Trojan And Quickbrowsersearch Problem


  • This topic is locked
14 replies to this topic

#1 Kulaid247

  • Members
  • 10 posts

Posted 14 April 2008 - 07:13 PM

I will post this first to make sure I am posting in the right area.

If correct I will post my DSS scans.

I need help in removing jJTrojan-backdoor-progdav and quickbrowsersearch.com problems
-----------
-----------
This seems to be the right place so I will post my scans...

Kaspersky Reports cannot run since I cannot use the internet on that computer

Main Txt:

Deckard's System Scanner v20071014.68
Run by colin on 2008-04-14 19:00:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as colin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:01 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
I:\MY DOWNLOADS\dss.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\colin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63AB48C9-01A8-495C-8194-A715DB8A37A2} - (no file)
O2 - BHO: (no name) - {EC0E7203-84AE-43D0-9D27-CDCE730EBCB5} - C:\WINDOWS\system32\ddCRIYOe.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - blank (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] "C:\Documents and Settings\colin\cftmon.exe"
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\system32\icasServ.exe
O4 - HKLM\..\Run: [e8f0057a] rundll32.exe "C:\WINDOWS\system32\wmmhwhkm.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BMebc336e6] Rundll32.exe "C:\WINDOWS\system32\hnbqkert.dll",s
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] "C:\Documents and Settings\colin\cftmon.exe"
O4 - HKUS\S-1-5-21-3652532381-1387019385-737052560-1003\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" (User 'user')
O4 - HKUS\S-1-5-21-3652532381-1387019385-737052560-1005\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1105\..\Run: [amsnmsg] C:\WINNT\System32\amsnmsg.exe (User 'ed')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [Steam] (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" (User 'jim')
O4 - HKUS\S-1-5-21-3803563418-3221506369-2245822553-1106\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'jim')
O4 - HKUS\S-1-5-18\..\Run: [qrqk] C:\PROGRA~1\COMMON~1\qrqk\qrqkm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [qrqk] C:\PROGRA~1\COMMON~1\qrqk\qrqkm.exe (User 'Default user')
O4 - S-1-5-21-3803563418-3221506369-2245822553-1106 Startup: Xfire.lnk = Program Files\Xfire\Xfire.exe (User 'jim')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol toolbar 2.0\aoltbres.dll/search.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kulasik.com
O17 - HKLM\Software\..\Telephony: DomainName = kulasik.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kulasik.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.70
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = kulasik.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.70
O18 - Protocol: bw+0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: winword.dll
O20 - Winlogon Notify: pMddeCsr - pMddeCsr.dll (file missing)
O21 - SSODL: SrvUnknown - {dd890c13-8125-473c-910e-68350f257fe2} - C:\WINDOWS\Resources\SrvUnknown.dll
O23 - Service: AdaptecStorageManagerAgent - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 23228 bytes

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 AACmgt - c:\windows\system32\drivers\aacmgt.sys <Not Verified; Adaptec, Inc.; Adaptec RAID Controller>
R0 aarsi3x - c:\windows\system32\drivers\aarsi3x.sys <Not Verified; Adaptec, Inc.; Adaptec HostRAID for Serial ATA>
R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 rootmdmm - c:\windows\system32\drivers\rootmdmm.sys
R3 SMBios (Intel System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel System Management BIOS Driver>

S0 aar1210 - c:\windows\system32\drivers\aar1210.sys <Not Verified; Adaptec, Inc.; Adaptec HostRAID for Serial ATA>
S0 szkg - c:\windows\system32\drivers\szkg.sys (file missing)
S3 jatmlano - c:\documents and settings\jim\local settings\temp\jatmlano.sys
S3 TIEHDUSB - c:\windows\system32\drivers\tiehdusb.sys <Not Verified; Texas Instruments Incorporated; Texas Instruments Incorporated Educational Handheld Device>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 AdaptecStorageManagerAgent - "c:\program files\adaptec\adaptec storage manager\storserv.exe" <Not Verified; Adaptec Incorporated; Adaptec Storage Manager>
S2 ICF - c:\windows\system32\svchost.exe:exe.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Sound Blaster Live! 24-bit
Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10061102&REV_00\4&23C0B1C&0&18F0
Manufacturer: Creative Technology Ltd.
Name: Sound Blaster Live! 24-bit
PNP Device ID: PCI\VEN_1102&DEV_0007&SUBSYS_10061102&REV_00\4&23C0B1C&0&18F0
Service: P17


-- Scheduled Tasks -------------------------------------------------------------

2008-04-14 17:31:44 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-08 19:25:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2008-04-14 19:00:05 3648 --a------ C:\WINDOWS\system32\kuppeogr.dll
2008-04-14 18:59:59 96320 --a------ C:\WINDOWS\system32\hnbqkert.dll
2008-04-14 18:52:44 92224 --a------ C:\WINDOWS\system32\sjexioyx.dll
2008-04-14 18:52:42 85056 -----n--- C:\WINDOWS\system32\wmmhwhkm.dll
2008-04-14 18:50:38 3648 --a------ C:\WINDOWS\system32\mvlyiifu.dll
2008-04-14 18:50:32 96320 --a------ C:\WINDOWS\system32\fpsdhdxk.dll
2008-04-14 17:37:46 85056 -----n--- C:\WINDOWS\system32\tgtxfjyi.dll
2008-04-14 17:34:53 92224 --a------ C:\WINDOWS\system32\fwxppcmw.dll
2008-04-14 17:32:26 3648 --a------ C:\WINDOWS\system32\qfwbtucr.dll
2008-04-14 17:32:20 96320 --a------ C:\WINDOWS\system32\nrbjcyup.dll
2008-04-14 17:30:30 0 d--hs---- C:\WINDOWS\system32\wsnpoem
2008-04-14 17:14:12 0 dr-h----- C:\Documents and Settings\colin\Recent
2008-04-14 17:06:05 0 d-------- C:\Program Files\Trend Micro
2008-04-14 16:46:22 92224 --a------ C:\WINDOWS\system32\jnxmhlyi.dll
2008-04-14 16:46:19 85056 -----n--- C:\WINDOWS\system32\brbvtrpo.dll
2008-04-14 16:44:12 3648 --a------ C:\WINDOWS\system32\yocjncvh.dll
2008-04-14 16:44:06 96320 --a------ C:\WINDOWS\system32\eexqejlk.dll
2008-04-14 15:36:48 3648 --a------ C:\WINDOWS\system32\avnxcqtm.dll
2008-04-14 15:36:41 96320 --a------ C:\WINDOWS\system32\qvabgtdu.dll
2008-04-14 10:56:47 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-14 01:11:49 92736 --a------ C:\WINDOWS\system32\ufowgdad.dll
2008-04-14 01:08:49 3648 --a------ C:\WINDOWS\system32\ucrtraas.dll
2008-04-14 01:05:49 95296 --a------ C:\WINDOWS\system32\frqvihke.dll
2008-04-13 01:08:50 92736 --a------ C:\WINDOWS\system32\kgofmpaj.dll
2008-04-13 01:05:50 3648 --a------ C:\WINDOWS\system32\rhgnndyc.dll
2008-04-13 01:03:16 94272 --a------ C:\WINDOWS\system32\btrtdept.dll
2008-04-12 01:04:48 91712 --a------ C:\WINDOWS\system32\xblpyocj.dll
2008-04-12 01:02:51 3648 --a------ C:\WINDOWS\system32\uypjcdfi.dll
2008-04-12 01:02:45 94784 --a------ C:\WINDOWS\system32\pdaatjfw.dll
2008-04-12 00:00:28 91712 --a------ C:\WINDOWS\system32\evflcxeb.dll
2008-04-11 23:55:47 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-11 23:55:39 0 d-------- C:\Program Files\Webroot
2008-04-11 23:55:39 0 d-------- C:\Documents and Settings\colin\Application Data\Webroot
2008-04-11 23:55:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-11 23:54:24 3648 --a------ C:\WINDOWS\system32\tngiypfb.dll
2008-04-11 23:54:19 94784 --a------ C:\WINDOWS\system32\ahndtgtt.dll
2008-04-11 17:10:27 91712 --a------ C:\WINDOWS\system32\oilrpcad.dll
2008-04-11 17:09:38 0 d-------- C:\Program Files\AskSBar
2008-04-11 17:08:18 3648 --a------ C:\WINDOWS\system32\xlxdfnqr.dll
2008-04-11 17:08:12 94784 --a------ C:\WINDOWS\system32\knfhgoei.dll
2008-04-11 02:26:13 3648 --a------ C:\WINDOWS\system32\fflujqnn.dll
2008-04-11 02:23:13 88128 --a------ C:\WINDOWS\system32\gwfikqdr.dll
2008-04-10 14:18:35 66770 --ahs---- C:\Documents and Settings\LocalService\cftmon.exe
2008-04-09 23:57:20 147 --a------ C:\clean0.bat
2008-04-09 23:57:15 13312 --a------ C:\gjtxc.exe
2008-04-09 23:56:55 37888 --a------ C:\WINDOWS\system32\ssqQjKec.dll
2008-04-09 23:56:37 54 --a------ C:\smp.bat
2008-04-09 23:56:06 5120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-04-09 23:56:06 5120 --a------ C:\Documents and Settings\colin\ftpdll.dll
2008-04-09 23:55:56 10 --a------ C:\WINDOWS\system32\kr_done1
2008-04-09 23:55:55 0 d-------- C:\Documents and Settings\colin\Application Data\Anti-Virus-Pro.com
2008-04-09 23:55:51 0 d-------- C:\Program Files\AntiVirusPro
2008-04-09 23:55:35 39785 ---hs---- C:\WINDOWS\system32\drivers\spools.exe
2008-04-09 23:55:35 12800 --a------ C:\WINDOWS\system32\~.exe
2008-04-09 23:55:35 89341 --ahs---- C:\Documents and Settings\colin\cftmon.exe
2008-04-09 22:25:42 264506 --ahs---- C:\WINDOWS\system32\eOYIRCdd.ini2
2008-04-09 22:25:40 270336 -----n--- C:\WINDOWS\system32\ddCRIYOe.dll
2008-04-09 21:19:54 345 --ahs---- C:\WINDOWS\system32\YHNnmUvw.ini2
2008-04-09 21:19:53 270336 --a------ C:\WINDOWS\system32\wvUmnNHY.dll
2008-04-09 21:15:26 942592 --a------ C:\winlogon.exe
2008-04-09 21:15:17 38400 --a------ C:\WINDOWS\mrofinu1188.exe
2008-04-09 21:15:02 86144 --a------ C:\WINDOWS\system32\drivers\rootmdmm.sys
2008-04-09 21:15:01 0 d-------- C:\WINDOWS\system32\pinz1
2008-04-09 21:15:01 0 d-------- C:\WINDOWS\system32\IDE2
2008-04-09 21:15:01 0 d-------- C:\WINDOWS\system32\ExTmp
2008-04-09 21:15:00 0 d-------- C:\WINDOWS\system32\bharebio05
2008-04-09 21:15:00 0 d-------- C:\Temp
2008-03-30 08:02:13 190464 --a------ C:\WINDOWS\system32\msram.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-12 00:59:09 0 d-------- C:\Documents and Settings\colin\Application Data\Xfire
2008-03-20 21:48:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-20 21:38:31 0 d-------- C:\Program Files\Activision
2008-03-14 17:55:47 0 d-------- C:\Program Files\Call of Duty


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
04/11/2008 05:09 PM 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63AB48C9-01A8-495C-8194-A715DB8A37A2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC0E7203-84AE-43D0-9D27-CDCE730EBCB5}]
04/09/2008 10:25 PM 270336 --------- C:\WINDOWS\system32\ddCRIYOe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/11/2008 05:09 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [04/11/2008 05:09 PM 267592]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 08:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 02:03 PM]
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [09/17/2003 10:43 AM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/25/2006 09:03 AM]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 07:00 AM C:\WINDOWS\system32\rundll32.exe]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/17/2005 12:11 AM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [07/25/2005 01:01 PM]
"nwiz"="nwiz.exe" [10/22/2006 01:22 PM C:\WINDOWS\system32\nwiz.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 07:00 AM]
"NvMediaCenter"="RUNDLL32.exe" [08/04/2004 07:00 AM C:\WINDOWS\system32\rundll32.exe]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [01/11/2007 01:01 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [01/11/2007 12:58 PM]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [11/16/2006 11:01 AM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/09/2008 11:55 PM]
"autoload"="C:\Documents and Settings\colin\cftmon.exe" [04/14/2008 05:30 PM]
"icasServ"="C:\WINDOWS\system32\icasServ.exe" [04/10/2006 11:56 PM]
"e8f0057a"="C:\WINDOWS\system32\wmmhwhkm.dll" [04/14/2008 06:52 PM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/2007 04:40 PM]
"BMebc336e6"="C:\WINDOWS\system32\hnbqkert.dll" [04/14/2008 06:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [05/10/2005 11:34 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [11/22/2004 09:18 AM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/09/2008 11:55 PM]
"autoload"="C:\Documents and Settings\colin\cftmon.exe" [04/14/2008 05:30 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"qrqk"=C:\PROGRA~1\COMMON~1\qrqk\qrqkm.exe
"CU1"=
"CU2"=
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe
"userinit"=C:\WINDOWS\system32\ntos.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 5:44:06 AM]
Audible Download Manager.lnk - C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe [11/21/2006 12:49:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvUnknown"= {dd890c13-8125-473c-910e-68350f257fe2} - C:\WINDOWS\Resources\SrvUnknown.dll [04/09/2008 11:56 PM 12330]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pMddeCsr]
pMddeCsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=winword.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddCRIYOe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0585f47b-5f1a-11db-b906-00111164d970}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90b0c731-2d23-11d9-afb5-806d6172696f}]
AutoRun\command- D:\AutoRun.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost #***Inserted By STOPzilla***
127.0.0.1 600pics.com # ***Inserted By STOPzilla***
127.0.0.1 a1.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 all-websearch.com # ***Inserted By STOPzilla***
127.0.0.1 bailefunk.com # ***Inserted By STOPzilla***
127.0.0.1 best4all.net # ***Inserted By STOPzilla***
127.0.0.1 besthardcore.net # ***Inserted By STOPzilla***
127.0.0.1 bundleware.com # ***Inserted By STOPzilla***
127.0.0.1 coolwebsearch.com # ***Inserted By STOPzilla***

1686 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-14 19:01:41 ------------

Merged posts. ~ OB



Edited by Orange Blossom, 14 April 2008 - 07:39 PM.
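
The registry dump in the post above is where the real infection shows, not in the Run keys alone: the Userinit chain loads a second binary, the LSA Authentication Packages list carries an extra DLL, AppInit_DLLs is set, a Winlogon Notify DLL is registered and a ShellServiceObjectDelayLoad entry is present. Each of these is a persistence point that survives a Run-key-only cleanup. The Python below is an added example for this thread, not part of the post or of DSS/ComboFix: it parses the dump format shown above (section header in brackets, then `"name"=data [date size]` lines) and flags the entries an analyst would pull out by hand, with a reason for each. SAMPLE_DUMP is constructed from entries in the post; the heuristics (hex-named Run values, an EXE under \drivers, an executable dropped in a profile root, anything started from the .DEFAULT hive) are general rules of thumb I chose, not a signature for this specific infection.

```python
"""Triage the registry loading points in a DSS / ComboFix log.
Added example, not part of the thread or of either tool.
SAMPLE_DUMP is constructed from the entries shown in post #1."""
import re
from typing import Dict, List, Tuple

SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/09/2008 11:55 PM]
"autoload"="C:\Documents and Settings\colin\cftmon.exe" [04/14/2008 05:30 PM]
"e8f0057a"="C:\WINDOWS\system32\wmmhwhkm.dll" [04/14/2008 06:52 PM]
"BMebc336e6"="C:\WINDOWS\system32\hnbqkert.dll" [04/14/2008 06:59 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"userinit"=C:\WINDOWS\system32\ntos.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pMddeCsr]
pMddeCsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=winword.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddCRIYOe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SrvUnknown"= {dd890c13-8125-473c-910e-68350f257fe2} - C:\WINDOWS\Resources\SrvUnknown.dll [04/09/2008 11:56 PM 12330]
"""

VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TRAILING_META = re.compile(r"\s*\[[^\]]*\]\s*$")      # the " [date size]" suffix
HEX_NAME = re.compile(r"^(BM)?[0-9a-f]{8}$", re.I)    # e8f0057a, BMebc336e6 (heuristic)
PROFILE_ROOT = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$")

Finding = Tuple[str, str, str]   # (registry key, value name, reason)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_dump(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each [key] header to its (value name, data) pairs.  A bare line
    under a winlogon\notify key is the DLL name the scanner prints there."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")      # "[-KEY]" is the deletion form; keep the name
            sections.setdefault(key, [])
            continue
        if key is None:
            continue
        m = VALUE_LINE.match(line)
        if m:
            data = TRAILING_META.sub("", m.group(2)).strip().strip('"')
            sections[key].append((m.group(1), data))
        elif "\\notify\\" in key.lower():
            sections[key].append((line, ""))
    return sections


def triage(sections: Dict[str, List[Tuple[str, str]]]) -> List[Finding]:
    """Return the entries an analyst should look at, each with its reason."""
    findings: List[Finding] = []
    for key, values in sections.items():
        k = key.lower()
        for name, data in values:
            n = name.lower()
            if k.endswith("\\winlogon") and n == "userinit":
                # Only userinit.exe belongs here; anything else runs before the shell
                extra = [p.strip() for p in data.split(",")
                         if p.strip() and _basename(p.strip()) != "userinit.exe"]
                if extra:
                    findings.append((key, name, "Userinit chain also loads " + ", ".join(extra)))
            elif "\\winlogon\\notify\\" in k:
                findings.append((key, name, "Winlogon Notify DLL is loaded into winlogon.exe as SYSTEM"))
            elif k.endswith("\\lsa") and n == "authentication packages":
                extra = [p for p in data.split() if p.lower() != "msv1_0"]
                if extra:
                    findings.append((key, name, "non-default LSA authentication package " + ", ".join(extra)))
            elif n == "appinit_dlls" and data:
                findings.append((key, name, "AppInit_DLLs injects %s into every process that loads user32.dll" % data))
            elif k.endswith("\\shellserviceobjectdelayload"):
                findings.append((key, name, "SSODL entry loaded by explorer.exe at logon (scanner filters the defaults)"))
            elif k.endswith("\\run"):
                reasons = []
                if "\\.default\\" in k:
                    reasons.append("runs from the .DEFAULT hive (service / pre-logon sessions)")
                if HEX_NAME.match(name):
                    reasons.append("random hex value name")
                if _basename(data).endswith(".dll"):
                    reasons.append("Run value points straight at a DLL")
                if "\\drivers\\" in data.lower() and _basename(data).endswith(".exe"):
                    reasons.append("EXE hidden in the drivers directory")
                if PROFILE_ROOT.match(data.lower()):
                    reasons.append("executable dropped directly in a user profile root")
                if reasons:
                    findings.append((key, name, "; ".join(reasons)))
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(parse_dump(text))


if __name__ == "__main__":
    for key, name, reason in triage_text(SAMPLE_DUMP):
        print("%-24s %s\n    %s" % (name, key, reason))
```

Run against the sample it reports ten entries and leaves the Windows Defender Run value alone. The Userinit, LSA, AppInit_DLLs and Notify checks are the ones worth keeping around: they are the loading points that reinstall a Run-key payload after it has been deleted.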



#2 Buckeye_Sam (Malware Expert)

Posted 15 April 2008 - 06:20 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Kulaid247 (Topic Starter)

Posted 15 April 2008 - 09:53 AM

Buckeye_Sam

Attached is the log.

Please advise....




#4 Buckeye_Sam (Malware Expert)

Posted 15 April 2008 - 11:12 AM

Kulaid247, going forward please copy and paste the text from your logs directly into your post instead of attaching them. It just makes it much easier for me to review.

ComboFix 08-04-14.2 - colin 2008-04-15 9:22:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1603 [GMT -5:00]
Running from: I:\MY DOWNLOADS\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 28160 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Uninstall.lnk
C:\Documents and Settings\colin\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\colin\Application Data\CROSOF~1
C:\Documents and Settings\colin\Application Data\ECURIT~1
C:\Documents and Settings\colin\Application Data\FNTS~1
C:\Documents and Settings\colin\Application Data\MANTEC~1
C:\Documents and Settings\colin\Application Data\SMBOLS~1
C:\Documents and Settings\colin\Application Data\SpamBlockerUtility_Icons
C:\Documents and Settings\colin\Application Data\SpamBlockerUtility_Icons\Registryrepair.ico
C:\Documents and Settings\colin\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
C:\Documents and Settings\colin\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
C:\Documents and Settings\colin\My Documents\SEMBLY~1
C:\Documents and Settings\colin\My Documents\SKS~1
C:\Documents and Settings\colin\My Documents\SMBOLS~1
C:\Documents and Settings\colin\My Documents\YSTEM3~1
C:\Program Files\AntiVirusPro
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.local
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.log
C:\Program Files\AntiVirusPro\Core.dll
C:\Program Files\AntiVirusPro\database.pkg
C:\Program Files\AntiVirusPro\Localization.dll
C:\Program Files\AntiVirusPro\msvcp71.dll
C:\Program Files\AntiVirusPro\msvcr71.dll
C:\Program Files\AntiVirusPro\Uninstall.exe
C:\Program Files\AntiVirusPro\WndSystem.dll
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\sks~1
C:\Program Files\crosof~1
C:\Program Files\fnts~1
C:\Program Files\wnsxs~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\asks~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\racle~1
C:\WINDOWS\resources\SrvUnknown.dll
C:\WINDOWS\system32\ahndtgtt.dll
C:\WINDOWS\system32\brbvtrpo.dll
C:\WINDOWS\system32\btrtdept.dll
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\ddCRIYOe.dll
C:\WINDOWS\system32\drivers\LUF46.sys
C:\WINDOWS\system32\drivers\rootmdmm.sys
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\eexqejlk.dll
C:\WINDOWS\system32\eOYIRCdd.ini
C:\WINDOWS\system32\eOYIRCdd.ini2
C:\WINDOWS\system32\evflcxeb.dll
C:\WINDOWS\system32\fpsdhdxk.dll
C:\WINDOWS\system32\frqvihke.dll
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\system32\fwxppcmw.dll
C:\WINDOWS\system32\gwfikqdr.dll
C:\WINDOWS\system32\hnbqkert.dll
C:\WINDOWS\system32\hxidrnnx.dll
C:\WINDOWS\system32\iyjfxtgt.ini
C:\WINDOWS\system32\jnxmhlyi.dll
C:\WINDOWS\system32\kgofmpaj.dll
C:\WINDOWS\system32\knfhgoei.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\lfgonstu.ini
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\msram.dll
C:\WINDOWS\system32\nrbjcyup.dll
C:\WINDOWS\system32\oilrpcad.dll
C:\WINDOWS\system32\oprtvbrb.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pdaatjfw.dll
C:\WINDOWS\system32\qvabgtdu.dll
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\sjexioyx.dll
C:\WINDOWS\system32\ssqQjKec.dll
C:\WINDOWS\system32\tgtxfjyi.dll
C:\WINDOWS\system32\ufowgdad.dll
C:\WINDOWS\system32\utsnogfl.dll
C:\WINDOWS\system32\wintsvsu.exe
C:\WINDOWS\system32\wvUmnNHY.dll
C:\WINDOWS\system32\xblpyocj.dll
C:\WINDOWS\system32\YHNnmUvw.ini
C:\WINDOWS\system32\YHNnmUvw.ini2
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\unist1.htm
C:\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF
-------\Legacy_LUF46
-------\Legacy_NETWORK_MONITOR
-------\Legacy_ROOTMDMM
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_ICF
-------\Service_LUF46
-------\Service_Luf46
-------\Service_rootmdmm
-------\Legacy_Schedule
-------\Schedule


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 21:21 . 2008-04-14 21:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 21:21 . 2008-04-14 21:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 19:00 . 2008-04-14 19:00 <DIR> d-------- C:\Deckard
2008-04-14 19:00 . 2008-04-14 19:00 3,648 --a------ C:\WINDOWS\system32\kuppeogr.dll
2008-04-14 18:52 . 2008-04-14 18:59 2,334 ---hs---- C:\WINDOWS\system32\mkhwhmmw.ini
2008-04-14 18:50 . 2008-04-14 18:50 3,648 --a------ C:\WINDOWS\system32\mvlyiifu.dll
2008-04-14 17:32 . 2008-04-14 17:32 3,648 --a------ C:\WINDOWS\system32\qfwbtucr.dll
2008-04-14 17:30 . 2008-04-14 17:30 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem
2008-04-14 17:06 . 2008-04-14 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 16:44 . 2008-04-14 16:44 3,648 --a------ C:\WINDOWS\system32\yocjncvh.dll
2008-04-14 15:36 . 2008-04-14 15:36 3,648 --a------ C:\WINDOWS\system32\avnxcqtm.dll
2008-04-14 01:14 . 2008-04-14 16:43 1,554 ---hs---- C:\WINDOWS\system32\dpnuwacr.ini
2008-04-14 01:08 . 2008-04-14 01:08 3,648 --a------ C:\WINDOWS\system32\ucrtraas.dll
2008-04-13 01:11 . 2008-04-14 01:12 1,134 ---hs---- C:\WINDOWS\system32\eshfqmnp.ini
2008-04-13 01:05 . 2008-04-13 01:05 3,648 --a------ C:\WINDOWS\system32\rhgnndyc.dll
2008-04-12 01:04 . 2008-04-13 01:05 1,074 ---hs---- C:\WINDOWS\system32\hscpjolt.ini
2008-04-12 01:02 . 2008-04-12 01:02 3,648 --a------ C:\WINDOWS\system32\uypjcdfi.dll
2008-04-12 00:03 . 2008-04-12 01:02 834 ---hs---- C:\WINDOWS\system32\efkbbcxp.ini
2008-04-11 23:55 . 2008-04-11 23:55 <DIR> d-------- C:\Program Files\Webroot
2008-04-11 23:55 . 2008-04-11 23:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-11 23:55 . 2008-04-11 23:55 <DIR> d-------- C:\Documents and Settings\colin\Application Data\Webroot
2008-04-11 23:55 . 2008-04-11 23:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-11 23:55 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-04-11 23:55 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-11 23:55 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-11 23:55 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-11 23:55 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-04-11 23:54 . 2008-04-11 23:54 3,648 --a------ C:\WINDOWS\system32\tngiypfb.dll
2008-04-11 17:10 . 2008-04-12 00:00 654 ---hs---- C:\WINDOWS\system32\lehuynso.ini
2008-04-11 17:09 . 2008-04-11 17:09 <DIR> d-------- C:\Program Files\AskSBar
2008-04-11 17:08 . 2008-04-11 17:08 3,648 --a------ C:\WINDOWS\system32\xlxdfnqr.dll
2008-04-11 02:32 . 2008-04-11 17:07 354 ---hs---- C:\WINDOWS\system32\xdsqxowq.ini
2008-04-11 02:26 . 2008-04-11 02:26 3,648 --a------ C:\WINDOWS\system32\fflujqnn.dll
2008-04-11 02:23 . 2008-04-14 15:36 101,091 --a------ C:\WINDOWS\BMebc336e6.xml
2008-04-10 14:18 . 2008-04-10 14:18 66,770 --ahs---- C:\Documents and Settings\LocalService\cftmon.exe
2008-04-09 23:57 . 2008-04-09 23:57 13,312 --a------ C:\gjtxc.exe
2008-04-09 23:57 . 2008-04-09 23:57 147 --a------ C:\clean0.bat
2008-04-09 23:57 . 2008-04-09 23:57 29 --a------ C:\WINDOWS\system32\wayysqhh.tmp
2008-04-09 23:56 . 2008-04-09 23:56 5,120 --a------ C:\Documents and Settings\colin\ftpdll.dll
2008-04-09 23:56 . 2008-04-09 23:56 54 --a------ C:\smp.bat
2008-04-09 23:55 . 2008-04-09 23:55 269,334 --a------ C:\WINDOWS\system32\fahkb.bmp
2008-04-09 23:55 . 2008-04-15 09:19 77,995 --ahs---- C:\Documents and Settings\colin\cftmon.exe
2008-04-09 23:55 . 2008-04-09 23:55 12,800 --a------ C:\WINDOWS\system32\~.exe
2008-04-09 21:15 . 2008-04-10 14:35 <DIR> d-------- C:\WINDOWS\system32\pinz1
2008-04-09 21:15 . 2008-04-09 21:15 <DIR> d-------- C:\WINDOWS\system32\IDE2
2008-04-09 21:15 . 2008-04-12 00:55 <DIR> d-------- C:\WINDOWS\system32\ExTmp
2008-04-09 21:15 . 2008-04-09 21:15 <DIR> d-------- C:\WINDOWS\system32\bharebio05
2008-04-09 21:15 . 2008-04-09 21:15 <DIR> d-------- C:\Temp\wdlw14
2008-04-09 21:15 . 2008-04-15 09:23 <DIR> d-------- C:\Temp
2008-04-09 21:15 . 2008-04-09 21:15 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-09 21:15 . 2008-04-09 21:15 38,400 --a------ C:\WINDOWS\mrofinu1188.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-12 05:59 --------- d-----w C:\Documents and Settings\colin\Application Data\Xfire
2008-04-10 04:55 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-10 04:55 12,800 ----a-w C:\WINDOWS\system32\~.exe
2008-04-10 03:17 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-10 03:17 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-21 02:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 02:38 --------- d-----w C:\Program Files\Activision
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:55 --------- d-----w C:\Program Files\Call of Duty
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-09 00:02 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-11-09 00:23 1,714 ----a-w C:\Documents and Settings\colin\Application Data\SAS7_000.DAT
2007-01-03 19:24 212 ---ha-w C:\Documents and Settings\jim.KULASIK\Application Data\srfvdo.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-04-11 17:09 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-04-11 17:09 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2008-04-11 17:09 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2008-04-11 17:09 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-05-10 23:34 67160]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 09:18 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03 210472]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 13:01 1397760]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 07:00 143360]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-11 13:01 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-11 12:58 46632]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2006-11-16 11:01 35368]
"icasServ"="C:\WINDOWS\system32\icasServ.exe" [2006-04-10 23:56 13824]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"qrqk"="C:\PROGRA~1\COMMON~1\qrqk\qrqkm.exe" [ ]
"CU1"="" []
"CU2"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pMddeCsr]
pMddeCsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=winword.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\day of defeat\\hl.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\counter-strike\\hl.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"C:\\Program Files\\Ubisoft\\Gearbox Software\\BrothersInArms\\System\\bia.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\team fortress classic\\hl.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\HP\\Image Zone Express\\HP_IZE.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Adaptec\\Adaptec Storage Manager\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AACmgt;AACmgt;C:\WINDOWS\system32\drivers\AACmgt.sys [2004-09-15 06:15]
R0 aar1210;aar1210;C:\WINDOWS\system32\drivers\aar1210.sys [2003-03-14 11:19]
R0 aarsi3x;aarsi3x;C:\WINDOWS\system32\DRIVERS\aarsi3x.sys [2004-11-11 19:09]
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-24 03:16]
S3 jatmlano;jatmlano;C:\DOCUME~1\jim\LOCALS~1\Temp\jatmlano.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0585f47b-5f1a-11db-b906-00111164d970}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90b0c731-2d23-11d9-afb5-806d6172696f}]
\Shell\AutoRun\command - D:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 00:25:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-15 14:31:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 09:39:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-04-15 9:42:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 14:42:06

Pre-Run: 76,797,722,624 bytes free
Post-Run: 77,810,257,920 bytes free
.
2008-04-10 19:26:46 --- E O F ---
========================================================

#5 Buckeye_Sam (Malware Expert)

Posted 15 April 2008 - 11:21 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
C:\WINDOWS\system32\wsnpoem
C:\Program Files\AskSBar
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\bharebio05
C:\Temp\wdlw14

File::
C:\WINDOWS\system32\kuppeogr.dll
C:\WINDOWS\system32\mkhwhmmw.ini
C:\WINDOWS\system32\mvlyiifu.dll
C:\WINDOWS\system32\qfwbtucr.dll
C:\WINDOWS\system32\yocjncvh.dll
C:\WINDOWS\system32\avnxcqtm.dll
C:\WINDOWS\system32\dpnuwacr.ini
C:\WINDOWS\system32\ucrtraas.dll
C:\WINDOWS\system32\eshfqmnp.ini
C:\WINDOWS\system32\rhgnndyc.dll
C:\WINDOWS\system32\hscpjolt.ini
C:\WINDOWS\system32\uypjcdfi.dll
C:\WINDOWS\system32\efkbbcxp.ini
C:\WINDOWS\system32\tngiypfb.dll
C:\WINDOWS\system32\lehuynso.ini
C:\WINDOWS\system32\xlxdfnqr.dll
C:\WINDOWS\system32\xdsqxowq.ini
C:\WINDOWS\system32\fflujqnn.dll
C:\gjtxc.exe
C:\clean0.bat
C:\WINDOWS\system32\wayysqhh.tmp
C:\Documents and Settings\colin\ftpdll.dll
C:\smp.bat
C:\WINDOWS\system32\fahkb.bmp
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\mrofinu1188.exe
C:\DOCUME~1\jim\LOCALS~1\Temp\jatmlano.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"=-
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= -
[-HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"icasServ"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"qrqk"=-
"CU1"=-
"CU2"=-

Driver::
jatmlano

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
========================================================

#6 Kulaid247 (Topic Starter)

Posted 15 April 2008 - 11:49 AM

Sam,

Here are the results:

ComboFix after pasting in what you wanted:



ComboFix 08-04-14.2 - colin 2008-04-15 11:28:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1637 [GMT -5:00]
Running from: I:\MY DOWNLOADS\ComboFix.exe
Command switches used :: I:\MY DOWNLOADS\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\clean0.bat
C:\DOCUME~1\jim\LOCALS~1\Temp\jatmlano.sys
C:\Documents and Settings\colin\ftpdll.dll
C:\gjtxc.exe
C:\smp.bat
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\avnxcqtm.dll
C:\WINDOWS\system32\dpnuwacr.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\efkbbcxp.ini
C:\WINDOWS\system32\eshfqmnp.ini
C:\WINDOWS\system32\fahkb.bmp
C:\WINDOWS\system32\fflujqnn.dll
C:\WINDOWS\system32\hscpjolt.ini
C:\WINDOWS\system32\kuppeogr.dll
C:\WINDOWS\system32\lehuynso.ini
C:\WINDOWS\system32\mkhwhmmw.ini
C:\WINDOWS\system32\mvlyiifu.dll
C:\WINDOWS\system32\qfwbtucr.dll
C:\WINDOWS\system32\rhgnndyc.dll
C:\WINDOWS\system32\tngiypfb.dll
C:\WINDOWS\system32\ucrtraas.dll
C:\WINDOWS\system32\uypjcdfi.dll
C:\WINDOWS\system32\wayysqhh.tmp
C:\WINDOWS\system32\xdsqxowq.ini
C:\WINDOWS\system32\xlxdfnqr.dll
C:\WINDOWS\system32\yocjncvh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\clean0.bat
C:\Documents and Settings\colin\ftpdll.dll
C:\gjtxc.exe
C:\Program Files\AskSBar
C:\Program Files\AskSBar\bar\1.bin\A2FFXTBR.JAR
C:\Program Files\AskSBar\bar\1.bin\A2FFXTBR.MANIFEST
C:\Program Files\AskSBar\bar\1.bin\A2HIGHIN.EXE
C:\Program Files\AskSBar\bar\1.bin\A2NTSTBR.JAR
C:\Program Files\AskSBar\bar\1.bin\A2NTSTBR.MANIFEST
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
C:\Program Files\AskSBar\bar\1.bin\NPASKSBR.DLL
C:\Program Files\AskSBar\bar\Cache\files.ini
C:\Program Files\AskSBar\bar\History\search2
C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
C:\smp.bat
C:\Temp\wdlw14
C:\Temp\wdlw14\maxN1bo.log
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\avnxcqtm.dll
C:\WINDOWS\system32\bharebio05
C:\WINDOWS\system32\bharebio05\bharebio051080.exe
C:\WINDOWS\system32\dpnuwacr.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\efkbbcxp.ini
C:\WINDOWS\system32\eshfqmnp.ini
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\fahkb.bmp
C:\WINDOWS\system32\fflujqnn.dll
C:\WINDOWS\system32\hscpjolt.ini
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\IDE2\mdllcom2.exe
C:\WINDOWS\system32\kuppeogr.dll
C:\WINDOWS\system32\lehuynso.ini
C:\WINDOWS\system32\mkhwhmmw.ini
C:\WINDOWS\system32\mvlyiifu.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\qfwbtucr.dll
C:\WINDOWS\system32\rhgnndyc.dll
C:\WINDOWS\system32\tngiypfb.dll
C:\WINDOWS\system32\ucrtraas.dll
C:\WINDOWS\system32\uypjcdfi.dll
C:\WINDOWS\system32\wayysqhh.tmp
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\xdsqxowq.ini
C:\WINDOWS\system32\xlxdfnqr.dll
C:\WINDOWS\system32\yocjncvh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JATMLANO
-------\Service_jatmlano


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 21:21 . 2008-04-14 21:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 21:21 . 2008-04-14 21:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 19:00 . 2008-04-14 19:00 <DIR> d-------- C:\Deckard
2008-04-14 17:06 . 2008-04-14 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-11 23:55 . 2008-04-11 23:55 <DIR> d-------- C:\Program Files\Webroot
2008-04-11 23:55 . 2008-04-11 23:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-11 23:55 . 2008-04-11 23:55 <DIR> d-------- C:\Documents and Settings\colin\Application Data\Webroot
2008-04-11 23:55 . 2008-04-11 23:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-11 23:55 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-04-11 23:55 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-11 23:55 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-11 23:55 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-11 23:55 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-04-11 02:23 . 2008-04-14 15:36 101,091 --a------ C:\WINDOWS\BMebc336e6.xml
2008-04-10 14:18 . 2008-04-10 14:18 66,770 --ahs---- C:\Documents and Settings\LocalService\cftmon.exe
2008-04-09 23:55 . 2008-04-15 09:19 77,995 --ahs---- C:\Documents and Settings\colin\cftmon.exe
2008-04-09 21:15 . 2008-04-15 11:28 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 22:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-12 05:59 --------- d-----w C:\Documents and Settings\colin\Application Data\Xfire
2008-04-10 03:17 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-21 02:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 02:38 --------- d-----w C:\Program Files\Activision
2008-03-14 22:55 --------- d-----w C:\Program Files\Call of Duty
2007-11-09 00:23 1,714 ----a-w C:\Documents and Settings\colin\Application Data\SAS7_000.DAT
2007-01-03 19:24 212 ---ha-w C:\Documents and Settings\jim.KULASIK\Application Data\srfvdo.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_ 9.41.34.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 14:29:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-15 16:31:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-05-10 23:34 67160]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 09:18 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 09:03 210472]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 13:01 1397760]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 07:00 143360]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-11 13:01 30248]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-11 12:58 46632]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2006-11-16 11:01 35368]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pMddeCsr]
pMddeCsr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=winword.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\day of defeat\\hl.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\counter-strike\\hl.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"C:\\Program Files\\Ubisoft\\Gearbox Software\\BrothersInArms\\System\\bia.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\team fortress classic\\hl.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\kulaidjr92\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\HP\\Image Zone Express\\HP_IZE.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Adaptec\\Adaptec Storage Manager\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AACmgt;AACmgt;C:\WINDOWS\system32\drivers\AACmgt.sys [2004-09-15 06:15]
R0 aar1210;aar1210;C:\WINDOWS\system32\drivers\aar1210.sys [2003-03-14 11:19]
R0 aarsi3x;aarsi3x;C:\WINDOWS\system32\DRIVERS\aarsi3x.sys [2004-11-11 19:09]
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-24 03:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0585f47b-5f1a-11db-b906-00111164d970}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90b0c731-2d23-11d9-afb5-806d6172696f}]
\Shell\AutoRun\command - D:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 00:25:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-15 14:31:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 11:32:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\userinit.exe
.
**************************************************************************
.
Completion time: 2008-04-15 11:34:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 16:34:29
ComboFix2.txt 2008-04-15 14:42:10

Pre-Run: 77,793,259,520 bytes free
Post-Run: 77,776,203,776 bytes free
.
2008-04-10 19:26:46 --- E O F ---


Second running of HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:05 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - blank (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol toolbar 2.0\aoltbres.dll/search.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kulasik.com
O17 - HKLM\Software\..\Telephony: DomainName = kulasik.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kulasik.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.70
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = kulasik.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.39 85.255.112.70
O18 - Protocol: bw+0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {76D51D94-2AD8-488E-AE50-BB540C92CE31} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: winword.dll
O20 - Winlogon Notify: pMddeCsr - pMddeCsr.dll (file missing)
O23 - Service: AdaptecStorageManagerAgent - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 19533 bytes

#7 Buckeye_Sam (Malware Expert)

Posted 15 April 2008 - 03:56 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - blank (file missing)
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - blank (file missing)
O20 - AppInit_DLLs: winword.dll
O20 - Winlogon Notify: pMddeCsr - pMddeCsr.dll (file missing)



===============



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 Kulaid247 (Topic Starter)

Posted 15 April 2008 - 08:21 PM

Sam,

I fixed the items you posted BUT

since I have the quickbrowsersearch.com problem I cannot get internet access....

Please advise....

#9 Kulaid247 (Topic Starter)

Posted 15 April 2008 - 08:40 PM

Sam,

I did run Spy Sweeper and no Trojan came up.

Can you help with the quick browser error...

#10 Buckeye_Sam (Malware Expert)

Posted 16 April 2008 - 06:56 AM

Sam,

I did run Spy Sweeper and no Trojan came up.

Can you help with the quick browser error...


Tell me about the quick browser error. What happens?



Let's run this removal tool and it should help with your connection.
Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

#11 Kulaid247 (Topic Starter)

Posted 16 April 2008 - 08:05 AM

Sam,

I will run that

What the quick browser does is redirect Mozilla and Explorer to a fake site,

and it becomes your startup site when you open your viewer....

#12 Kulaid247 (Topic Starter)

Posted 16 April 2008 - 08:14 AM

Sam,

Here is the log, plus the Quickbrowsersearch error I get when trying to connect to the internet.


Username "colin" - 04/16/2008 8:04:57 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.39 85.255.112.70" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
"CTSysVol"="\"C:\\Program Files\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe\" /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe\""
"InCD"="\"C:\\Program Files\\Ahead\\InCD\\InCD.exe\""
"nwiz"="\"nwiz.exe\" /install"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Synchronization Manager"="\"C:\\WINDOWS\\system32\\mobsync.exe\" /logon"
"NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"PaperPort PTD"="\"C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe\""
"IndexSearch"="\"C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe\""
"PPort11reminder"="\"C:\\Program Files\\ScanSoft\\PaperPort\\Ereg\\Ereg.exe\" -r \"C:\\Documents and Settings\\All Users\\Application Data\\ScanSoft\\PaperPort\\11\\Config\\Ereg\\Ereg.ini"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9"
....
Hosts file was reset, If you use a custom hosts file please replace it...


~~~~~ End report ~~~~~





Address Not Found Error

Protocol Not Known Error

Connection Failure Error

Net Timeout Error

Redirect Loop Error

Unknown Socket Error

Net Reset Error

Offline Error




www.quickbrowsersearch.com could not be found. Please check the name and try again.

The address (URL) is not a valid format and cannot be read. A typical address will start with "http://", followed by an address, (e.g. www.netscape.com), followed by a path to the content (or just "/"). A common cause for the problem is using backslashes(\) instead of forward slashes (/).

The file specified by the address (URL) cannot be found. Check that the file exists and that you have sufficient permissions to view it.

The address (URL) does not correspond to a known site and could not be loaded. This could be due to a misspelling in the address or because the site does not exist. If the address is known to be valid, or if the problem occurs for many sites, it may be an issue with your proxy service (if you use one) or the directory name service lookup. In such cases you should consult your system documentation, administrator or Internet Service Provider (ISP) as appropriate for further assistance.

The address (URL) starts with a protocol that is not recognized by the browser. A protocol is the part at the front of the address, such as http: or ftp: which tells the browser how to connect to the site. In this instance, the protocol is unknown so loading cannot continue. Check that the address is correct before retrying.

The browser was unable to connect to the specified site, even though it exists. This may be because the site does not accept connections from your computer, the service may be down, or the site does not support the service or port that you tried to connect to.

The browser timed out while trying to connect to the specified site. The site may be experiencing high loads that are slowing it down, or network problems are preventing data from being received from it in a timely manner. If the site is likely to be busy, consider waiting a few moments before retrying the request.

The browser has stopped a connection because the site is redirecting requests to itself in a manner which prevents it from ever completing.

The site responded to the network request in an unexpected manner. This may be due to address (URL) using the wrong protocol for the specified port, or a non-standard configuration on the site which is running different services than expected.

The link to the site was dropped unexpectedly while negotiating a connection or transferring data. This may be due to a network fault somewhere between the site and your computer. If the problem persists, consult your system documentation, administrator or Internet Service Provider (ISP) as appropriate for further assistance.

The browser is currently offline and cannot connect to the requested site. Place your browser in online mode before trying again.

Try again
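
The Fixwareout report above shows the mechanism behind the redirects: a static "nameserver" value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters pointing at 85.255.116.39 and 85.255.112.70, which the tool cleared. Every lookup the machine made was being answered by those two servers, so any site could be steered to quickbrowsersearch.com. The script below is an added example, not code from this thread or from Fixwareout: it parses a Windows .reg export of the Tcpip key (as produced by `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip tcpip.reg`) and flags any static NameServer entry, at the Parameters level or under a per-interface key, that is not in an allow-list the administrator supplies. The sample export embedded in the script is constructed; the interface GUID, the 192.168.1.1 DHCP resolver and the hostname are made up, while the two 85.255.x.x addresses are the ones the report in this thread cleared.

```python
"""Triage a Windows .reg export for a DNSChanger-style nameserver hijack.

Added example (not from the BleepingComputer thread or Fixwareout).
Malware of this family writes a static NameServer list under
Tcpip\Parameters (and often under each Interfaces\{GUID} key), which takes
precedence over the DHCP-assigned resolvers. Anything not on the allow-list
is reported. Real .reg exports are UTF-16 LE; read them with
open(path, encoding="utf-16") before passing the text in.
"""
import ipaddress
import re

# Constructed sample export. The two 85.255.x.x addresses match the ones the
# Fixwareout report cleared; GUID, DHCP resolver and hostname are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="85.255.116.39 85.255.112.70"
"DhcpNameServer"="192.168.1.1"
"Hostname"="example-pc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"NameServer"="85.255.116.39,85.255.112.70"
"DhcpNameServer"="192.168.1.1"
"EnableDHCP"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# Only REG_SZ values matter here; dword: lines deliberately do not match.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def split_servers(data):
    """NameServer data is space- or comma-separated; drop non-IP tokens."""
    out = []
    for tok in re.split(r"[ ,]+", data.strip()):
        try:
            out.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            pass
    return out


def find_rogue_nameservers(reg_text, allowed):
    """Flag static NameServer entries not in `allowed` (iterable of IPs).

    Returns a list of (key_path, ip) tuples in export order. The static
    value is the one an attacker needs to control, so DhcpNameServer is
    left alone; compare it by hand if the static list looks suspicious.
    """
    allowed = {str(ipaddress.ip_address(a)) for a in allowed}
    findings = []
    for key, values in parse_reg(reg_text).items():
        if "Tcpip\\Parameters" not in key:
            continue
        for ip in split_servers(values.get("NameServer", "")):
            if ip not in allowed:
                findings.append((key, ip))
    return findings


def summarize(reg_text, allowed):
    """Return (is_hijacked, report_lines) for a quick console triage."""
    findings = find_rogue_nameservers(reg_text, allowed)
    lines = []
    for key, ip in findings:
        leaf = key.rsplit("\\", 1)[-1]
        lines.append(f"{ip} set statically under {leaf}")
    return bool(findings), lines


if __name__ == "__main__":
    hijacked, report = summarize(SAMPLE_REG, allowed={"192.168.1.1"})
    print("HIJACK SUSPECTED" if hijacked else "clean")
    for line in report:
        print("  " + line)
```

The allow-list approach is deliberate: rather than hard-coding "bad" ranges, the script treats any static resolver the administrator did not expect as a finding, which also catches the per-interface copies that a cleanup tool can miss. After clearing the values, the machine falls back to DhcpNameServer, so a box that suddenly cannot resolve anything (the "could not be found" errors posted above) is a sign to check that a DHCP-supplied resolver is actually present.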

#13 Kulaid247

Kulaid247
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 16 April 2008 - 04:52 PM

Sam,

I was able to remove the quickbrowsersearch.com problem by searching this site for answers and then running Winsock Fix.

:thumbsup:

Thanks for all your help.....

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:55 PM

Posted 16 April 2008 - 05:34 PM

Excellent. I strongly recommend that you run the Kaspersky scan now that you have a good connection.
As badly infected as your computer was, it's likely there are still remnants floating around.


========================================================

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:55 PM

Posted 13 May 2008 - 09:26 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.


========================================================
