
Hijackthis Log..


18 replies to this topic

#1 DropShadow

  • Members
  • 13 posts

Posted 15 April 2008 - 03:11 AM

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-15 03:05:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
21: 2008-04-15 08:05:33 UTC - RP28 - Deckard's System Scanner Restore Point
20: 2008-04-13 06:41:58 UTC - RP27 - Installed SUPERAntiSpyware Free Edition
19: 2008-04-13 06:32:39 UTC - RP26 - Last known good configuration
18: 2008-04-13 06:32:34 UTC - RP25 - Restore Operation
17: 2008-04-13 06:32:34 UTC - RP24 - Last known good configuration


-- First Restore Point --
1: 2008-04-13 06:32:33 UTC - RP8 - Installed Java™ 6 Update 5


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:47 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: DVA Storm - {34a75400-077f-4e0e-bb38-b7f45baea819} - C:\WINDOWS\nslbvxpglqe.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [tkbellexe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189513246687
O17 - HKLM\System\CCS\Services\Tcpip\..\{C508FF55-9E2E-4819-849D-7A6D98461EB7}: NameServer = 85.255.115.155,85.255.112.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.155 85.255.112.128
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.155 85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.155 85.255.112.128
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPjGXN - cbXPjGXN.dll (file missing)
O21 - SSODL: ogxtsepr - {66DFC5B9-9B80-47C9-9296-F62A1B1C722A} - C:\WINDOWS\ogxtsepr.dll
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4488 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 sasdifsv - c:\program files\superantispyware\sasdifsv.sys
R1 saskutil - c:\program files\superantispyware\saskutil.sys
R3 sasenum - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-15 03:06:37 0 d-------- C:\Program Files\Trend Micro
2008-04-15 01:57:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 01:57:18 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 01:57:15 0 d-------- C:\WINDOWS\LastGood
2008-04-15 00:53:30 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-14 14:52:00 0 d-------- C:\Program Files\Virtools
2008-04-14 08:57:15 32768 --a------ C:\WINDOWS\system32\plugin.dll <Not Verified; Adobe Systems, Inc.; Adobe Photoshop>
2008-04-14 08:57:15 210944 --a------ C:\WINDOWS\system32\Msvcrt10.dll
2008-04-14 08:57:15 57344 --a------ C:\WINDOWS\system32\icmfilter.dll <Not Verified; ; icmfilter Module>
2008-04-13 01:51:43 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-04-13 01:42:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-13 01:42:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-13 01:42:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-13 01:15:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-13 01:15:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-13 01:15:13 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-13 01:14:59 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-13 00:55:00 1626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 00:41:39 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-13 00:41:39 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-13 00:41:39 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-13 00:41:39 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-13 00:41:39 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-13 00:41:39 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-13 00:41:39 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-13 00:07:05 0 d-------- C:\WINDOWS\pss
2008-04-13 00:00:41 0 --a------ C:\Documents and Settings\Administrator\NULL
2008-04-12 23:49:50 0 d-------- C:\Program Files\CCleaner
2008-04-12 23:35:14 0 d-------- C:\Documents and Settings\All Users\Application Data\wjqleryb
2008-04-12 23:35:14 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 23:08:19 37888 --a------ C:\WINDOWS\system32\rqRHBTnK.dll
2008-04-12 23:08:08 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-12 23:08:08 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-04-12 23:08:08 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32netode.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-04-12 23:08:07 4096 --a------ C:\WINDOWS\a.bat
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32thun.dll
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-04-12 23:08:06 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-04-12 23:08:06 4096 --a------ C:\Documents and Settings\Administrator\DesktopFWebdEditor.exe
2008-04-12 23:08:06 4096 --a------ C:\Documents and Settings\Administrator\Desktopfwebd.exe
2008-04-12 23:08:06 4096 --a------ C:\Documents and Settings\Administrator\Desktopfilemanagerclient.exe
2008-04-12 23:06:43 81920 --a------ C:\WINDOWS\spnkfwad.exe
2008-04-12 23:06:43 167936 --a------ C:\WINDOWS\ogxtsepr.dll
2008-04-12 23:05:36 51 --a------ C:\smp.bat
2008-04-12 23:05:32 2 --a------ C:\-1932036760
2008-04-12 23:05:27 55218 --a------ C:\WINDOWS\zeqbqwp.sys
2008-04-12 23:05:27 4096 --a------ C:\jgkpt.exe
2008-04-12 23:05:17 38400 --a------ C:\WINDOWS\system32\byXpmNEx.dll
2008-04-12 21:25:33 1801 --a------ C:\WINDOWS\mozver.dat
2008-04-12 21:14:47 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-12 21:14:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-12 21:02:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc
2008-04-11 16:21:05 0 d-------- C:\Program Files\SimPE
2008-04-11 14:36:31 0 d-------- C:\Program Files\Jasc Software Inc
2008-04-10 12:10:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-04-09 23:23:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-09 23:21:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-09 23:21:07 0 d-------- C:\Program Files\Yahoo!
2008-04-09 10:21:04 50688 --a------ C:\Program Files\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2008-04-08 10:25:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\MySpace
2008-04-08 10:25:21 0 d-------- C:\Program Files\MySpace
2008-04-07 14:54:25 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-07 14:54:08 0 d-------- C:\Program Files\Real
2008-04-07 14:54:05 0 d-------- C:\Program Files\Common Files\Real
2008-04-07 14:54:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-04-07 10:30:28 0 d-------- C:\Program Files\John Deere American Farmer Deluxe
2008-04-07 10:08:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-07 10:07:43 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-06 19:40:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-06 19:40:00 0 d-------- C:\Program Files\LimeWire
2008-04-06 19:10:04 88 -r-hs---- C:\WINDOWS\system32\BC8E4D24E2.sys
2008-04-06 16:17:09 0 d-------- C:\Program Files\EA GAMES
2008-04-06 16:17:08 442368 -ra------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
2008-04-06 16:11:19 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-06 16:11:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-04-06 16:10:30 0 d-------- C:\Program Files\Common Files\Corel
2008-04-06 16:09:04 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-06 16:08:22 0 d-------- C:\Program Files\Corel
2008-04-06 05:20:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-06 05:19:40 0 d-------- C:\Program Files\iPod
2008-04-06 05:19:30 0 d-------- C:\Program Files\iTunes
2008-04-06 05:18:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-06 05:18:18 0 d-------- C:\Program Files\Apple Software Update
2008-04-06 05:18:08 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-06 05:17:54 0 d-------- C:\Program Files\Common Files\Apple
2008-04-06 05:17:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-05 11:01:07 0 d-------- C:\WINDOWS\Sun
2008-04-05 11:01:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-05 11:00:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-04-05 10:59:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-04-05 10:59:12 0 d-------- C:\Program Files\Google
2008-04-05 10:57:48 0 d-------- C:\Program Files\Java
2008-04-05 10:57:10 0 d-------- C:\Program Files\Common Files\Java


-- Find3M Report ---------------------------------------------------------------

2008-04-13 01:41:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 01:14:59 0 d-------- C:\Program Files\Common Files
2008-04-13 00:23:57 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-07 10:08:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-06 16:11:10 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-05 10:36:33 0 d-------- C:\Program Files\McAfee


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34a75400-077f-4e0e-bb38-b7f45baea819}]
C:\WINDOWS\nslbvxpglqe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/13/2003 02:07 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/13/2003 01:53 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"jdgf894jrghoiiskd"="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe" []
"tkbellexe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/07/2008 02:54 PM]
"ituneshelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 08:18 AM]
"jdgf894jrghoiiskd"="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [02/01/2008 03:32 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ogxtsepr"= {66DFC5B9-9B80-47C9-9296-F62A1B1C722A} - C:\WINDOWS\ogxtsepr.dll [04/12/2008 06:07 PM 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXPjGXN]
cbXPjGXN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abd5a178-6fb7-11dc-81f0-806d6172696f}]
autorun\command- D:\Setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-15 03:07:21 ------------


Thank You!!


*Edited: I forgot to post this also, as it says.



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 253.99 MiB / 98.63 MiB
Pagefile Memory (total/avail): 624.96 MiB / 438.17 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.02 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 38.28 GiB total, 29.77 GiB free.
D: is CDROM (CDFS)
E: is Removable (No Media)
F: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - Maxtor 6E040L0 - 38.29 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 38.28 GiB - C:

\\.\PHYSICALDRIVE2 - Apple iPod USB Device - 3.77 GiB - 1 partition
\PARTITION0 - Unknown - 3.69 GiB - F:

\\.\PHYSICALDRIVE1 - Multi Flash Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
AUState says computer is ready and waiting.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DEBBIE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\DEBBIE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=DEBBIE
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Alien Skin Eye Candy 5 Textures --> C:\PROGRA~1\Corel\CORELP~2\ALIENS~1\EYECAN~1\UNWISE.EXE C:\PROGRA~1\Corel\CORELP~2\ALIENS~1\EYECAN~1\INSTALL.LOG
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Corel Paint Shop Pro X --> MsiExec.exe /I{1A15507A-8551-4626-915D-3D5FA095CC1B}
Eye Candy 4000 --> C:\PROGRA~1\Corel\CORELP~2\EYECAN~1\UNWISE.EXE C:\PROGRA~1\Corel\CORELP~2\EYECAN~1\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\Pc Cleaners\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Jasc Animation Shop 3 --> MsiExec.exe /I{174D5678-D941-433C-BD23-58A5C7B0D36D}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
John Deere American Farmer Deluxe --> "C:\Program Files\John Deere American Farmer Deluxe\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SimPE 0.66 (alpha) --> "C:\Program Files\SimPE\unins000.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type291 / Error
Event Submitted/Written: 04/15/2008 00:52:27 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Paint Shop Pro X.exe, version 10.0.3.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type280 / Error
Event Submitted/Written: 04/14/2008 11:28:30 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20080.31114, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type272 / Warning
Event Submitted/Written: 04/13/2008 11:56:59 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Event Record #/Type271 / Warning
Event Submitted/Written: 04/13/2008 11:56:58 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Event Record #/Type270 / Warning
Event Submitted/Written: 04/13/2008 11:56:58 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS', component '{ACD935F6-53F3-469B-842F-2CE17B80840C}' failed. The resource 'HKEY_CURRENT_USER\Software\Corel\Auto Update\{1A15507A-8551-4626-915D-3D5FA095CC1B}\Interval' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2435 / Warning
Event Submitted/Written: 04/14/2008 09:57:42 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type2432 / Error
Event Submitted/Written: 04/14/2008 05:58:44 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Ad-Aware 2007 Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type2377 / Warning
Event Submitted/Written: 04/14/2008 04:16:51 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type2375 / Error
Event Submitted/Written: 04/14/2008 04:06:24 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Ad-Aware 2007 Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type2374 / Error
Event Submitted/Written: 04/14/2008 04:06:21 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The iPod Service service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-04-15 03:07:21 ------------



Edited by DropShadow, 15 April 2008 - 03:17 AM.
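What a helper reads out of the log above, written as code. This is an added example, not anything from this thread or from the BleepingComputer tools; it parses a handful of the HijackThis lines copied from the post above and pulls out the three things to jump on first: O17 nameservers that are not on the LAN (both logged resolvers fall in 85.255.112.0/20, a block later published as a rogue DNSChanger range), O4 autoruns launched from the user's Temp directory, and entries whose file is already gone. The trusted-resolver list (RFC 1918 plus loopback) is an assumption about a home XP box, and every function and constant name here is mine.

```python
"""Triage a HijackThis 2.x log for the indicators the post above shows:
rogue O17 nameservers, O4 autoruns launched from a Temp directory, and
entries whose file no longer exists. Added example; not a BleepingComputer tool."""
import ipaddress
import re

# Constructed sample: a subset of the O2/O4/O17/O20/O21/O22 lines from the log above.
SAMPLE_LOG = r"""
O2 - BHO: DVA Storm - {34a75400-077f-4e0e-bb38-b7f45baea819} - C:\WINDOWS\nslbvxpglqe.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C508FF55-9E2E-4819-849D-7A6D98461EB7}: NameServer = 85.255.115.155,85.255.112.128
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.155 85.255.112.128
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPjGXN - cbXPjGXN.dll (file missing)
O21 - SSODL: ogxtsepr - {66DFC5B9-9B80-47C9-9296-F62A1B1C722A} - C:\WINDOWS\ogxtsepr.dll
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
"""

# Assumption: a home XP box only ever points at resolvers on its own LAN
# (RFC 1918) or loopback; any other resolver gets flagged for review.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# 85.255.112.0/20 is the block both logged resolvers sit in and one of the
# rogue ranges later published for DNSChanger; a hit here is not a "maybe".
KNOWN_ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/20")]

HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)   # \Temp\ or \tmp\ anywhere in the path


def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line, skipping the header."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def nameservers(text):
    """Every IP listed by an O17 line; HJT separates them with ',' or ' '."""
    found = set()
    for section, body in parse_hjt(text):
        if section == "O17" and "NameServer" in body:
            value = body.partition("=")[2]
            for token in re.split(r"[,\s]+", value.strip()):
                try:
                    found.add(str(ipaddress.ip_address(token)))
                except ValueError:       # stray text, not an address
                    pass
    return found


def classify_nameserver(ip_str):
    """'rogue', 'trusted' or 'review' for one resolver address."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in KNOWN_ROGUE_NETS):
        return "rogue"
    if any(ip in net for net in TRUSTED_NETS):
        return "trusted"
    return "review"


def triage(text):
    """Findings a helper would pull out of this log first."""
    findings = {"rogue_dns": set(), "review_dns": set(),
                "temp_autoruns": [], "missing_file": []}
    for ip in nameservers(text):
        verdict = classify_nameserver(ip)
        if verdict != "trusted":
            findings[verdict + "_dns"].add(ip)
    for section, body in parse_hjt(text):
        if section == "O4" and TEMP_DIR.search(body):
            findings["temp_autoruns"].append(body)
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings["missing_file"].append(f"{section} - {body}")
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in sorted(items):
            print("   ", item)
```

Run against the sample, the rogue_dns set holds exactly the two 85.255.x.x addresses that the FixWareout report in the reply below clears, and temp_autoruns holds both jdgf894jrghoiiskd entries, which that same report's "Current runs" section still lists after the DNS values are gone. Resolver checks belong on every O17 line, not just the first: the log above sets the same pair on the interface key, on Tcpip\Parameters and on both ControlSet backups, so clearing one place and re-scanning is how you confirm the rest were handled.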



#2 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 April 2008 - 06:10 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

Edited by Buckeye_Sam, 15 April 2008 - 06:11 AM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 DropShadow

  • Topic Starter

  • Members
  • 13 posts

Posted 15 April 2008 - 08:00 AM

Thanks Sam :thumbsup:




Username "Administrator" - 04/15/2008 7:49:21 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.155 85.255.112.128" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C508FF55-9E2E-4819-849D-7A6D98461EB7}
"nameserver"="85.255.115.155,85.255.112.128" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3B2113E4-204D-42A3-913A-1E8D142617B9}
"DhcpNameServer"="85.255.115.155,85.255.112.128" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"jdgf894jrghoiiskd"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winlogan.exe"
"tkbellexe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ituneshelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"jdgf894jrghoiiskd"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\winlogan.exe"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:18 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: DVA Storm - {34a75400-077f-4e0e-bb38-b7f45baea819} - C:\WINDOWS\nslbvxpglqe.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [tkbellexe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189513246687
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPjGXN - cbXPjGXN.dll (file missing)
O21 - SSODL: ogxtsepr - {66DFC5B9-9B80-47C9-9296-F62A1B1C722A} - C:\WINDOWS\ogxtsepr.dll
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4367 bytes
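Fixwareout's Prerun check in the report above cleared the same pair of resolver addresses from the global Tcpip\Parameters key and from two per-interface keys. The script below, added here as an illustration and not part of the original post or of Fixwareout, re-implements that check in Python: it parses the `"nameserver"="..."` lines in the format the tool printed and reports any resolver that is neither a private address nor on an allowlist, and reports any static `nameserver` value at all, because on a DHCP client that value silently overrides what the DHCP server hands out. The allowlist addresses are placeholders (assumed), and the fourth interface in the sample is constructed to show a benign case.

```python
"""Check Windows TCP/IP resolver settings for hijacked DNS servers.

Added example for this thread; it is not code from Fixwareout or from the
original poster. It reads the same `"nameserver"="..."` lines that Fixwareout
printed in its Prerun check and reports resolvers that are neither private
addresses nor on an allowlist.
"""
import ipaddress
import re

# Assumed allowlist (placeholder documentation addresses, not taken from the
# thread): replace with the resolvers your ISP or network actually hands out.
ALLOWED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Constructed sample: the three hits Fixwareout reported above, plus one
# made-up interface whose resolver is a home router, for contrast.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.155 85.255.112.128"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C508FF55-9E2E-4819-849D-7A6D98461EB7}
"nameserver"="85.255.115.155,85.255.112.128"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3B2113E4-204D-42A3-913A-1E8D142617B9}
"DhcpNameServer"="85.255.115.155,85.255.112.128"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{00000000-0000-0000-0000-000000000001}
"DhcpNameServer"="192.168.1.1"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"')
RESOLVER_VALUES = {"nameserver", "dhcpnameserver"}


def parse_resolver_values(text):
    """Yield (registry_key, value_name, [server, ...]) for each resolver value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("HKEY_"):
            key = line
            continue
        m = VALUE_RE.match(line)
        if not m or m.group("name").lower() not in RESOLVER_VALUES:
            continue
        # Windows accepts either spaces or commas between resolver addresses
        servers = [s for s in re.split(r"[ ,]+", m.group("value")) if s]
        yield key, m.group("name"), servers


def classify_resolver(addr, allowed):
    """'allowed', 'local' (RFC 1918/loopback/link-local), 'unexpected' or 'malformed'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if ip in allowed:
        return "allowed"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"
    return "unexpected"


def find_hijacked_resolvers(text, allowed=ALLOWED_RESOLVERS):
    """Return one finding per resolver value that contains an unexpected server.

    A static 'nameserver' value is reported even when its servers look fine,
    because on a DHCP client it overrides whatever DHCP hands out.
    """
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for key, name, servers in parse_resolver_values(text):
        suspicious = [s for s in servers
                      if classify_resolver(s, allowed_ips) in ("unexpected", "malformed")]
        static_override = name.lower() == "nameserver" and bool(servers)
        if suspicious or static_override:
            findings.append({"key": key, "value": name,
                             "suspicious": suspicious, "static_override": static_override})
    return findings


if __name__ == "__main__":
    for f in find_hijacked_resolvers(SAMPLE_EXPORT):
        tag = "static override" if f["static_override"] else "DHCP-supplied"
        servers = ", ".join(f["suspicious"]) or "no unexpected servers"
        print(f"{f['value']} ({tag}): {servers}")
        print("    " + str(f["key"]))
```

On a real machine, feed it the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /s` instead of the sample, and also check the DHCP lease itself, since a hijacked router can hand out the same rogue resolvers legitimately from DHCP.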

#4 DropShadow (Topic Starter)

Posted 15 April 2008 - 10:24 AM

I'd like to add that SystemDefender Security Center keeps popping up occasionally and says I don't have spyware or firewall protection. I have never seen that before :thumbsup:

#5 Buckeye_Sam (Malware Expert)

Posted 15 April 2008 - 11:23 AM

Good to know. We still have more to do.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: DVA Storm - {34a75400-077f-4e0e-bb38-b7f45baea819} - C:\WINDOWS\nslbvxpglqe.dll (file missing)
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O20 - Winlogon Notify: cbXPjGXN - cbXPjGXN.dll (file missing)
O21 - SSODL: ogxtsepr - {66DFC5B9-9B80-47C9-9296-F62A1B1C722A} - C:\WINDOWS\ogxtsepr.dll
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm



Reboot your computer.




Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
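The seven lines picked out for "Fix Checked" above share a few structural tells that a helper reads straight off a HijackThis log: an autorun launching from a Temp directory, an entry whose backing file is already missing, a shell service object DLL dropped straight into the Windows root, and an Active Desktop component that loads a local HTML file. The script below, added here as an illustration and not code from HijackThis or from the helper, encodes those tells as heuristics and runs them over a subset of the log posted above. The "random-looking name" rule (digits mixed into a long autorun name, or almost no vowels) is an assumed heuristic of this example, not anything HijackThis itself does.

```python
"""Triage a HijackThis log with structural heuristics.

Added example for this thread; not code from HijackThis or from the helper.
It flags log lines for the same reasons a human reviewer would, so the
"Fix checked" list above can be reproduced from the log alone.
"""
import re

# Constructed sample: a subset of the second HijackThis log posted above,
# benign entries included so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: DVA Storm - {34a75400-077f-4e0e-bb38-b7f45baea819} - C:\WINDOWS\nslbvxpglqe.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [tkbellexe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPjGXN - cbXPjGXN.dll (file missing)
O21 - SSODL: ogxtsepr - {66DFC5B9-9B80-47C9-9296-F62A1B1C722A} - C:\WINDOWS\ogxtsepr.dll
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
AUTORUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# A DLL directly in the Windows root, i.e. not inside system32 or any subfolder
WINDOWS_ROOT_DLL_RE = re.compile(r"[A-Z]:\\WINDOWS\\[^\\\s]+\.dll", re.IGNORECASE)


def looks_random(name):
    """Assumed heuristic: digits mixed into a long name, or almost no vowels."""
    letters = [c for c in name if c.isalpha()]
    has_digit = any(c.isdigit() for c in name)
    if has_digit and letters and len(name) >= 10:
        return True
    if not letters:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiouy")
    return vowels / len(letters) < 0.15


def triage_line(line):
    """Return the reasons this log line deserves a second look ([] if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("backing file is missing")
    if TEMP_DIR_RE.search(body):
        reasons.append("runs from a Temp directory")
    if section == "O4":
        name = AUTORUN_NAME_RE.search(body)
        if name and looks_random(name.group("name")):
            reasons.append("random-looking autorun name")
    if section == "O21" and WINDOWS_ROOT_DLL_RE.search(body):
        reasons.append("shell service object DLL sits in the Windows root")
    if section == "O24" and "file:///" in body.lower():
        reasons.append("Active Desktop component loads a local HTML file")
    return reasons


def triage_log(text):
    """Map every flagged line to its reasons, in log order."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample, the script flags exactly the seven lines in the Fix Checked list and nothing else; the heuristics are deliberately narrow, so treat a clean result as "nothing obvious", not as a clean machine.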

#6 DropShadow (Topic Starter)

Posted 15 April 2008 - 02:51 PM

ComboFix 08-04-14.2 - Administrator 2008-04-15 14:33:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.103 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\blackbird.jpg
C:\Documents and Settings\Administrator\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\Administrator\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\Administrator\Desktop\filemanagerclient.exe
C:\Documents and Settings\Administrator\Desktop\fkwp1.5.exe
C:\Documents and Settings\Administrator\Desktop\fkwp2.0.exe
C:\Documents and Settings\Administrator\Desktop\fwebd.exe
C:\Documents and Settings\Administrator\Desktop\FWebdEditor.exe
C:\Documents and Settings\Administrator\Desktop\Trojan.Win32.BlackBird.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\resources\DrvComponent.dll
C:\WINDOWS\resources\SrvRom.dll
C:\WINDOWS\system32\byXpmNEx.dll
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\rqRHBTnK.dll
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-15 07:48 . 2008-04-15 14:03 <DIR> d-------- C:\fixwareout
2008-04-15 03:06 . 2008-04-15 03:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 01:57 . 2008-04-15 01:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 01:57 . 2008-04-15 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 14:52 . 2008-04-14 14:52 <DIR> d-------- C:\Program Files\Virtools
2008-04-14 08:57 . 2004-03-08 17:40 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLX
2008-04-14 08:57 . 2004-03-08 17:40 210,944 --a------ C:\WINDOWS\system32\Msvcrt10.dll
2008-04-14 08:57 . 2004-03-08 17:40 57,344 --a------ C:\WINDOWS\system32\icmfilter.dll
2008-04-14 08:57 . 2004-03-08 17:40 32,768 --a------ C:\WINDOWS\system32\plugin.dll
2008-04-13 01:42 . 2008-04-15 00:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-13 01:42 . 2008-04-13 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-13 01:42 . 2008-04-13 01:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-13 01:14 . 2008-04-13 01:14 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-13 00:55 . 2008-04-13 00:55 1,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 00:41 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-13 00:41 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-13 00:41 . 2008-04-12 17:34 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-13 00:41 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-13 00:41 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-13 00:41 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-13 00:41 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 23:49 . 2008-04-12 23:49 <DIR> d-------- C:\Program Files\CCleaner
2008-04-12 23:35 . 2008-04-13 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wjqleryb
2008-04-12 23:35 . 2008-04-12 23:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 23:06 . 2008-04-12 18:07 167,936 --a------ C:\WINDOWS\ogxtsepr.dll
2008-04-12 23:06 . 2008-04-12 18:08 81,920 --a------ C:\WINDOWS\spnkfwad.exe
2008-04-12 23:05 . 2008-04-12 23:05 55,218 --a------ C:\WINDOWS\zeqbqwp.sys
2008-04-12 23:05 . 2008-04-12 23:05 4,096 --a------ C:\jgkpt.exe
2008-04-12 23:05 . 2008-04-12 23:06 51 --a------ C:\smp.bat
2008-04-12 23:05 . 2008-04-12 23:05 2 --a------ C:\-1932036760
2008-04-12 21:25 . 2008-04-14 14:52 1,801 --a------ C:\WINDOWS\mozver.dat
2008-04-12 21:14 . 2008-04-12 21:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-12 21:13 . 2008-04-12 21:13 6,039,144 --a------ C:\Program Files\Firefox Setup 2.0.0.13.exe
2008-04-12 21:02 . 2008-04-12 21:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc
2008-04-11 16:21 . 2008-04-11 16:21 <DIR> d-------- C:\Program Files\SimPE
2008-04-11 14:36 . 2008-04-11 14:36 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-04-09 23:23 . 2008-04-10 11:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-09 23:21 . 2008-04-10 11:15 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-09 23:21 . 2008-04-10 11:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-09 10:21 . 2008-04-09 10:21 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
2008-04-08 10:25 . 2008-04-08 10:25 <DIR> d-------- C:\Program Files\MySpace
2008-04-08 10:25 . 2008-04-08 10:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MySpace
2008-04-07 14:54 . 2008-04-07 14:54 <DIR> d-------- C:\Program Files\Real
2008-04-07 14:54 . 2008-04-07 14:54 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-07 14:54 . 2008-04-07 14:54 <DIR> d-------- C:\Program Files\Common Files\Real
2008-04-07 10:30 . 2008-04-15 14:04 <DIR> d-------- C:\Program Files\John Deere American Farmer Deluxe
2008-04-07 10:08 . 2008-04-07 14:54 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-07 10:08 . 2008-04-07 14:54 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-07 10:07 . 2008-04-07 10:10 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-06 19:40 . 2008-04-06 19:40 <DIR> d-------- C:\Program Files\LimeWire
2008-04-06 19:40 . 2008-04-08 09:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-06 19:39 . 2008-04-06 19:39 4,506,256 --a------ C:\Program Files\LimeWireWin.exe
2008-04-06 19:10 . 2008-04-15 09:37 88 -r-hs---- C:\WINDOWS\system32\BC8E4D24E2.sys
2008-04-06 16:17 . 2008-04-06 16:17 <DIR> d-------- C:\Program Files\EA GAMES
2008-04-06 16:17 . 2004-08-17 21:14 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-04-06 16:11 . 2008-04-06 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-06 16:11 . 2008-04-06 16:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-04-06 16:10 . 2008-04-06 16:10 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-04-06 16:09 . 2008-04-15 09:37 3,350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-06 16:08 . 2008-04-06 16:10 <DIR> d-------- C:\Program Files\Corel
2008-04-06 05:20 . 2008-04-06 05:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-06 05:19 . 2008-04-06 05:19 <DIR> d-------- C:\Program Files\iTunes
2008-04-06 05:19 . 2008-04-06 05:19 <DIR> d-------- C:\Program Files\iPod
2008-04-06 05:18 . 2008-04-06 05:18 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-06 05:18 . 2008-04-06 05:18 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-06 05:18 . 2008-04-06 05:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-06 05:17 . 2008-04-06 05:17 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-06 05:17 . 2008-04-06 05:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-05 11:01 . 2008-04-05 11:01 <DIR> d-------- C:\WINDOWS\Sun
2008-04-05 10:59 . 2008-04-10 11:13 <DIR> d-------- C:\Program Files\Google
2008-04-05 10:58 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-05 10:57 . 2008-04-05 10:58 <DIR> d-------- C:\Program Files\Java
2008-04-05 10:57 . 2008-04-05 10:57 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 15:32 8699904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-13 14:07 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-13 13:53 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"tkbellexe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-07 14:54 185896]
"ituneshelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 15:32 8699904]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 14:41:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-15 14:45:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 19:45:55

Pre-Run: 31,868,760,064 bytes free
Post-Run: 31,820,742,656 bytes free

#7 Buckeye_Sam (Malware Expert)

Posted 15 April 2008 - 04:15 PM

Copy and paste ALL of the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\Documents and Settings\All Users\Application Data\wjqleryb

File::
C:\WINDOWS\ogxtsepr.dll
C:\WINDOWS\spnkfwad.exe
C:\WINDOWS\zeqbqwp.sys
C:\jgkpt.exe
C:\smp.bat
C:\-1932036760

Registry::
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.


Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.



=====================




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#8 DropShadow (Topic Starter)

Posted 07 May 2008 - 01:39 AM

Hello... sorry I haven't had the time to run anything much or post... but I definitely have something else because I keep getting these annoying pop-ups now... HELP again... Thank you :thumbsup: Plus it's changed my homepage and I can't figure out how to change it back in Firefox... IE I can :blink: Anyway here's this:


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-07 01:28:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:11 AM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {ee69de0f-d7cf-544a-5dd4-70a731484227} - {72248413-7a07-4dd5-a445-fc7df0ed96ee} - C:\WINDOWS\system32\ntmcylkb.dll
O2 - BHO: (no name) - {90EB67F4-AE37-4032-96C3-EDDE47987272} - C:\WINDOWS\system32\ddcYpqon.dll
O2 - BHO: gooochi browser optimizer - {b83f2c8c-8d3b-4c42-ae38-e6c5182df0b5} - C:\WINDOWS\system32\{03d38b22-bafd-7bfd-875c-58ae1b0d217e}.dll (file missing)
O2 - BHO: (no name) - {F6725EDC-93FF-479B-A98B-C5B9E3C44864} - C:\WINDOWS\system32\geBstsqn.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [tkbellexe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Administrator\Application Data\Deskbar_{7BD5D344-D077-4c8e-8318-CBECF4E9908D}\starter.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189513246687
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: geBstsqn - C:\WINDOWS\SYSTEM32\geBstsqn.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4855 bytes

-- Files created between 2008-04-07 and 2008-05-07 -----------------------------

2008-05-06 20:30:40 96832 --a------ C:\WINDOWS\system32\mkrbgswn.dll
2008-05-06 20:27:40 108608 --a------ C:\WINDOWS\system32\ntmcylkb.dll
2008-05-06 20:24:40 2112 --a------ C:\WINDOWS\system32\tahyjsre.exe
2008-05-06 20:22:07 104512 --a------ C:\WINDOWS\system32\luylqxef.dll
2008-05-06 20:21:40 414556 --ahs---- C:\WINDOWS\system32\noqpYcdd.ini2
2008-05-06 20:21:37 281600 --a------ C:\WINDOWS\system32\ddcYpqon.dll
2008-05-06 14:50:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 14:50:33 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 12:48:25 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-06 10:35:40 0 d-------- C:\Program Files\Executive Software
2008-05-06 10:02:35 0 d-------- C:\Program Files\Csvnro
2008-05-06 07:35:37 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-05-05 23:12:30 107584 --a------ C:\WINDOWS\system32\ferkdutj.dll
2008-05-05 23:09:42 402097 --a------ C:\WINDOWS\system32\g19.exe
2008-05-05 22:55:12 269 --a------ C:\WINDOWS\system32\7717.bat
2008-05-05 22:55:02 0 d-------- C:\WINDOWS\system32\bkEur07
2008-05-05 22:54:55 42496 --a------ C:\WINDOWS\system32\geBstsqn.dll
2008-05-05 22:54:39 0 d--hs---- C:\Program Files\outlook
2008-05-05 22:50:08 0 d-------- C:\Program Files\Spcron
2008-05-05 22:50:06 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-05-05 22:50:04 0 d-------- C:\Program Files\Svconr
2008-05-05 22:46:45 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-05 22:46:31 298311 --a------ C:\WINDOWS\system32\gside.exe
2008-05-05 22:46:28 0 d--hs---- C:\WINDOWS\VmFsdWVkIEN1c3RvbWVy
2008-05-05 22:46:25 86144 --a------ C:\WINDOWS\system32\drivers\cdromm.sys
2008-05-05 22:46:23 0 d-------- C:\WINDOWS\system32\xdb4
2008-05-05 22:46:23 0 d-------- C:\WINDOWS\system32\din3
2008-05-05 22:46:23 0 d-------- C:\WINDOWS\system32\cNF
2008-05-05 22:46:23 0 d-------- C:\WINDOWS\system32\cdTMP
2008-05-05 22:46:23 0 d-------- C:\WINDOWS\system32\12033
2008-05-05 22:46:19 0 d-------- C:\WINDOWS\system32\bkEur18
2008-05-05 22:46:19 0 d-------- C:\Temp
2008-05-05 21:52:04 0 d-------- C:\Program Files\Incomplete
2008-05-02 23:58:45 0 d-------- C:\Program Files\SuperBladePro
2008-04-24 11:11:39 0 d-------- C:\Program Files\QuickTime
2008-04-24 11:00:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\QQ Games Plugin
2008-04-24 10:50:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-04-24 10:48:00 0 d-------- C:\Program Files\Tencent
2008-04-24 10:46:33 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-24 10:45:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-24 10:45:53 0 d-------- C:\Program Files\Viewpoint
2008-04-24 10:45:44 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-24 10:45:43 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-24 10:45:26 0 d-------- C:\Program Files\Common Files\AOL
2008-04-24 10:44:56 0 d-------- C:\Program Files\AIM6
2008-04-16 22:01:57 0 d-------- C:\Program Files\kSolo
2008-04-16 12:44:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Snapfish
2008-04-15 14:33:17 68096 --a------ C:\WINDOWS\zip.exe
2008-04-15 14:33:17 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-15 14:33:17 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-15 14:33:17 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-15 14:33:17 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-15 14:33:17 98816 --a------ C:\WINDOWS\sed.exe
2008-04-15 14:33:17 80412 --a------ C:\WINDOWS\grep.exe
2008-04-15 14:33:17 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-15 03:06:37 0 d-------- C:\Program Files\Trend Micro
2008-04-14 14:52:00 0 d-------- C:\Program Files\Virtools
2008-04-14 08:57:15 32768 --a------ C:\WINDOWS\system32\plugin.dll <Not Verified; Adobe Systems, Inc.; Adobe Photoshop>
2008-04-14 08:57:15 210944 --a------ C:\WINDOWS\system32\Msvcrt10.dll
2008-04-14 08:57:15 57344 --a------ C:\WINDOWS\system32\icmfilter.dll <Not Verified; ; icmfilter Module>
2008-04-13 01:42:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-13 01:42:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-13 01:42:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-13 01:15:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-13 01:15:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-13 01:15:13 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-13 01:14:59 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-13 00:55:00 1626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 00:41:39 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-13 00:41:39 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-13 00:41:39 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-13 00:41:39 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-13 00:41:39 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-13 00:41:39 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-13 00:41:39 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-13 00:07:05 0 d-------- C:\WINDOWS\pss
2008-04-13 00:00:41 0 --a------ C:\Documents and Settings\Administrator\NULL
2008-04-12 23:49:50 0 d-------- C:\Program Files\CCleaner
2008-04-12 23:35:14 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 21:25:33 2400 --a------ C:\WINDOWS\mozver.dat
2008-04-12 21:14:47 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-12 21:14:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-12 21:02:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc
2008-04-11 16:21:05 0 d-------- C:\Program Files\SimPE
2008-04-11 14:36:31 0 d-------- C:\Program Files\Jasc Software Inc
2008-04-10 12:10:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-04-09 23:23:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-09 23:21:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-09 23:21:07 0 d-------- C:\Program Files\Yahoo!
2008-04-09 10:21:04 50688 --a------ C:\Program Files\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2008-04-08 10:25:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\MySpace
2008-04-08 10:25:21 0 d-------- C:\Program Files\MySpace
2008-04-07 14:54:25 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-07 14:54:08 0 d-------- C:\Program Files\Real
2008-04-07 14:54:05 0 d-------- C:\Program Files\Common Files\Real
2008-04-07 14:54:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-04-07 10:30:28 0 d-------- C:\Program Files\John Deere American Farmer Deluxe
2008-04-07 10:08:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-07 10:07:43 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-05 23:34:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-05 23:00:31 0 d-------- C:\Program Files\Common Files
2008-05-05 22:51:44 0 d-------- C:\Program Files\LimeWire
2008-05-05 22:00:06 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-05 22:00:00 88 -r-hs---- C:\WINDOWS\system32\BC8E4D24E2.sys
2008-04-13 01:41:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 00:23:57 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-10 11:13:46 0 d-------- C:\Program Files\Google
2008-04-07 10:08:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-06 16:17:09 0 d-------- C:\Program Files\EA GAMES
2008-04-06 16:11:10 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-06 16:10:30 0 d-------- C:\Program Files\Corel
2008-04-06 05:20:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-06 05:19:54 0 d-------- C:\Program Files\iTunes
2008-04-06 05:19:40 0 d-------- C:\Program Files\iPod
2008-04-06 05:18:18 0 d-------- C:\Program Files\Apple Software Update
2008-04-06 05:17:54 0 d-------- C:\Program Files\Common Files\Apple
2008-04-05 11:12:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-04-05 11:01:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-05 10:58:47 0 d-------- C:\Program Files\Java
2008-04-05 10:57:10 0 d-------- C:\Program Files\Common Files\Java
2008-04-05 10:36:33 0 d-------- C:\Program Files\McAfee


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72248413-7a07-4dd5-a445-fc7df0ed96ee}]
05/06/2008 08:27 PM 108608 --a------ C:\WINDOWS\system32\ntmcylkb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90EB67F4-AE37-4032-96C3-EDDE47987272}]
05/06/2008 08:21 PM 281600 --a------ C:\WINDOWS\system32\ddcYpqon.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b83f2c8c-8d3b-4c42-ae38-e6c5182df0b5}]
C:\WINDOWS\system32\{03d38b22-bafd-7bfd-875c-58ae1b0d217e}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6725EDC-93FF-479B-A98B-C5B9E3C44864}]
05/05/2008 10:54 PM 42496 --a------ C:\WINDOWS\system32\geBstsqn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/13/2003 02:07 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/13/2003 01:53 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"tkbellexe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/07/2008 02:54 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"outlook"="C:\Program Files\outlook\outlook.exe" []
"dbar_starter"="C:\Documents and Settings\Administrator\Application Data\Deskbar_{7BD5D344-D077-4c8e-8318-CBECF4E9908D}\starter.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 08:18 AM]
"Aim6"="" []
"WinUpdater"="C:\Program Files\winvi\update.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"winlog"=winlog.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{F6725EDC-93FF-479B-A98B-C5B9E3C44864}"= C:\WINDOWS\system32\geBstsqn.dll [05/05/2008 10:54 PM 42496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBstsqn]
geBstsqn.dll 05/05/2008 10:54 PM 42496 C:\WINDOWS\system32\geBstsqn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\Setup.exe




-- End of Deckard's System Scanner: finished at 2008-05-07 01:29:21 ------------

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 May 2008 - 03:54 PM

You gotta stick with this until the end. If we don't get it all, you might think you're clean but then it all comes back.

Please run Combofix and post the resulting log.

Edited by Buckeye_Sam, 07 May 2008 - 03:54 PM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 DropShadow

DropShadow
  • Topic Starter

  • Members
  • 13 posts

Posted 07 May 2008 - 09:48 PM

ComboFix 08-05-01.3 - Administrator 2008-05-07 21:42:26.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.110 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-07 09:55 . 2008-05-07 09:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-05-07 09:54 . 2008-05-07 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-07 09:48 . 2008-05-07 09:50 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-05-07 09:34 . 2008-05-07 09:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-05-06 20:24 . 2008-05-06 20:24 2,112 --a------ C:\WINDOWS\system32\tahyjsre.exe
2008-05-06 14:50 . 2008-05-06 14:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 14:50 . 2008-05-06 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 10:35 . 2008-05-06 10:37 <DIR> d-------- C:\Program Files\Executive Software
2008-05-06 10:02 . 2008-05-06 10:02 <DIR> d-------- C:\Program Files\Csvnro
2008-05-06 07:35 . 2008-05-06 07:35 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-05-05 23:09 . 2008-05-05 23:09 402,097 --a------ C:\WINDOWS\system32\g19.exe
2008-05-05 23:04 . 2008-05-06 23:04 109,709 --a------ C:\WINDOWS\BM8fe4465b.xml
2008-05-05 22:55 . 2008-05-05 22:55 <DIR> d-------- C:\WINDOWS\system32\bkEur07
2008-05-05 22:55 . 2008-05-05 22:55 269 --a------ C:\WINDOWS\system32\7717.bat
2008-05-05 22:50 . 2008-05-05 22:59 <DIR> d-------- C:\Program Files\Svconr
2008-05-05 22:50 . 2008-05-05 23:08 <DIR> d-------- C:\Program Files\Spcron
2008-05-05 22:50 . 2008-05-05 22:50 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-05 22:46 . 2008-05-06 07:48 <DIR> d--hs---- C:\WINDOWS\VmFsdWVkIEN1c3RvbWVy
2008-05-05 22:46 . 2008-05-05 22:46 <DIR> d-------- C:\WINDOWS\system32\xdb4
2008-05-05 22:46 . 2008-05-05 22:46 <DIR> d-------- C:\WINDOWS\system32\din3
2008-05-05 22:46 . 2008-05-05 22:46 <DIR> d-------- C:\WINDOWS\system32\cNF
2008-05-05 22:46 . 2008-05-06 07:44 <DIR> d-------- C:\WINDOWS\system32\cdTMP
2008-05-05 22:46 . 2008-05-05 22:46 <DIR> d-------- C:\WINDOWS\system32\bkEur18
2008-05-05 22:46 . 2008-05-06 07:44 <DIR> d-------- C:\WINDOWS\system32\12033
2008-05-05 22:46 . 2008-05-05 22:46 <DIR> d-------- C:\Temp\maxsv15
2008-05-05 22:46 . 2008-05-07 20:04 <DIR> d-------- C:\Temp
2008-05-05 22:46 . 2008-05-05 22:46 298,311 --a------ C:\WINDOWS\system32\gside.exe
2008-05-05 22:46 . 2008-05-05 22:46 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-05 21:52 . 2008-05-05 22:50 <DIR> d-------- C:\Program Files\Incomplete
2008-05-02 23:58 . 2008-05-02 23:58 <DIR> d-------- C:\Program Files\SuperBladePro
2008-04-24 11:11 . 2008-04-24 11:12 <DIR> d-------- C:\Program Files\QuickTime
2008-04-24 11:00 . 2008-04-24 11:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\QQ Games Plugin
2008-04-24 10:50 . 2008-04-24 10:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-04-24 10:48 . 2008-04-24 10:48 <DIR> d-------- C:\Program Files\Tencent
2008-04-24 10:46 . 2008-04-24 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-24 10:46 . 2008-04-24 10:46 21 --a------ C:\WINDOWS\atid.ini
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-24 10:45 . 2008-04-24 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-24 10:44 . 2008-04-24 10:48 <DIR> d-------- C:\Program Files\AIM6
2008-04-24 10:44 . 2008-04-24 10:49 1,293 --ah----- C:\IPH.PH
2008-04-17 16:28 . 2008-04-17 16:28 449,784 --a------ C:\Program Files\msgr8us.exe
2008-04-16 22:01 . 2008-04-16 22:02 <DIR> d-------- C:\Program Files\kSolo
2008-04-16 12:44 . 2008-04-16 12:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Snapfish
2008-04-15 07:48 . 2008-05-06 09:00 <DIR> d-------- C:\fixwareout
2008-04-15 03:06 . 2008-04-15 03:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 03:05 . 2008-04-15 03:05 <DIR> d-------- C:\Deckard
2008-04-14 14:52 . 2008-04-14 14:52 <DIR> d-------- C:\Program Files\Virtools
2008-04-14 08:57 . 2004-03-08 17:40 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLX
2008-04-14 08:57 . 2004-03-08 17:40 210,944 --a------ C:\WINDOWS\system32\Msvcrt10.dll
2008-04-14 08:57 . 2004-03-08 17:40 57,344 --a------ C:\WINDOWS\system32\icmfilter.dll
2008-04-14 08:57 . 2004-03-08 17:40 32,768 --a------ C:\WINDOWS\system32\plugin.dll
2008-04-13 01:42 . 2008-05-06 19:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-13 01:42 . 2008-04-13 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-13 01:42 . 2008-04-13 01:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-13 01:14 . 2008-04-13 01:14 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-13 00:55 . 2008-04-13 00:55 1,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 00:41 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-13 00:41 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-13 00:41 . 2008-04-12 17:34 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-13 00:41 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-13 00:41 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-13 00:41 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-13 00:41 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 23:49 . 2008-04-12 23:49 <DIR> d-------- C:\Program Files\CCleaner
2008-04-12 23:35 . 2008-04-12 23:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 21:25 . 2008-04-16 12:44 2,400 --a------ C:\WINDOWS\mozver.dat
2008-04-12 21:14 . 2008-04-12 21:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-12 21:13 . 2008-04-12 21:13 6,039,144 --a------ C:\Program Files\Firefox Setup 2.0.0.13.exe
2008-04-12 21:02 . 2008-04-12 21:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc
2008-04-11 16:21 . 2008-04-11 16:21 <DIR> d-------- C:\Program Files\SimPE
2008-04-11 14:36 . 2008-04-25 13:02 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-04-09 23:23 . 2008-04-29 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-09 23:21 . 2008-04-24 12:10 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-09 23:21 . 2008-04-24 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-09 10:21 . 2008-04-09 10:21 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
2008-04-08 10:25 . 2008-04-08 10:25 <DIR> d-------- C:\Program Files\MySpace
2008-04-08 10:25 . 2008-04-08 10:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MySpace

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 16:19 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-07 14:48 --------- d-----w C:\Program Files\Corel
2008-05-07 06:47 --------- d-----w C:\Program Files\LimeWire
2008-05-07 02:05 --------- d-----w C:\Program Files\John Deere American Farmer Deluxe
2008-05-06 04:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-13 06:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 05:23 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-10 16:13 --------- d-----w C:\Program Files\Google
2008-04-07 19:54 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-07 19:54 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-07 19:54 --------- d-----w C:\Program Files\Real
2008-04-07 19:54 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-07 19:54 --------- d-----w C:\Program Files\Common Files\Real
2008-04-07 00:39 4,506,256 ----a-w C:\Program Files\LimeWireWin.exe
2008-04-06 21:17 --------- d-----w C:\Program Files\EA GAMES
2008-04-06 21:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-06 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-06 10:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-06 10:19 --------- d-----w C:\Program Files\iTunes
2008-04-06 10:19 --------- d-----w C:\Program Files\iPod
2008-04-06 10:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-06 10:18 --------- d-----w C:\Program Files\Apple Software Update
2008-04-06 10:17 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-06 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-05 15:58 --------- d-----w C:\Program Files\Java
2008-04-05 15:57 --------- d-----w C:\Program Files\Common Files\Java
2008-04-05 15:36 --------- d-----w C:\Program Files\McAfee
2008-04-05 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b83f2c8c-8d3b-4c42-ae38-e6c5182df0b5}]
C:\WINDOWS\system32\{03d38b22-bafd-7bfd-875c-58ae1b0d217e}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18 15360]
"Aim6"="" []
"WinUpdater"="C:\Program Files\winvi\update.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-13 14:07 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-13 13:53 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"tkbellexe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-07 14:54 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"dbar_starter"="C:\Documents and Settings\Administrator\Application Data\Deskbar_{7BD5D344-D077-4c8e-8318-CBECF4E9908D}\starter.exe" [ ]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 15:32 8699904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBstsqn]
geBstsqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 21:44:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 21:46:38
ComboFix-quarantined-files.txt 2008-05-08 02:46:27
ComboFix2.txt 2008-05-08 01:25:47
ComboFix3.txt 2008-04-16 02:41:33
ComboFix4.txt 2008-04-15 19:45:59

Pre-Run: 27,654,639,616 bytes free
Post-Run: 27,646,001,152 bytes free


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 May 2008 - 10:26 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
C:\Documents and Settings\Administrator\Application Data\Deskbar_{7BD5D344-D077-4c8e-8318-CBECF4E9908D}
C:\Program Files\winvi
C:\WINDOWS\VmFsdWVkIEN1c3RvbWVy
C:\WINDOWS\system32\xdb4
C:\WINDOWS\system32\din3
C:\WINDOWS\system32\cNF
C:\WINDOWS\system32\cdTMP
C:\WINDOWS\system32\bkEur18
C:\WINDOWS\system32\12033
C:\Temp\maxsv15

File::
C:\WINDOWS\system32\{03d38b22-bafd-7bfd-875c-58ae1b0d217e}.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\tahyjsre.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBstsqn]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dbar_starter"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpdater"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b83f2c8c-8d3b-4c42-ae38-e6c5182df0b5}]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

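The CFScript above lists folders and files for ComboFix to remove, and the only way to confirm the run worked is to compare the "Files Created" listing of the log posted before the script with the one posted after it. The following script is an added example, not a tool from this thread, from ComboFix or from BleepingComputer: it parses the Folder::/File::/Registry:: sections of a CFScript, parses ComboFix "Files Created" lines, and reports which scripted paths were present before the run and which still appear afterwards. The sample script and log lines are copied from the posts above; the function and variable names are the example's own.

```python
"""Check a ComboFix CFScript against 'Files Created' listings (added example).

Not a ComboFix or BleepingComputer tool. Nothing here touches the host: it only
reads text that a user pasted into the thread.
"""
import re
from typing import Dict, List, Set

# One ComboFix 'Files Created' line: created time, ' . ', modified time,
# a size (with thousands separators) or <DIR>, a 9-character attribute
# string, then the path. Example from the thread:
# 2008-05-05 22:46 . 2008-05-05 22:46 298,311 --a------ C:\WINDOWS\system32\gside.exe
FILES_CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {'Folder': [...], 'File': [...], 'Registry': [...]} from CFScript text."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"([A-Za-z]+)::", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_files_created(log_text: str) -> Dict[str, dict]:
    """Map each lower-cased path in a 'Files Created' listing to its fields."""
    entries: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        m = FILES_CREATED_RE.match(raw.strip())
        if m:
            fields = m.groupdict()
            fields["is_dir"] = fields["size"] == "<DIR>"
            entries[fields["path"].lower()] = fields
    return entries


def covered_by(path: str, scripted: Set[str]) -> bool:
    """True if path equals a scripted path or lies inside a scripted folder."""
    p = path.lower()
    return any(p == s or p.startswith(s.rstrip("\\") + "\\") for s in scripted)


def check_script(cfscript: str, before_log: str, after_log: str) -> Dict[str, List[str]]:
    """Report scripted paths seen before the run, surviving it, or never seen."""
    sections = parse_cfscript(cfscript)
    scripted = {p.lower() for p in sections.get("Folder", []) + sections.get("File", [])}
    before = parse_files_created(before_log)
    after = parse_files_created(after_log)
    return {
        "targeted_before": sorted(p for p in before if covered_by(p, scripted)),
        "still_present_after": sorted(p for p in after if covered_by(p, scripted)),
        "not_seen_before": sorted(
            s for s in scripted if not any(covered_by(p, {s}) for p in before)
        ),
    }


# Sample data copied from the thread (a subset of the CFScript and of the two logs).
SAMPLE_CFSCRIPT = r"""
Folder::
C:\WINDOWS\VmFsdWVkIEN1c3RvbWVy
C:\WINDOWS\system32\xdb4
C:\Temp\maxsv15

File::
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\tahyjsre.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBstsqn]
"""

BEFORE_LOG = r"""
2008-05-06 20:24 . 2008-05-06 20:24 2,112 --a------ C:\WINDOWS\system32\tahyjsre.exe
2008-05-05 22:46 . 2008-05-06 07:48 <DIR> d--hs---- C:\WINDOWS\VmFsdWVkIEN1c3RvbWVy
2008-05-05 22:46 . 2008-05-05 22:46 <DIR> d-------- C:\WINDOWS\system32\xdb4
2008-05-05 22:46 . 2008-05-05 22:46 <DIR> d-------- C:\Temp\maxsv15
2008-05-05 22:46 . 2008-05-07 20:04 <DIR> d-------- C:\Temp
2008-05-05 22:46 . 2008-05-05 22:46 298,311 --a------ C:\WINDOWS\system32\gside.exe
"""

AFTER_LOG = r"""
2008-05-05 22:46 . 2008-05-08 20:48 <DIR> d-------- C:\Temp
2008-05-06 07:35 . 2008-05-06 07:35 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
"""

if __name__ == "__main__":
    for key, paths in check_script(SAMPLE_CFSCRIPT, BEFORE_LOG, AFTER_LOG).items():
        print(key, paths)
```

Note that C:\Temp itself is not reported: only C:\Temp\maxsv15 is scripted, so the parent folder surviving the run is expected, which matches the second ComboFix log in the thread. An empty "still_present_after" list together with an empty "not_seen_before" list is the result a helper wants to see before moving on to the next scan.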


========================================================

#12 DropShadow

DropShadow
  • Topic Starter

  • Members
  • 13 posts

Posted 08 May 2008 - 10:40 PM

ComboFix 08-05-01.3 - Administrator 2008-05-08 20:48:25.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.122 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\{03d38b22-bafd-7bfd-875c-58ae1b0d217e}.dll
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\tahyjsre.exe
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\maxsv15
C:\Temp\maxsv15\rLCubd.log
C:\WINDOWS\system32\12033
C:\WINDOWS\system32\bkEur18
C:\WINDOWS\system32\bkEur18\bkEur182328.exe
C:\WINDOWS\system32\cdTMP
C:\WINDOWS\system32\cNF
C:\WINDOWS\system32\cNF\srkcont3.exe
C:\WINDOWS\system32\din3
C:\WINDOWS\system32\din3\is-setup03x.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\tahyjsre.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xdb4
C:\WINDOWS\system32\xdb4\DB-1bn.exe
C:\WINDOWS\VmFsdWVkIEN1c3RvbWVy

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-08 09:38 . 2008-05-08 09:40 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-05-07 09:55 . 2008-05-08 09:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-05-07 09:54 . 2008-05-07 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-07 09:34 . 2008-05-07 09:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-05-06 14:50 . 2008-05-06 14:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 14:50 . 2008-05-06 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 10:35 . 2008-05-06 10:37 <DIR> d-------- C:\Program Files\Executive Software
2008-05-06 10:02 . 2008-05-06 10:02 <DIR> d-------- C:\Program Files\Csvnro
2008-05-06 07:35 . 2008-05-06 07:35 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-05-05 23:09 . 2008-05-05 23:09 402,097 --a------ C:\WINDOWS\system32\g19.exe
2008-05-05 23:04 . 2008-05-06 23:04 109,709 --a------ C:\WINDOWS\BM8fe4465b.xml
2008-05-05 22:55 . 2008-05-05 22:55 <DIR> d-------- C:\WINDOWS\system32\bkEur07
2008-05-05 22:55 . 2008-05-05 22:55 269 --a------ C:\WINDOWS\system32\7717.bat
2008-05-05 22:50 . 2008-05-05 22:59 <DIR> d-------- C:\Program Files\Svconr
2008-05-05 22:50 . 2008-05-05 23:08 <DIR> d-------- C:\Program Files\Spcron
2008-05-05 22:50 . 2008-05-05 22:50 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-05 22:46 . 2008-05-08 20:48 <DIR> d-------- C:\Temp
2008-05-05 21:52 . 2008-05-05 22:50 <DIR> d-------- C:\Program Files\Incomplete
2008-05-02 23:58 . 2008-05-02 23:58 <DIR> d-------- C:\Program Files\SuperBladePro
2008-04-24 11:11 . 2008-04-24 11:12 <DIR> d-------- C:\Program Files\QuickTime
2008-04-24 11:00 . 2008-04-24 11:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\QQ Games Plugin
2008-04-24 10:50 . 2008-04-24 10:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-04-24 10:48 . 2008-04-24 10:48 <DIR> d-------- C:\Program Files\Tencent
2008-04-24 10:46 . 2008-04-24 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-24 10:46 . 2008-04-24 10:46 21 --a------ C:\WINDOWS\atid.ini
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-24 10:45 . 2008-04-24 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-24 10:44 . 2008-04-24 10:48 <DIR> d-------- C:\Program Files\AIM6
2008-04-24 10:44 . 2008-04-24 10:49 1,293 --ah----- C:\IPH.PH
2008-04-17 16:28 . 2008-04-17 16:28 449,784 --a------ C:\Program Files\msgr8us.exe
2008-04-16 22:01 . 2008-04-16 22:02 <DIR> d-------- C:\Program Files\kSolo
2008-04-16 12:44 . 2008-04-16 12:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Snapfish
2008-04-15 07:48 . 2008-05-06 09:00 <DIR> d-------- C:\fixwareout
2008-04-15 03:06 . 2008-04-15 03:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 03:05 . 2008-04-15 03:05 <DIR> d-------- C:\Deckard
2008-04-14 14:52 . 2008-04-14 14:52 <DIR> d-------- C:\Program Files\Virtools
2008-04-14 08:57 . 2004-03-08 17:40 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLX
2008-04-14 08:57 . 2004-03-08 17:40 210,944 --a------ C:\WINDOWS\system32\Msvcrt10.dll
2008-04-14 08:57 . 2004-03-08 17:40 57,344 --a------ C:\WINDOWS\system32\icmfilter.dll
2008-04-14 08:57 . 2004-03-08 17:40 32,768 --a------ C:\WINDOWS\system32\plugin.dll
2008-04-13 01:42 . 2008-05-06 19:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-13 01:42 . 2008-04-13 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-13 01:42 . 2008-04-13 01:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-13 01:14 . 2008-04-13 01:14 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-13 00:55 . 2008-04-13 00:55 1,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 00:41 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-13 00:41 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-13 00:41 . 2008-04-12 17:34 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-13 00:41 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-13 00:41 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-13 00:41 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-13 00:41 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 23:49 . 2008-04-12 23:49 <DIR> d-------- C:\Program Files\CCleaner
2008-04-12 23:35 . 2008-04-12 23:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 21:25 . 2008-04-16 12:44 2,400 --a------ C:\WINDOWS\mozver.dat
2008-04-12 21:14 . 2008-04-12 21:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-12 21:13 . 2008-04-12 21:13 6,039,144 --a------ C:\Program Files\Firefox Setup 2.0.0.13.exe
2008-04-12 21:02 . 2008-04-12 21:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc
2008-04-11 16:21 . 2008-04-11 16:21 <DIR> d-------- C:\Program Files\SimPE
2008-04-11 14:36 . 2008-04-25 13:02 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-04-09 23:23 . 2008-04-29 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-09 23:21 . 2008-04-24 12:10 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-09 23:21 . 2008-04-24 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-09 10:21 . 2008-04-09 10:21 50,688 --a------ C:\Program Files\ATF-Cleaner.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 16:36 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-08 14:38 --------- d-----w C:\Program Files\Corel
2008-05-07 06:47 --------- d-----w C:\Program Files\LimeWire
2008-05-07 02:05 --------- d-----w C:\Program Files\John Deere American Farmer Deluxe
2008-05-06 04:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-13 06:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 05:23 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-10 16:13 --------- d-----w C:\Program Files\Google
2008-04-08 15:25 --------- d-----w C:\Program Files\MySpace
2008-04-08 15:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MySpace
2008-04-07 19:54 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-07 19:54 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-07 19:54 --------- d-----w C:\Program Files\Real
2008-04-07 19:54 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-07 19:54 --------- d-----w C:\Program Files\Common Files\Real
2008-04-07 00:39 4,506,256 ----a-w C:\Program Files\LimeWireWin.exe
2008-04-06 21:17 --------- d-----w C:\Program Files\EA GAMES
2008-04-06 21:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-06 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-06 10:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-06 10:19 --------- d-----w C:\Program Files\iTunes
2008-04-06 10:19 --------- d-----w C:\Program Files\iPod
2008-04-06 10:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-06 10:18 --------- d-----w C:\Program Files\Apple Software Update
2008-04-06 10:17 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-06 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-05 15:58 --------- d-----w C:\Program Files\Java
2008-04-05 15:57 --------- d-----w C:\Program Files\Common Files\Java
2008-04-05 15:36 --------- d-----w C:\Program Files\McAfee
2008-04-05 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
.

((((((((((((((((((((((((((((( snapshot_2008-05-07_20.23.51.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-08 01:10:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 20:30:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-07 14:52:26 394,534 ----a-r C:\WINDOWS\Installer\{64E72FB1-2343-4977-B4A8-262CD53D0BD3}\ARPPRODUCTICON.exe
+ 2008-05-08 14:40:55 394,534 ----a-r C:\WINDOWS\Installer\{64E72FB1-2343-4977-B4A8-262CD53D0BD3}\ARPPRODUCTICON.exe
- 2008-05-07 14:52:26 22,486 ----a-r C:\WINDOWS\Installer\{64E72FB1-2343-4977-B4A8-262CD53D0BD3}\NewShortcut1.73D5A293_D496_4B44_B535_AA8F98088895.exe
+ 2008-05-08 14:40:55 22,486 ----a-r C:\WINDOWS\Installer\{64E72FB1-2343-4977-B4A8-262CD53D0BD3}\NewShortcut1.73D5A293_D496_4B44_B535_AA8F98088895.exe
- 2008-05-07 14:50:22 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2008-05-08 14:39:39 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
- 2008-05-07 14:50:22 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
+ 2008-05-08 14:39:40 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18 15360]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-13 14:07 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-13 13:53 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"tkbellexe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-07 14:54 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 15:32 8699904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe

*Newly Created Service* - catchme
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 20:50:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-08 20:53:13
ComboFix-quarantined-files.txt 2008-05-09 01:52:57
ComboFix2.txt 2008-05-08 02:46:39
ComboFix3.txt 2008-05-08 01:25:47
ComboFix4.txt 2008-04-16 02:41:33
ComboFix5.txt 2008-04-15 19:45:59

Pre-Run: 26,915,483,648 bytes free
Post-Run: 26,907,836,416 bytes free

210

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 08, 2008 10:38:02 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/05/2008
Kaspersky Anti-Virus database records: 748659
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 55371
Number of viruses found: 42
Number of infected objects: 137
Number of suspicious objects: 0
Duration of the scan process: 01:00:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.15929 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.32942/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.32942 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.42488 Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.49407 Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.53250 Infected: Backdoor.Win32.EggDrop.v skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.70412 Infected: Trojan.Win32.Scapur.k skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.71626 Infected: P2P-Worm.Win32.VB.dw skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.82081 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.88250 Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.95699 Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\Pc Cleaners\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008050820080509\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Csvnro\Csvnro.exe Infected: not-a-virus:AdWare.Win32.Rond.e skipped
C:\Program Files\LimeWire\Incomplete\T-113234-Corel Paint Shop Pro Photo X2 v12.0.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\Program Files\LimeWire\Incomplete\T-113234-Corel Paint Shop Pro Photo X2 v12.0.zip ZIP: infected - 1 skipped
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro 9 ( Full Working).zip/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro 9 ( Full Working).zip ZIP: infected - 1 skipped
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro Photo X2 v12.0.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro Photo X2 v12.0.zip ZIP: infected - 1 skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\QooBox\Quarantine\C\jgkpt.exe.vir Infected: Trojan-Downloader.Win32.Agent.mws skipped
C:\QooBox\Quarantine\C\WINDOWS\ogxtsepr.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.dxz skipped
C:\QooBox\Quarantine\C\WINDOWS\Resources\DrvComponent.dll.vir Infected: Trojan.Win32.Agent.jvv skipped
C:\QooBox\Quarantine\C\WINDOWS\Resources\SrvRom.dll.vir Infected: Trojan.Win32.Agent.jvv skipped
C:\QooBox\Quarantine\C\WINDOWS\spnkfwad.exe.vir Infected: not-a-virus:AdWare.Win32.Vapsup.dxz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bkEur18\bkEur182328.exe.vir Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\byXpmNEx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.nmz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cNF\srkcont3.exe.vir/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cNF\srkcont3.exe.vir/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cNF\srkcont3.exe.vir/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cNF\srkcont3.exe.vir/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cNF\srkcont3.exe.vir NSIS: infected - 4 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\din3\is-setup03x.exe.vir Infected: Trojan.Win32.Agent.lom skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ferkdutj.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geBstsqn.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\luylqxef.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mkrbgswn.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ntmcylkb.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRHBTnK.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xdb4\DB-1bn.exe.vir Infected: Trojan-Downloader.Win32.Small.vab skipped
C:\QooBox\Quarantine\catchme2008-04-15_213705.48.zip/Documents and Settings/Administrator/Desktop/catchme.zip/zeqbqwp.sys Infected: Trojan-Clicker.Win32.Costrat.fn skipped
C:\QooBox\Quarantine\catchme2008-04-15_213705.48.zip/Documents and Settings/Administrator/Desktop/catchme.zip Infected: Trojan-Clicker.Win32.Costrat.fn skipped
C:\QooBox\Quarantine\catchme2008-04-15_213705.48.zip ZIP: infected - 2 skipped
C:\QooBox\Quarantine\catchme2008-05-07_200822.56.zip/ddcYpqon.dll Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-05-07_200822.56.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP23\A0008480.exe Infected: Trojan-Downloader.Win32.Homles.bf skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP24\A0008495.dll Infected: Trojan-Downloader.Win32.Zlob.lec skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP24\A0008496.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP24\A0008498.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP24\A0008499.exe/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.nmp skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP24\A0008499.exe/keygen.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP24\A0008499.exe/serial.exe Infected: Trojan-Downloader.Win32.Small.ugy skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP24\A0008499.exe RAR: infected - 3 skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008593.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008595.dll Infected: Trojan-Downloader.Win32.Zlob.lec skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008596.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008599.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008602.dll Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008603.dll Infected: Trojan.Win32.Agent.jvv skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008604.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008677.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dxz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008679.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008680.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008686.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008689.dll Infected: Trojan.Win32.Agent.jvv skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008691.dll Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008695.exe Infected: Trojan-Downloader.Win32.Zlob.lde skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008696.dll Infected: Trojan-Downloader.Win32.Zlob.lcz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008697.exe Infected: Trojan-Downloader.Win32.Zlob.ldk skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008699.exe Infected: Trojan-Downloader.Win32.Zlob.ldk skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008700.exe Infected: Trojan-Downloader.Win32.Zlob.ldd skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008701.exe Infected: Trojan-Downloader.Win32.Homles.bf skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008714.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008715.dll Infected: Trojan-Downloader.Win32.Zlob.lec skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008788.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008789.dll Infected: Trojan-Downloader.Win32.Zlob.lec skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008791.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008798.dll Infected: Trojan-Downloader.Win32.Zlob.lec skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008799.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008806.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008807.dll Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008814.dll Infected: Trojan-Downloader.Win32.Zlob.lec skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008815.exe Infected: Trojan-Downloader.Win32.Zlob.ldk skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008817.exe Infected: Trojan-Downloader.Win32.Zlob.ldk skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008818.exe Infected: Trojan-Downloader.Win32.Zlob.ldc skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008819.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008820.exe Infected: Trojan-Downloader.Win32.Zlob.ldd skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008822.dll Infected: Trojan-Downloader.Win32.Zlob.lcz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008823.exe Infected: Trojan-Downloader.Win32.Zlob.lde skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008832.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP25\A0008834.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP27\A0008868.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP27\A0008869.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP27\A0008870.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP27\A0008872.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nmz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP29\A0009106.dll Infected: Trojan.Win32.Agent.jvv skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP29\A0009107.dll Infected: Trojan.Win32.Agent.jvv skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP29\A0009108.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nmz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP29\A0009109.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP30\A0009195.exe Infected: Trojan-Downloader.Win32.Agent.mws skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP30\A0009197.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP30\A0009198.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dxz skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP30\A0009741.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP30\A0009741.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP30\A0009742.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP30\A0009742.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP30\A0009743.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP30\A0009743.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP34\A0011558.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP34\A0011558.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP34\A0011565.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP34\A0011566.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP34\A0011576.exe/data0006 Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP34\A0011576.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP34\A0012567.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP39\A0012904.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP39\A0012905.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP39\A0012906.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP39\A0012907.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP39\A0012908.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP42\A0013657.exe Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP42\A0013658.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP42\A0013658.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP42\A0013658.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP42\A0013658.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP42\A0013658.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP42\A0013659.exe Infected: Trojan.Win32.Agent.lom skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP42\A0013660.exe Infected: Trojan-Downloader.Win32.Small.vab skipped
C:\System Volume Information\_restore{07F39A20-5D26-4714-A64D-831B86EA8DDD}\RP42\change.log Object is locked skipped
C:\WINDOWS\b999.exe Infected: Trojan-Downloader.Win32.Agent.ofz skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\{d6b81159-8dba-45e0-b0fe-971f93b1dd70}\zip.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bkEur07\bkEur071084.exe Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\g19.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bks skipped
C:\WINDOWS\system32\g19.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.bks skipped
C:\WINDOWS\system32\g19.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender: Male
  • Location: Pickerington, Ohio
  • Local time: 08:25 AM

Posted 09 May 2008 - 08:27 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Folder::
C:\WINDOWS\system32\bkEur07
C:\Program Files\Csvnro

File::
C:\WINDOWS\system32\g19.exe
C:\WINDOWS\system32\7717.bat
C:\WINDOWS\Installer\{d6b81159-8dba-45e0-b0fe-971f93b1dd70}\zip.dll
C:\WINDOWS\b999.exe
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro Photo X2 v12.0.zip
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro 9 ( Full Working).zip
C:\Program Files\LimeWire\Incomplete\T-113234-Corel Paint Shop Pro Photo X2 v12.0.zip
C:\Documents and Settings\Administrator\Desktop\Pc Cleaners\Download_mbam-setup.exe

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
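The Kaspersky scan output posted above mixes three kinds of lines (live-file detections, detections inside System Restore points, and locked system files that were merely skipped), and the CFScript in the reply is assembled from those paths by hand. What follows is an added example, not code from the thread, ComboFix or Kaspersky: a small Python triage script that parses that log format (the line patterns are assumed from the lines shown in the thread), collapses archive-member entries such as g19.exe/stream/data0002 onto the file that exists on disk, separates restore-point hits from live hits, and drafts the File:: section of a CFScript from the live ones. The sample lines are constructed from paths in the thread with a placeholder restore GUID; the function names are this example's own.

```python
"""Triage a Kaspersky scan log and draft the File:: section of a CFScript.

Added example (not from the thread, ComboFix or Kaspersky). The line
formats below are assumed from the scan output posted in the thread.
"""
import re
from collections import defaultdict

# Line formats as they appear in the posted log (assumed, not a vendor spec):
#   <path>[/<archive member>] Infected: <detection> skipped
#   <path> Object is locked skipped
#   <path> NSIS: infected - <n> skipped   (archive summary line)
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) \w+: infected - (?P<count>\d+) skipped$")

# Hits under this marker sit in System Restore snapshots, not on the live system.
RESTORE_MARKER = "\\system volume information\\_restore"

# Constructed sample lines modelled on the posted log; the restore GUID is a placeholder.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP42\A0013657.exe Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP42\change.log Object is locked skipped
C:\WINDOWS\b999.exe Infected: Trojan-Downloader.Win32.Agent.ofz skipped
C:\WINDOWS\system32\g19.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bks skipped
C:\WINDOWS\system32\g19.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.bks skipped
C:\WINDOWS\system32\g19.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\bkEur07\bkEur071084.exe Infected: Trojan-Downloader.Win32.VB.edw skipped
"""


def on_disk_path(scan_path):
    """The scanner appends '/member' for objects inside an archive or installer;
    the file that actually exists on disk is the part before the first '/'."""
    return scan_path.split("/", 1)[0]


def parse_scan_log(text):
    """Turn raw log lines into records of kind 'infected', 'locked' or 'archive'."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            records.append({"kind": "infected",
                            "path": on_disk_path(m.group("path")),
                            "detection": m.group("name")})
            continue
        m = LOCKED_RE.match(line)
        if m:
            records.append({"kind": "locked", "path": m.group("path"), "detection": None})
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            records.append({"kind": "archive", "path": m.group("path"), "detection": None})
    return records


def triage(records):
    """Split detections into live-file hits and restore-point hits; list locked objects.

    Returns {'live': {path: {detections}}, 'restore_point': {path: {detections}},
             'locked': [paths]}."""
    live, restore, locked = defaultdict(set), defaultdict(set), []
    for rec in records:
        if rec["kind"] == "locked":
            locked.append(rec["path"])
        elif rec["kind"] == "infected":
            bucket = restore if RESTORE_MARKER in rec["path"].lower() else live
            bucket[rec["path"]].add(rec["detection"])
    return {"live": dict(live), "restore_point": dict(restore), "locked": locked}


def draft_cfscript(result):
    """Draft only the File:: section from live hits; Folder:: entries and
    restore-point hits are deliberately left to a human decision."""
    return "File::\n" + "\n".join(sorted(result["live"])) + "\n"


if __name__ == "__main__":
    result = triage(parse_scan_log(SAMPLE_LOG))
    for path, names in sorted(result["live"].items()):
        print(f"LIVE  {path}  <- {', '.join(sorted(names))}")
    print(f"restore-point hits: {len(result['restore_point'])}, "
          f"locked objects: {len(result['locked'])}")
    print(draft_cfscript(result))
```

The script stops short of two decisions on purpose. Hits under System Volume Information are not put in the script because they are cleared by purging System Restore after the clean-up, and a Folder:: line (such as the bkEur07 directory in the reply above) needs someone to look at the directory's contents before deleting it wholesale. "Object is locked" entries are registry hives, event logs and similar in-use files, not detections, so they are only counted.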

#14 DropShadow

DropShadow
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time: 08:25 AM

Posted 09 May 2008 - 03:54 PM

I think it's running fine now... no more pop-ups! But I still can't change my homepage back to Google; it's changed back on IE but not Firefox.... thanks for the help :)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:33 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [tkbellexe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189513246687
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4627 bytes

ComboFix 08-05-01.3 - Administrator 2008-05-09 14:31:04.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.138 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Administrator\Desktop\Pc Cleaners\Download_mbam-setup.exe
C:\Program Files\LimeWire\Incomplete\T-113234-Corel Paint Shop Pro Photo X2 v12.0.zip
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro 9 ( Full Working).zip
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro Photo X2 v12.0.zip
C:\WINDOWS\b999.exe
C:\WINDOWS\Installer\{d6b81159-8dba-45e0-b0fe-971f93b1dd70}\zip.dll
C:\WINDOWS\system32\7717.bat
C:\WINDOWS\system32\g19.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Pc Cleaners\Download_mbam-setup.exe
C:\Program Files\Csvnro
C:\Program Files\Csvnro\Csvnro.exe
C:\Program Files\LimeWire\Incomplete\T-113234-Corel Paint Shop Pro Photo X2 v12.0.zip
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro 9 ( Full Working).zip
C:\Program Files\LimeWire\Shared\Corel Paint Shop Pro Photo X2 v12.0.zip
C:\WINDOWS\b999.exe
C:\WINDOWS\Installer\{d6b81159-8dba-45e0-b0fe-971f93b1dd70}\zip.dll
C:\WINDOWS\system32\7717.bat
C:\WINDOWS\system32\bkEur07
C:\WINDOWS\system32\bkEur07\bkEur071084.exe
C:\WINDOWS\system32\g19.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 00:52 . 2008-05-09 00:53 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-05-07 09:55 . 2008-05-09 00:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-05-07 09:54 . 2008-05-07 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-07 09:34 . 2008-05-07 09:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-05-06 14:50 . 2008-05-06 14:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 14:50 . 2008-05-06 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 10:35 . 2008-05-06 10:37 <DIR> d-------- C:\Program Files\Executive Software
2008-05-06 07:35 . 2008-05-06 07:35 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-05-05 23:04 . 2008-05-06 23:04 109,709 --a------ C:\WINDOWS\BM8fe4465b.xml
2008-05-05 22:50 . 2008-05-05 22:59 <DIR> d-------- C:\Program Files\Svconr
2008-05-05 22:50 . 2008-05-05 23:08 <DIR> d-------- C:\Program Files\Spcron
2008-05-05 22:50 . 2008-05-05 22:50 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-05-05 22:46 . 2008-05-08 20:48 <DIR> d-------- C:\Temp
2008-05-05 21:52 . 2008-05-05 22:50 <DIR> d-------- C:\Program Files\Incomplete
2008-05-02 23:58 . 2008-05-02 23:58 <DIR> d-------- C:\Program Files\SuperBladePro
2008-04-24 11:11 . 2008-04-24 11:12 <DIR> d-------- C:\Program Files\QuickTime
2008-04-24 11:00 . 2008-04-24 11:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\QQ Games Plugin
2008-04-24 10:50 . 2008-04-24 10:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-04-24 10:48 . 2008-04-24 10:48 <DIR> d-------- C:\Program Files\Tencent
2008-04-24 10:46 . 2008-04-24 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-24 10:46 . 2008-04-24 10:46 21 --a------ C:\WINDOWS\atid.ini
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Program Files\Viewpoint
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-24 10:45 . 2008-04-24 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-24 10:45 . 2008-04-24 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-24 10:44 . 2008-04-24 10:48 <DIR> d-------- C:\Program Files\AIM6
2008-04-24 10:44 . 2008-04-24 10:49 1,293 --ah----- C:\IPH.PH
2008-04-17 16:28 . 2008-04-17 16:28 449,784 --a------ C:\Program Files\msgr8us.exe
2008-04-16 22:01 . 2008-04-16 22:02 <DIR> d-------- C:\Program Files\kSolo
2008-04-16 12:44 . 2008-04-16 12:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Snapfish
2008-04-15 07:48 . 2008-05-06 09:00 <DIR> d-------- C:\fixwareout
2008-04-15 03:06 . 2008-04-15 03:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 03:05 . 2008-04-15 03:05 <DIR> d-------- C:\Deckard
2008-04-14 14:52 . 2008-04-14 14:52 <DIR> d-------- C:\Program Files\Virtools
2008-04-14 08:57 . 2004-03-08 17:40 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLX
2008-04-14 08:57 . 2004-03-08 17:40 210,944 --a------ C:\WINDOWS\system32\Msvcrt10.dll
2008-04-14 08:57 . 2004-03-08 17:40 57,344 --a------ C:\WINDOWS\system32\icmfilter.dll
2008-04-14 08:57 . 2004-03-08 17:40 32,768 --a------ C:\WINDOWS\system32\plugin.dll
2008-04-13 01:42 . 2008-05-06 19:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-13 01:42 . 2008-04-13 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-13 01:42 . 2008-04-13 01:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-13 01:15 . 2008-04-13 01:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-13 01:14 . 2008-04-13 01:14 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-13 00:55 . 2008-04-13 00:55 1,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 00:41 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-13 00:41 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-13 00:41 . 2008-04-12 17:34 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-13 00:41 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-13 00:41 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-13 00:41 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-13 00:41 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-12 23:49 . 2008-04-12 23:49 <DIR> d-------- C:\Program Files\CCleaner
2008-04-12 23:35 . 2008-04-12 23:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 21:25 . 2008-04-16 12:44 2,400 --a------ C:\WINDOWS\mozver.dat
2008-04-12 21:14 . 2008-04-12 21:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-12 21:13 . 2008-04-12 21:13 6,039,144 --a------ C:\Program Files\Firefox Setup 2.0.0.13.exe
2008-04-12 21:02 . 2008-04-12 21:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc
2008-04-11 16:21 . 2008-04-11 16:21 <DIR> d-------- C:\Program Files\SimPE
2008-04-11 14:36 . 2008-04-25 13:02 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-04-09 23:23 . 2008-04-29 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-09 23:21 . 2008-04-24 12:10 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-09 23:21 . 2008-04-24 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-09 10:21 . 2008-04-09 10:21 50,688 --a------ C:\Program Files\ATF-Cleaner.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 07:42 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-09 05:52 --------- d-----w C:\Program Files\Corel
2008-05-07 06:47 --------- d-----w C:\Program Files\LimeWire
2008-05-07 02:05 --------- d-----w C:\Program Files\John Deere American Farmer Deluxe
2008-05-06 04:34 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-13 06:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 05:23 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-10 16:13 --------- d-----w C:\Program Files\Google
2008-04-08 15:25 --------- d-----w C:\Program Files\MySpace
2008-04-08 15:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MySpace
2008-04-07 19:54 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-04-07 19:54 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-04-07 19:54 --------- d-----w C:\Program Files\Real
2008-04-07 19:54 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-07 19:54 --------- d-----w C:\Program Files\Common Files\Real
2008-04-07 00:39 4,506,256 ----a-w C:\Program Files\LimeWireWin.exe
2008-04-06 21:17 --------- d-----w C:\Program Files\EA GAMES
2008-04-06 21:11 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-06 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-06 10:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-06 10:19 --------- d-----w C:\Program Files\iTunes
2008-04-06 10:19 --------- d-----w C:\Program Files\iPod
2008-04-06 10:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-06 10:18 --------- d-----w C:\Program Files\Apple Software Update
2008-04-06 10:17 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-06 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-05 15:58 --------- d-----w C:\Program Files\Java
2008-04-05 15:57 --------- d-----w C:\Program Files\Common Files\Java
2008-04-05 15:36 --------- d-----w C:\Program Files\McAfee
2008-04-05 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
.

((((((((((((((((((((((((((((( snapshot_2008-05-07_20.23.51.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-08 01:10:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 18:53:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-07 14:52:26 394,534 ----a-r C:\WINDOWS\Installer\{64E72FB1-2343-4977-B4A8-262CD53D0BD3}\ARPPRODUCTICON.exe
+ 2008-05-09 05:54:43 394,534 ----a-r C:\WINDOWS\Installer\{64E72FB1-2343-4977-B4A8-262CD53D0BD3}\ARPPRODUCTICON.exe
- 2008-05-07 14:52:26 22,486 ----a-r C:\WINDOWS\Installer\{64E72FB1-2343-4977-B4A8-262CD53D0BD3}\NewShortcut1.73D5A293_D496_4B44_B535_AA8F98088895.exe
+ 2008-05-09 05:54:43 22,486 ----a-r C:\WINDOWS\Installer\{64E72FB1-2343-4977-B4A8-262CD53D0BD3}\NewShortcut1.73D5A293_D496_4B44_B535_AA8F98088895.exe
- 2008-05-07 14:50:22 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2008-05-09 05:53:27 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
- 2008-05-07 14:50:22 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
+ 2008-05-09 05:53:28 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:18 15360]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-13 14:07 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-13 13:53 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"tkbellexe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-07 14:54 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 15:32 8699904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 14:33:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-09 14:36:34
ComboFix-quarantined-files.txt 2008-05-09 19:35:38
ComboFix2.txt 2008-05-09 01:53:14
ComboFix3.txt 2008-05-08 02:46:39
ComboFix4.txt 2008-05-08 01:25:47
ComboFix5.txt 2008-04-16 02:41:33

Pre-Run: 26,170,384,384 bytes free
Post-Run: 26,162,532,352 bytes free

205

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender: Male
  • Location: Pickerington, Ohio
  • Local time: 08:25 AM

Posted 10 May 2008 - 07:03 AM

What's your home page in Firefox stuck on?

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Dirlook::
C:\Program Files\Svconr
C:\Program Files\Spcron

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================