCmpNA, StrToIntA

( 5 exports )
WLEntry, WLEntryPoint, WLEventLogoff, WLEventLogon, WLEventShutdown

Bit9 info: http://fileadvisor.bit9.com/services/extin...3e799a7874ff3f6
Prevx info: http://info.prevx.com/aboutprogramtext.asp...08FF40085F1E02F

for c:\windows\system32\epobador.dll

File epobador.dll received on 04.10.2008 09:49:32 (CET)
Current status: finished

Result: 16/32 (50%)

Antivirus Version Last Update Result
AhnLab-V3 2008.4.9.0 2008.04.10 Win32/Locksky.worm.16896
AntiVir 7.6.0.81 2008.04.10 ADSPY/Sporder.A
Authentium 4.93.8 2008.04.10 -
Avast 4.8.1169.0 2008.04.09 -
AVG 7.5.0.516 2008.04.09 PSW.OnlineGames.AHVV
BitDefender 7.2 2008.04.10 Win32.Worm.Locksky.CE
CAT-QuickHeal 9.50 2008.04.10 -
ClamAV 0.92.1 2008.04.10 -
DrWeb 4.44.0.09170 2008.04.10 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5687 2008.04.10 -
Ewido 4.0 2008.04.09 Worm.Locksky.da
F-Prot 4.4.2.54 2008.04.08 -
F-Secure 6.70.13260.0 2008.04.10 Email-Worm.Win32.Locksky.da
FileAdvisor 1 2008.04.10 -
Fortinet 3.14.0.0 2008.04.10 W32/Loosky.H!tr
Ikarus T3.1.1.26 2008.04.10 Email-Worm.Win32.Locksky.da
Kaspersky 7.0.0.125 2008.04.10 Email-Worm.Win32.Locksky.da
McAfee 5270 2008.04.09 W32/Loosky
Microsoft 1.3408 2008.04.10 -
NOD32v2 3014 2008.04.09 -
Norman 5.80.02 2008.04.09 W32/Locksky.VJ
Panda 9.0.0.4 2008.04.10 -
Prevx1 V2 2008.04.10 Trojan.Downloader
Rising 20.39.22.00 2008.04.10 -
Sophos 4.28.0 2008.04.10 -
Sunbelt 3.0.1032.0 2008.04.08 Trojan.Sporder.A
Symantec 10 2008.04.10 -
TheHacker 6.2.92.271 2008.04.10 W32/Locksky.da
VBA32 3.12.6.4 2008.04.06 Email-Worm.Win32.Locksky.da
VirusBuster 4.3.26:9 2008.04.09 -
Webwasher-Gateway 6.6.2 2008.04.10 Ad-Spyware.Sporder.A

Additional information
File size: 16896 bytes
MD5...: cd5432f23d0fcc0d6b5d87e7f85df681
SHA1..: 8a0303760af911022d9504dbac685dd7f94dff21
SHA256: ea54d035227222f6495f53073510438cdfa5106d81828dfd58eee44ac120e01a
SHA512: 9312b6fe247a201fb29a26dc14ddf88aeb4677bb032bd218cf0c03a1941c7084
b1c1cc0145a518e71f4a2bf254635e082c3186237b18e6065a4559d3e42764bd
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x418a2fdd
timedatestamp.....: 0x47cc0dd4 (Mon Mar 03 14:40:20 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x29aa 0x2a00 6.56 a80aa5558f37cfc1701b448a33f3d7c4
.rdata 0x4000 0xaf5 0xc00 5.47 aa53297404133ec59f595e7b30c2bad9
.data 0x5000 0x5f4 0x200 3.33 b28b910c0c75fc0d68d3fb9d43495129
.reloc 0x6000 0x4c0 0x600 3.60 3269a125a81ed3c3649b681e17394ef9

( 5 imports )
> KERNEL32.dll: VirtualAlloc, VirtualFree, lstrcpynA, lstrlenA, GetVersionExA, CreateEventA, CreateThread, IsBadReadPtr, Sleep, GetTickCount, GlobalAlloc, GlobalFree, WideCharToMultiByte, FreeLibrary, GetProcAddress, LoadLibraryA, MultiByteToWideChar, HeapAlloc, GetProcessHeap, HeapDestroy, TerminateThread, HeapFree, LeaveCriticalSection, EnterCriticalSection, GetCurrentThreadId, DeleteCriticalSection, InitializeCriticalSection, GetModuleFileNameA, GetModuleHandleA, LoadLibraryW, ExpandEnvironmentStringsW, HeapCreate, CloseHandle, SetEvent
> USER32.dll: wvsprintfA
> ntdll.dll: wcslen, tolower, wcscmp, strstr, wcsncpy
> WS2_32.dll: WSCDeinstallProvider, WSCGetProviderPath, -, -, -, -, -, -, -, WSCInstallProvider, -, -, -, -, -, -, -, -, WSCEnumProtocols
> RPCRT4.dll: UuidCreate

( 6 exports )
DllMain, DllRegisterServer, DllSetName, DllUnregisterServer, UnadviseEvents, WSPStartup

Prevx info: http://info.prevx.com/aboutprogramtext.asp...63691002E0956E5

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:04 AM

Posted 10 April 2008 - 06:37 AM

Ok, let's do some cleaning up now.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\windows\system32\epobador.dll
c:\windows\system32\fnrjfjrn.nls
c:\windows\system32\rbnnrrffbj.drv
C:\WINDOWS\system32\csufy.exe 
C:\WINDOWS\system32\woinst32.exe 
C:\WINDOWS\system32\howiper.exe 
C:\WINDOWS\system32\filesaver32.exe
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================


Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 Korpse

Korpse
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Male
  • Location:New Zealand
  • Local time:07:04 PM

Posted 10 April 2008 - 07:05 AM

ComboFix log

ComboFix 08-04-03.5 - GRANT 2008-04-10 23:45:49.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.84 [GMT 12:00]
Running from: C:\DOCUME~1\GRANT\Desktop\COMBOF~1.EXE
Command switches used :: C:\Documents and Settings\GRANT\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\csufy.exe
c:\windows\system32\epobador.dll
C:\WINDOWS\system32\filesaver32.exe
c:\windows\system32\fnrjfjrn.nls
C:\WINDOWS\system32\howiper.exe
c:\windows\system32\rbnnrrffbj.drv
C:\WINDOWS\system32\woinst32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rbnnrrffbj.drv

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-11 08:32 . 2002-08-29 15:41 1,004,032 --a------ C:\WINDOWS\explorer.exe
2008-04-11 07:48 . 2002-08-29 15:41 516,608 --a------ C:\WINDOWS\SYSTEM32\winlogon.exe
2008-04-10 23:46 . 2008-04-10 20:23 113,664 --a------ C:\WINDOWS\SYSTEM32\jfnnbjjbffj.nls
2008-04-10 20:44 . 2008-04-10 20:44 <DIR> d-------- C:\Documents and Settings\GRANT\Application Data\Symantec
2008-04-10 20:44 . 2008-04-10 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-10 20:22 . 2008-04-10 20:22 113,664 --a------ C:\WINDOWS\SYSTEM32\brbbrbbnjfj.nls
2008-04-10 20:12 . 2008-04-10 20:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-10 20:12 . 2008-04-10 21:08 <DIR> d-------- C:\Documents and Settings\GRANT\Application Data\AVG7
2008-04-10 20:11 . 2008-04-10 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-10 20:01 . 2008-04-10 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-10 19:52 . 2008-04-10 23:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 19:52 . 2008-04-10 19:52 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 21:45 . 2008-04-08 21:45 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2008-04-08 21:45 . 2008-04-08 21:45 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2008-04-08 21:40 . 2008-04-08 21:40 <DIR> d-------- C:\ComboFix
2008-04-05 12:52 . 2008-04-05 12:52 <DIR> d-------- C:\Deckard
2008-04-05 11:58 . 2008-04-05 10:54 113,664 --a------ C:\WINDOWS\SYSTEM32\fnrjfrjn.nls
2008-04-05 11:46 . 2008-04-05 11:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-02 20:28 . 2008-04-02 22:20 3,608 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-02 19:51 . 2008-04-02 23:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 19:51 . 2008-04-02 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:42 . 2003-12-06 17:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-31 13:06 . 2008-04-06 12:24 6,656 --a------ C:\WINDOWS\SYSTEM32\univrs32.dat
2008-03-30 19:13 . 2008-03-30 19:21 2 --a------ C:\-996810485
2008-03-22 12:36 . 2008-03-22 12:36 9,216 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-03-15 11:07 . 2008-03-15 11:07 244 --ah----- C:\sqmnoopt00.sqm
2008-03-15 11:07 . 2008-03-15 11:07 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 08:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-07 09:36 --------- d-----w C:\Program Files\Microsoft Encarta
2008-04-07 09:36 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-03-30 07:18 15,872 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe
2008-03-10 06:47 95,688 ----a-w C:\Documents and Settings\GRANT\Application Data\GDIPFONTCACHEV1.DAT
2008-03-04 03:51 95,688 ----a-w C:\Documents and Settings\KELLY\Application Data\GDIPFONTCACHEV1.DAT
2008-03-03 09:25 --------- d-----w C:\Program Files\Google
2008-03-01 20:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-03-01 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-03-01 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 19:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-29 22:18 --------- d-----w C:\Program Files\Macrogaming
2008-02-25 06:16 --------- d-----w C:\Program Files\Conduit
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\3.dat
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\2.dat
2005-09-22 05:03 0 ----a-w C:\Documents and Settings\GRANT\1.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\3.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\2.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\1.dat
.

------- Sigcheck -------

2008-03-30 19:18 15872 f51804d380ac8d04d78a036e2191bced C:\WINDOWS\SYSTEM32\svchost.exe
.
((((((((((((((((((((((((((((( snapshot_2008-04-10_20.17.51.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-08 09:45:40 821,856 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
+ 2008-04-10 08:12:05 821,856 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
- 2008-04-08 09:45:52 4,224 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
+ 2008-04-10 08:12:17 4,224 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
- 2008-04-08 09:45:52 27,776 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
+ 2008-04-10 08:12:18 27,776 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
- 2008-04-08 09:45:53 10,760 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
+ 2008-04-10 08:12:19 10,760 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
- 2008-04-08 09:45:53 26,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2008-04-10 08:12:19 26,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
- 2008-04-08 09:45:53 4,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
+ 2008-04-10 08:12:19 4,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
+ 2002-08-29 03:41:24 113,664 ----a-w C:\WINDOWS\TEMP\brrrrjnnjbb.sys
+ 2002-08-29 03:41:24 113,664 ----a-w C:\WINDOWS\TEMP\jnbfrjnf.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 17:22 68856]
"Sonic RecordNow!"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 04:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 04:07 114688]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 23:47 204800]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 11:51 25088]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 17:20 28672]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 05:04 114741]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-10 20:12 579072]
"ffrfrnrf"="C:\WINDOWS\TEMP\jnbfrjnf.sys WLEntryPoint" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-10 20:12 219136]

C:\Documents and Settings\KELLY\Start Menu\Programs\Startup\
OCRAWARE.lnk - C:\OPLIMIT\OCRAWARE.EXE [2004-01-19 11:29:10 51360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-12-06 17:19:20 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-06 17:22:28 125176]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 15:42:06 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2003-12-29 14:18:33 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"jffbrbjb"= rundll32.exe "C:\WINDOWS\System32\nbjnjnnnbbf.nls" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3CODECA.ACM
"vidc.iv41"= ir41_32.dll
"VIDC.WMV3"= wmv9vcm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\System32\drivers\ATMhelpr.sys [1997-06-17 03:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 06:36:05 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 23:51:00
Windows 5.1.2600 Service Pack 1 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System = cslmj.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINDOWS\system32\userinit.exe,

scanning hidden files ...

C:\WINDOWS\system32\woinst32.exe 705 bytes executable
C:\WINDOWS\system32\howiper.exe 3107 bytes executable
C:\WINDOWS\system32\cslmj.exe 51200 bytes executable
C:\WINDOWS\system32\filesaver32.exe 654111 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
Completion time: 2008-04-10 23:53:07
ComboFix-quarantined-files.txt 2008-04-10 11:52:50
ComboFix2.txt 2008-04-10 07:56:52
Pre-Run: 23,950,479,360 bytes free
Post-Run: 23,935,086,592 bytes free


Fixwareout log

Username "GRANT" - 04/10/2008 23:56:36 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="cslmj.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6DBC48F4-8269-4B48-BF85-E4C93A446BAA}
"nameserver"="85.255.113.126,85.255.112.102" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "jmlsc" Value deleted
HKCR\clsid\{2EB9E64D-B448-4C07-866D-C9956C1CF73E}\_h\4 Deleted.
C:\WINDOWS\System32\cslmj.exe Deleted
....
~~~~~ Misc files.
C:\Documents and Settings\GRANT\Application Data\uns.tmp Deleted
C:\Documents and Settings\GRANT\1.dat Deleted
C:\Documents and Settings\GRANT\2.dat Deleted
C:\Documents and Settings\GRANT\3.dat Deleted
C:\WINDOWS\BALLOON.WAV Deleted
C:\WINDOWS\Help\SPAlert.chm Deleted
C:\WINDOWS\RDT.INI Deleted
C:\WINDOWS\System32\dgprpsetup.exe Deleted
C:\WINDOWS\System32\filesaver32.exe Deleted
C:\WINDOWS\System32\howiper.exe Deleted
C:\WINDOWS\System32\msblank.html Deleted
C:\WINDOWS\System32\setupcarnival.exe Deleted
C:\WINDOWS\System32\winctrl16.exe Deleted
C:\WINDOWS\System32\winctrl32.exe Deleted
C:\WINDOWS\System32\winctrl64.exe Deleted
C:\WINDOWS\System32\WOINST32.EXE Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"PE2CKFNT SE"="C:\\Program Files\\Ulead Systems\\Ulead Photo Express 2 SE\\ChkFont.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ffrfrnrf"="rundll32.exe \"C:\\WINDOWS\\TEMP\\rnbrjjnfjbb.sys\" WLEntryPoint"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"Sonic RecordNow!"=""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


New HijackThis log

Deckard's System Scanner v20071014.68
Run by GRANT on 2008-04-11 00:01:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as GRANT.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:13 AM, on 4/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Dell\MEDIAE~1\PCMSER~1.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\COMMON~1\Sonic\UPDATE~1\sgtray.exe
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\WkUFind.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Google\GOOGLE~2\GOOGLE~1.EXE
C:\PROGRA~1\DIGITA~1\DLG.exe
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE
C:\PROGRA~1\ULEADS~1\ULEADP~1\CalCheck.exe
C:\DOCUME~1\GRANT\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\GRANT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ffrfrnrf] rundll32.exe "C:\WINDOWS\TEMP\rnbrjjnfjbb.sys" WLEntryPoint
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [jffbrbjb] rundll32.exe "C:\WINDOWS\System32\nbjnjnnnbbf.nls" WLEntryPoint
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/a-UNO1/GAME_UNO1.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/D...h2.1.0.0.68.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/cinematycoon.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O16 - DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} (ConnectivityTester Class) - http://ptcnz.tcnz.motive.com/lwp/static/in...aller_4-2-0.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/bingame/swet/default/S...ia.1.0.0.46.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

--
End of file - 8448 bytes

-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2008-04-10 23:53:11 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-10 23:44:41 0 d-------- C:\COMBOF~1
2008-04-10 20:44:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-10 20:44:55 0 d-------- C:\Documents and Settings\GRANT\Application Data\Symantec
2008-04-10 20:23:42 0 dr-h----- C:\$VAULT$.AVG
2008-04-10 20:12:42 0 d-------- C:\Documents and Settings\GRANT\Application Data\AVG7
2008-04-10 20:12:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-10 20:11:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-10 20:01:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-06 12:29:54 68096 --a------ C:\WINDOWS\zip.exe
2008-04-06 12:29:54 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-06 12:29:54 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-06 12:29:54 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-06 12:29:54 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-06 12:29:54 98816 --a------ C:\WINDOWS\sed.exe
2008-04-06 12:29:54 80412 --a------ C:\WINDOWS\grep.exe
2008-04-06 12:29:54 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-05 14:43:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-04-05 11:46:27 0 d-------- C:\WINDOWS\ERUNT
2008-04-02 20:28:48 3608 --a------ C:\WINDOWS\System32\tmp.reg
2008-04-02 19:51:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-02 19:42:37 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-02 19:42:37 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-02 19:42:37 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-02 19:42:37 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-02 19:42:37 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-02 19:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-02 19:42:36 794624 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-31 13:06:33 6656 --a------ C:\WINDOWS\System32\univrs32.dat
2008-03-30 19:18:46 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-30 19:13:55 2 --a------ C:\-996810485


-- Find3M Report ---------------------------------------------------------------

2008-04-10 20:51:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-08 21:37:11 0 d-------- C:\Program Files\Common Files
2008-04-07 21:36:41 0 d-------- C:\Program Files\Microsoft Encarta
2008-04-07 21:36:16 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-03-30 19:18:55 15872 --a------ C:\WINDOWS\System32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-10 18:47:57 95688 --a------ C:\Documents and Settings\GRANT\Application Data\GDIPFONTCACHEV1.DAT
2008-03-03 21:25:39 0 d-------- C:\Program Files\Google
2008-03-02 07:33:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-02 07:32:02 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-01 10:18:15 0 d-------- C:\Program Files\Macrogaming
2008-02-25 18:16:57 0 d-------- C:\Program Files\Conduit
2008-02-23 16:53:26 0 d-------- C:\Documents and Settings\GRANT\Application Data\Macromedia
2008-02-16 13:22:55 0 d-------- C:\Documents and Settings\GRANT\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 04:19 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 04:07 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 11:47 PM]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [07/03/1998 11:51 AM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [07/25/2002 05:20 PM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 01:01 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/06/2003 05:04 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/10/2008 08:12 PM]
"ffrfrnrf"="C:\WINDOWS\TEMP\rnbrjjnfjbb.sys WLEntryPoint" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/06/2007 05:22 PM]
"Sonic RecordNow!"="" []

C:\Documents and Settings\GRANT\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:00:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:00:00 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [12/6/2003 5:19:20 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [4/6/2007 5:22:28 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [9/16/2002 3:42:06 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [12/29/2003 2:18:33 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"jffbrbjb"=rundll32.exe "C:\WINDOWS\System32\nbjnjnnnbbf.nls" WLEntryPoint





-- End of Deckard's System Scanner: finished at 2008-04-11 00:01:40 ------------
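Taken together, the logs above show the persistence pattern that the helper's CFScript goes after: rundll32.exe loading a module with a non-DLL extension (.sys, .nls, .drv) out of %TEMP% or System32 through an export named WLEntryPoint, registered both under the ordinary Run key and under Policies\Explorer\Run; a Winlogon "System" value pointing at cslmj.exe; and the interface "nameserver" value pointing at two 85.255.x.x resolvers that Fixwareout cleared. The Python script below is an added example for this thread, not part of the original post and not a component of DSS, ComboFix, Fixwareout or HijackThis. It runs those same checks over constructed sample lines modelled on the logs (with one benign rundll32 line included so the rules can be seen not to fire on it). The 85.255.112.0/20 watchlist range and the "few distinct letters" filename heuristic are assumptions made for the example; the thread itself only shows the individual values.

```python
r"""Triage autostart and resolver entries from HijackThis / Fixwareout style logs.

Added example for this thread; not part of any tool named on the page. The rules
encode what the logs show: rundll32 loading a module with a non-.dll extension
out of TEMP or System32 via an exported "WLEntryPoint", persistence under
Policies\Explorer\Run, a non-empty Winlogon "System" value, and resolvers pointed
at a rogue range.
"""
import ipaddress
import re
from typing import List, Tuple

# Assumption: treat 85.255.112.0/20 as a hostile resolver range. The thread only
# shows Fixwareout clearing two addresses from it; the /20 is a watchlist entry
# chosen for this example, not something the page states.
ROGUE_DNS_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed sample modelled on the logs in this thread, plus one benign
# rundll32 line (NvCplDaemon) that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ffrfrnrf] rundll32.exe "C:\WINDOWS\TEMP\rnbrjjnfjbb.sys" WLEntryPoint
O4 - HKLM\..\Policies\Explorer\Run: [jffbrbjb] rundll32.exe "C:\WINDOWS\System32\nbjnjnnnbbf.nls" WLEntryPoint
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM\SOFTWARE\~\Winlogon\ "System"="cslmj.exe"
"nameserver"="85.255.113.126,85.255.112.102"
"""

# HijackThis O4 line: hive, key path, value name, command line.
AUTORUN_RE = re.compile(r'^O4 - (HK\S+?)\\\.\.\\(.+?): \[([^\]]+)\] (.+)$')
# rundll32 <module> <export>, with the module either quoted or bare and the
# export separated by a comma or whitespace.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^",\s]+))[,\s]+(\w+)', re.IGNORECASE)
# Fixwareout-style Winlogon check line: ... Winlogon\ "System"="cslmj.exe"
WINLOGON_RE = re.compile(r'Winlogon\\\s*"(\w+)"="([^"]*)"', re.IGNORECASE)
NAMESERVER_RE = re.compile(r'"nameserver"="([^"]*)"', re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic drawn from the names on this page (rnbrjjnfjbb, nbjnjnnnbbf, ...):
    a long name built from five or fewer distinct letters. An assumption, not a rule
    any of the tools in the thread apply."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 8 and len(set(letters)) <= 5


def check_module(path: str) -> List[str]:
    """Reasons a module handed to rundll32 looks hostile (empty list = nothing found)."""
    p = path.lower().replace("/", "\\")
    filename = p.rsplit("\\", 1)[-1]
    stem, sep, ext = filename.rpartition(".")
    if not sep:                      # no extension at all
        stem, ext = ext, ""
    reasons = []
    if ext != "dll":
        reasons.append(f"rundll32 loading a non-DLL extension (.{ext or 'none'})")
    if "\\temp\\" in p:
        reasons.append("module lives under a TEMP directory")
    if looks_random(stem):
        reasons.append("random-looking filename with very few distinct letters")
    return reasons


def rogue_nameservers(value: str) -> List[str]:
    """Resolver addresses from a comma-separated list that fall inside a watchlisted range."""
    hits = []
    for token in value.split(","):
        token = token.strip()
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:           # not an address; skip it
            continue
        if any(addr in net for net in ROGUE_DNS_NETS):
            hits.append(token)
    return hits


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every log line that trips at least one rule."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons: List[str] = []
        m = AUTORUN_RE.match(line)
        if m:
            key, cmd = m.group(2), m.group(4)
            if "policies\\explorer\\run" in key.lower():
                reasons.append("persists via Policies\\Explorer\\Run, which legitimate software rarely uses")
            rm = RUNDLL_RE.search(cmd)
            if rm:
                reasons += check_module(rm.group(1) or rm.group(2))
        wm = WINLOGON_RE.search(line)
        if wm and wm.group(1).lower() == "system" and wm.group(2):
            reasons.append("Winlogon System value is set; the default is empty")
        nm = NAMESERVER_RE.search(line)
        if nm:
            hits = rogue_nameservers(nm.group(1))
            if hits:
                reasons.append("resolver(s) in watchlisted range: " + ", ".join(hits))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("   ->", reason)
```

To use it on a real case, replace SAMPLE_LOG with the contents of a saved HijackThis or Fixwareout log; each flagged line is printed with the rules it tripped, while ordinary entries such as AVG7_CC and the NvCpl.dll rundll32 line produce nothing. The Winlogon rule is the same condition that catchme's "hidden autostart entries" list and Fixwareout's prerun check both surfaced above.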

#13 Buckeye_Sam (Malware Expert, Pickerington, Ohio; 17,382 posts)

Posted 10 April 2008 - 07:12 AM

Stubborn little booger.

Copy and paste ALL the following text (the quoted block below) into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\System32\nbjnjnnnbbf.nls

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"jffbrbjb"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ffrfrnrf"=-
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged and dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



==================



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 Korpse (Topic Starter, New Zealand; 32 posts)

Posted 10 April 2008 - 03:32 PM

I ran the F-Secure Online Scanner - it took a couple of hours to scan, so I kicked off the cleaning and went to bed (was about 1:30 am) - when I got up this morning, Windows had run out of virtual memory, and Internet Explorer crashed before I could see the results or get a log for you. I do recall the green bar being most if not all the way through on the cleaning. F-Secure reported over 600 viruses, but only 11 of these were outside of the System Restore directories. Should I disable/enable System Restore and try the F-Secure scan again?

ComboFix log:

ComboFix 08-04-03.5 - GRANT 2008-04-11 0:16:21.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.77 [GMT 12:00]
Running from: C:\DOCUME~1\GRANT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\GRANT\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\nbjnjnnnbbf.nls
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\nbjnjnnnbbf.nls

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-11 08:32 . 2002-08-29 15:41 1,004,032 --a------ C:\WINDOWS\explorer.exe
2008-04-11 08:32 . 2002-08-29 15:41 113,664 --a------ C:\WINDOWS\SYSTEM32\njfnffnbbf.sys
2008-04-11 07:48 . 2002-08-29 15:41 516,608 --a------ C:\WINDOWS\SYSTEM32\winlogon.exe
2008-04-10 23:56 . 2008-04-11 00:00 <DIR> d-------- C:\fixwareout
2008-04-10 23:46 . 2008-04-10 20:23 113,664 --a------ C:\WINDOWS\SYSTEM32\jfnnbjjbffj.nls
2008-04-10 23:44 . 2008-04-10 23:53 <DIR> d-------- C:\COMBOF~1
2008-04-10 20:44 . 2008-04-10 20:44 <DIR> d-------- C:\Documents and Settings\GRANT\Application Data\Symantec
2008-04-10 20:44 . 2008-04-10 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-10 20:22 . 2008-04-10 20:22 113,664 --a------ C:\WINDOWS\SYSTEM32\brbbrbbnjfj.nls
2008-04-10 20:12 . 2008-04-10 20:12 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-10 20:12 . 2008-04-10 21:08 <DIR> d-------- C:\Documents and Settings\GRANT\Application Data\AVG7
2008-04-10 20:11 . 2008-04-10 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-10 20:01 . 2008-04-10 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-10 19:52 . 2008-04-10 23:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 19:52 . 2008-04-10 19:52 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 21:45 . 2008-04-08 21:45 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2008-04-08 21:45 . 2008-04-08 21:45 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2008-04-05 12:52 . 2008-04-05 12:52 <DIR> d-------- C:\Deckard
2008-04-05 11:58 . 2008-04-05 10:54 113,664 --a------ C:\WINDOWS\SYSTEM32\fnrjfrjn.nls
2008-04-05 11:46 . 2008-04-05 11:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-02 20:28 . 2008-04-02 22:20 3,608 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-02 19:51 . 2008-04-02 23:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 19:51 . 2008-04-02 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 19:42 . 2003-12-06 17:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-31 13:06 . 2008-04-06 12:24 6,656 --a------ C:\WINDOWS\SYSTEM32\univrs32.dat
2008-03-30 19:13 . 2008-03-30 19:21 2 --a------ C:\-996810485
2008-03-22 12:36 . 2008-03-22 12:36 9,216 --ahs---- C:\WINDOWS\SYSTEM32\Thumbs.db
2008-03-15 11:07 . 2008-03-15 11:07 244 --ah----- C:\sqmnoopt00.sqm
2008-03-15 11:07 . 2008-03-15 11:07 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 08:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-07 09:36 --------- d-----w C:\Program Files\Microsoft Encarta
2008-04-07 09:36 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-03-30 07:18 15,872 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe
2008-03-10 06:47 95,688 ----a-w C:\Documents and Settings\GRANT\Application Data\GDIPFONTCACHEV1.DAT
2008-03-04 03:51 95,688 ----a-w C:\Documents and Settings\KELLY\Application Data\GDIPFONTCACHEV1.DAT
2008-03-03 09:25 --------- d-----w C:\Program Files\Google
2008-03-01 20:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\IM
2008-03-01 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-03-01 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 19:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-29 22:18 --------- d-----w C:\Program Files\Macrogaming
2008-02-25 06:16 --------- d-----w C:\Program Files\Conduit
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\3.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\2.dat
2005-09-21 04:46 0 ----a-w C:\Documents and Settings\BRIAR\1.dat
.

------- Sigcheck -------

2008-03-30 19:18 15872 f51804d380ac8d04d78a036e2191bced C:\WINDOWS\SYSTEM32\svchost.exe
.
((((((((((((((((((((((((((((( snapshot_2008-04-10_20.17.51.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-08-28 21:00:00 157,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wbemtest.exe
- 2008-04-08 09:45:40 821,856 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
+ 2008-04-10 08:12:05 821,856 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
- 2008-04-08 09:45:52 4,224 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
+ 2008-04-10 08:12:17 4,224 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
- 2008-04-08 09:45:52 27,776 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
+ 2008-04-10 08:12:18 27,776 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
- 2008-04-08 09:45:53 10,760 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
+ 2008-04-10 08:12:19 10,760 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
- 2008-04-08 09:45:53 26,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2008-04-10 08:12:19 26,952 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
- 2008-04-08 09:45:53 4,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
+ 2008-04-10 08:12:19 4,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
+ 2002-08-28 21:00:00 157,696 ----a-w C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE
+ 2002-08-29 03:41:24 113,664 ----a-w C:\WINDOWS\TEMP\jfnrbrfb.drv
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 17:22 68856]
"Sonic RecordNow!"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 04:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 04:07 114688]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 23:47 204800]
"PE2CKFNT SE"="C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 11:51 25088]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 17:20 28672]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 05:04 114741]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-10 20:12 579072]
"jrjfnrbb"="C:\WINDOWS\TEMP\jfnrbrfb.drv WLEntryPoint" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-10 20:12 219136]

C:\Documents and Settings\KELLY\Start Menu\Programs\Startup\
OCRAWARE.lnk - C:\OPLIMIT\OCRAWARE.EXE [2004-01-19 11:29:10 51360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-12-06 17:19:20 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-06 17:22:28 125176]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2002-09-16 15:42:06 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Photo Express Calendar Checker SE.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2003-12-29 14:18:33 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"rrjbnjrf"= rundll32.exe "C:\WINDOWS\System32\njfnffnbbf.sys" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3CODECA.ACM
"vidc.iv41"= ir41_32.dll
"VIDC.WMV3"= wmv9vcm.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\System32\drivers\ATMhelpr.sys [1997-06-17 03:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 06:36:05 C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 00:19:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 0:21:07
ComboFix-quarantined-files.txt 2008-04-10 12:20:46
ComboFix2.txt 2008-04-10 11:53:08
ComboFix3.txt 2008-04-10 07:56:52
Pre-Run: 23,944,912,896 bytes free
Post-Run: 23,929,597,952 bytes free

#15 Buckeye_Sam (Malware Expert, Pickerington, Ohio; 17,382 posts)

Posted 10 April 2008 - 05:36 PM

We've still got issues. Let's try this another way.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Please post the contents of the log from DrWeb and a new combofix log in your next reply.

========================================================
