Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help! I'm New And I Have A Problem...


  • This topic is locked This topic is locked
6 replies to this topic

#1 wasslinwabbit

wasslinwabbit

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 22 April 2008 - 05:31 PM

Please help me if you can. My computer is very new and I never had a problem like this before with my old one. Here are the logs...


Deckard's System Scanner v20071014.68
Run by Denver on 2008-04-22 18:17:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
7: 2008-04-22 20:54:05 UTC - RP84 - Windows Update
6: 2008-04-19 13:29:04 UTC - RP83 - Windows Update
5: 2008-04-18 16:20:17 UTC - RP82 - Removed Google Toolbar for Internet Explorer
4: 2008-04-18 16:19:44 UTC - RP81 - Removed VidiotMaps Map Overlay
3: 2008-04-18 12:30:36 UTC - RP79 - Restore Operation


-- First Restore Point --
1: 2008-04-18 12:14:57 UTC - RP77 - Windows Update


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Denver.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:57 PM, on 4/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\qjkvczkz\gdohspql.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\IOI\ButtonMonitor.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\NCSoft\Launcher\NCLauncher.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\Denver\Downloads\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Denver.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...TP&M=GM5664
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GM5664
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...TP&M=GM5664
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {62CB0A16-5570-490B-8E1F-DC9D4EF5EC87} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\IOI\ButtonMonitor.exe
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PlayNC Launcher] C:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - HKLM\..\Policies\Explorer\Run: [21x9hFhxLB] C:\ProgramData\qjkvczkz\gdohspql.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6831 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Microsoft WPD FileSystem Volume Driver
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_IOI-MMC&PROD_&REV_#20021111153705700#
Manufacturer: IOI-MMC
Name: Microsoft WPD FileSystem Volume Driver
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_IOI-MMC&PROD_&REV_#20021111153705700#
Service: WUDFRd


-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-22 18:19:44 0 d-------- C:\Program Files\Trend Micro
2008-04-22 17:03:52 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-04-22 17:03:52 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-04-18 23:56:17 0 d-------- C:\Program Files\a-squared Free
2008-04-18 10:25:58 0 d-------- C:\Users\All Users\PCPitstop
2008-04-18 09:58:53 0 d-------- C:\Program Files\NetDuster
2008-04-14 11:52:15 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-13 22:28:23 183521 --ahs---- C:\Windows\system32\qBJPXFhk.ini2
2008-04-13 22:23:26 0 dr-h----- C:\$VAULT$.AVG
2008-04-13 22:23:20 0 d-------- C:\Users\All Users\qjkvczkz
2008-04-12 20:33:43 0 d-------- C:\Windows\system32\Adobe
2008-04-04 17:51:19 0 d-------- C:\Program Files\QuickTime
2008-04-04 17:51:18 0 d-------- C:\Users\All Users\Apple Computer
2008-03-27 11:14:55 0 d-------- C:\Program Files\Disney
2008-03-22 17:52:44 0 d-------- C:\PerfLogs


-- Find3M Report ---------------------------------------------------------------

2008-04-22 16:51:36 0 d-------- C:\Users\Denver\AppData\Roaming\Spare Backup
2008-04-22 16:51:00 0 d-------- C:\Users\Denver\AppData\Roaming\AVG7
2008-04-21 19:17:33 0 d-------- C:\Program Files\City of Heroes
2008-04-19 00:16:16 0 d-------- C:\Program Files\Google
2008-04-18 12:19:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 23:28:51 0 d-------- C:\Users\Denver\AppData\Roaming\LimeWire
2008-04-09 14:07:45 0 d-------- C:\Program Files\Windows Mail
2008-04-06 16:24:50 0 d-------- C:\Program Files\World of Warcraft
2008-03-22 17:58:38 174 --ahs---- C:\Program Files\desktop.ini
2008-03-22 17:55:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-22 17:54:05 0 d-------- C:\Program Files\Windows Sidebar
2008-03-22 17:54:05 0 d-------- C:\Program Files\Windows Calendar
2008-03-22 17:54:05 0 d-------- C:\Program Files\Movie Maker
2008-03-22 17:54:03 0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-22 17:54:03 0 d-------- C:\Program Files\Windows Journal
2008-03-22 17:54:03 0 d-------- C:\Program Files\Windows Collaboration
2008-03-22 17:53:59 0 d-------- C:\Program Files\Windows Defender
2008-03-22 16:45:20 0 d-------- C:\Program Files\Norton Internet Security
2008-03-17 11:08:19 0 d-------- C:\Program Files\Common Files
2008-03-12 20:58:53 0 d-------- C:\Program Files\IOI
2008-03-02 10:13:13 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-01 21:50:49 0 d-------- C:\Users\Denver\AppData\Roaming\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62CB0A16-5570-490B-8E1F-DC9D4EF5EC87}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 04:35 PM]
"RtHDVCpl"="RtHDVCpl.exe" [10/31/2007 12:35 AM C:\Windows\RtHDVCpl.exe]
"ButtonMonitor"="C:\Program Files\IOI\ButtonMonitor.exe" [05/11/2007 01:55 AM]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [09/13/2007 08:22 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [03/14/2007 10:01 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [02/07/2007 05:21 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/15/2008 10:33 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 03:33 AM]
"PlayNC Launcher"="C:\Program Files\NCSoft\Launcher\NCLauncher.exe" [02/02/2008 09:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

C:\Users\Denver\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 8:45:42 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"21x9hFhxLB"=C:\ProgramData\qjkvczkz\gdohspql.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 03/19/2008 09:29 AM 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\khFXPJBq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fe04bdb-9c11-11dc-b62d-806e6f6e6963}]
AutoRun\command- F:\Autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8307 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-22 18:21:31 ------------


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 22, 2008 6:15:05 PM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/04/2008
Kaspersky Anti-Virus database records: 645368
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\Windows
C:\Users\Denver\AppData\Local\Temp\

Scan Statistics:
Total number of scanned objects: 54786
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:18:06

Infected Object Name / Virus Name / Last Action
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{E3CB28B1-017C-4A40-BEC1-F4CF20EDC93E}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{672a9ab3-0d40-11dd-80af-001e90641780}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{672a9ab3-0d40-11dd-80af-001e90641780}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{672a9ab3-0d40-11dd-80af-001e90641780}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{672a9ab3-0d40-11dd-80af-001e90641780}.TxR.blf Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.002 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\ACEEventLog.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped

Scan process completed.

BC AdBot (Login to Remove)

 


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 26 April 2008 - 04:05 PM

Hi

Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#3 wasslinwabbit

wasslinwabbit
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 27 April 2008 - 12:11 PM

Thank you so much! I have ran these programs and here are the logs...

ComboFix 08-04-26.5 - Denver 2008-04-27 12:58:35.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2055 [GMT -4:00]
Running from: C:\Users\Denver\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\System32\qBJPXFhk.ini
C:\Windows\System32\qBJPXFhk.ini2
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://launcher.patcher.ncsoft.com
.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 12:31 . 2008-04-27 12:31 <DIR> d-------- C:\Users\Denver\AppData\Roaming\Malwarebytes
2008-04-27 12:31 . 2008-04-27 12:31 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-27 12:31 . 2008-04-27 12:31 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-27 12:30 . 2008-04-27 12:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 12:18 . 2008-04-27 12:18 102,400 --a------ C:\Windows\System32\yladonqz.exe
2008-04-25 21:12 . 2008-04-25 21:12 <DIR> d-------- C:\Users\All Users\media center programs
2008-04-25 21:12 . 2008-04-25 21:12 <DIR> d-------- C:\ProgramData\media center programs
2008-04-25 20:33 . 2008-04-25 20:33 <DIR> d-------- C:\Program Files\Funcom
2008-04-25 20:31 . 2008-04-25 20:31 <DIR> d-------- C:\Users\All Users\Funcom
2008-04-25 20:31 . 2008-04-25 20:31 <DIR> d-------- C:\ProgramData\Funcom
2008-04-23 23:10 . 2008-04-25 17:34 <DIR> d-------- C:\Users\Denver\AppData\Roaming\IGN_DLM
2008-04-23 23:03 . 2008-04-23 23:03 <DIR> d-------- C:\Program Files\Download Manager
2008-04-22 18:19 . 2008-04-22 18:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 18:17 . 2008-04-22 18:17 <DIR> d-------- C:\Deckard
2008-04-22 17:03 . 2008-04-22 17:03 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-04-22 17:03 . 2008-04-22 17:03 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-04-22 17:03 . 2008-04-22 17:03 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-04-18 23:56 . 2008-04-19 12:14 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-18 10:25 . 2008-04-18 10:25 <DIR> d-------- C:\Users\All Users\PCPitstop
2008-04-18 10:25 . 2008-04-18 10:25 <DIR> d-------- C:\ProgramData\PCPitstop
2008-04-18 09:58 . 2008-04-18 10:04 <DIR> d-------- C:\Program Files\NetDuster
2008-04-18 08:33 . 2008-04-18 08:35 524,288 --ahs---- C:\Users\Denver\ntuser.dat{672a9ad0-0d40-11dd-80af-001e90641780}.TMContainer00000000000000000002.regtrans-ms
2008-04-18 08:33 . 2008-04-27 13:01 524,288 --ahs---- C:\Users\Denver\ntuser.dat{672a9ad0-0d40-11dd-80af-001e90641780}.TMContainer00000000000000000001.regtrans-ms
2008-04-18 08:33 . 2008-04-27 13:01 65,536 --ahs---- C:\Users\Denver\ntuser.dat{672a9ad0-0d40-11dd-80af-001e90641780}.TM.blf
2008-04-14 11:52 . 2008-04-18 08:31 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-14 11:52 . 2008-04-18 08:31 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-14 11:52 . 2008-04-14 11:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-13 22:23 . 2008-04-27 12:51 <DIR> d-------- C:\Users\All Users\qjkvczkz
2008-04-13 22:23 . 2008-04-27 12:51 <DIR> d-------- C:\ProgramData\qjkvczkz
2008-04-13 22:23 . 2008-04-26 22:43 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-12 20:33 . 2008-04-12 20:45 <DIR> d-------- C:\Windows\System32\Adobe
2008-04-11 17:28 . 2008-04-21 13:28 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-11 17:28 . 2008-04-11 17:28 1,409 --a------ C:\Windows\QTFont.for
2008-04-08 18:00 . 2008-02-29 03:11 988,216 --a------ C:\Windows\System32\winload.exe
2008-04-08 18:00 . 2008-02-29 03:11 927,288 --a------ C:\Windows\System32\winresume.exe
2008-04-08 18:00 . 2008-02-22 01:05 615,992 --a------ C:\Windows\System32\ci.dll
2008-04-08 18:00 . 2008-02-29 02:53 378,368 --a------ C:\Windows\System32\srcore.dll
2008-04-08 18:00 . 2008-02-29 00:12 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-04-08 18:00 . 2008-02-29 02:53 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-04-08 18:00 . 2008-02-29 02:53 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-08 18:00 . 2008-02-29 03:14 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-08 18:00 . 2008-02-29 00:12 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-04-08 18:00 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-08 17:59 . 2008-02-29 00:21 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-04-08 17:59 . 2008-02-21 22:50 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-08 17:59 . 2008-02-22 01:01 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-08 17:59 . 2008-02-22 00:57 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-04-04 17:51 . 2008-04-04 17:51 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-04-04 17:51 . 2008-04-04 17:51 <DIR> d-------- C:\ProgramData\Apple Computer
2008-04-04 17:51 . 2008-04-04 17:51 <DIR> d-------- C:\Program Files\QuickTime
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-03-27 11:14 . 2008-03-27 11:14 <DIR> d-------- C:\Program Files\Disney

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 17:02 --------- d-----w C:\Users\Denver\AppData\Roaming\Spare Backup
2008-04-27 16:19 --------- d-----w C:\Users\Denver\AppData\Roaming\AVG7
2008-04-26 23:59 --------- d-----w C:\Program Files\City of Heroes
2008-04-19 04:16 --------- d-----w C:\Program Files\Google
2008-04-18 16:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 03:28 --------- d-----w C:\Users\Denver\AppData\Roaming\LimeWire
2008-04-09 18:07 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 01:34 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-06 20:24 --------- d-----w C:\Program Files\World of Warcraft
2008-03-23 15:41 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-22 21:58 174 --sha-w C:\Program Files\desktop.ini
2008-03-22 21:56 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-22 21:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Journal
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Calendar
2008-03-22 21:53 --------- d-----w C:\Program Files\Windows Defender
2008-03-22 21:43 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-22 21:43 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-22 20:45 --------- d-----w C:\ProgramData\Symantec
2008-03-22 20:45 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-19 13:34 --------- d-----w C:\ProgramData\avg7
2008-03-19 13:29 9,216 ----a-w C:\Windows\System32\avgwlntf.dll
2008-03-19 13:29 --------- d-----w C:\ProgramData\Grisoft
2008-03-13 00:58 --------- d-----w C:\Program Files\IOI
2008-03-05 20:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 19:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-02 14:13 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 03:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62CB0A16-5570-490B-8E1F-DC9D4EF5EC87}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"PlayNC Launcher"="C:\Program Files\NCSoft\Launcher\NCLauncher.exe" [2008-02-02 21:10 38128]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 17:57 1103480]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 03:38 1008184]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 16:35 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-31 00:35 4702208 C:\Windows\RtHDVCpl.exe]
"ButtonMonitor"="C:\Program Files\IOI\ButtonMonitor.exe" [2007-05-11 01:55 53248]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [2007-09-13 20:22 5252936]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 22:01 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 17:21 54832]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 10:33 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-19 09:29 219136]

C:\Users\Denver\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 08:45:42 101784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-03-19 09:29 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1093248893-2495564940-1162472623-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0998DE3E-871A-462E-BFAB-85AA02834860}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{00E24E32-92E5-48DC-95D5-95B07E33F103}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0D63AB6A-7C8E-4E19-8D47-1D16B5D0E568}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{9584D6B6-6965-43DA-B9A4-EA5052303FF6}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{95D6AF77-AE39-48EE-A455-A0AE22012BF3}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{6F227384-35B0-455C-8040-38D283AE39D5}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{079C4249-F13D-468E-A552-D786C291AAA0}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{61811093-0662-412A-A93D-6FD802541398}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{C390193F-C22A-4EA1-B6B3-086E2B9A9503}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
"{9CD9B82C-8451-401B-BF98-19228043B699}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
"{38E950A2-A08B-4EFF-A1FB-72443928035A}"= C:\Program Files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{2D8D63AD-7CF7-4213-B517-629058D7385A}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{678D9CCA-B25F-4147-9063-9B24630A641C}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{8A1C313B-EBBD-4D42-AF03-8E11AFCD84AA}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{DD75C9AB-D346-4354-9DA8-DD16F39C802E}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{FBB49A82-A033-4B62-9CFE-9F10EDCD42FC}"= UDP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
"{D97E7799-F932-4185-ABD9-6ABAF017641B}"= TCP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
"TCP Query User{D18AE5EC-D58D-47A6-AF2A-09B7A7AD8DE7}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{629DE0B8-7C79-4AC7-98BC-128163A63259}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-09-04 23:40]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 06:39]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-24 01:41]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-23 11:41]
R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2007-05-12 00:09]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);C:\Windows\system32\DRIVERS\xcbda.sys [2007-05-29 02:51]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 03:30]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 13:02:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-04-27 13:04:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 17:04:23

Pre-Run: 375,507,648,512 bytes free
Post-Run: 375,751,155,712 bytes free

218 --- E O F --- 2008-04-22 20:54:28

Malwarebytes' Anti-Malware 1.11
Database version: 689

Scan type: Quick Scan
Objects scanned: 32355
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\ProgramData\qjkvczkz\gdohspql.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\21x9hFhxLB (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\qjkvczkz\gdohspql.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:11 PM, on 4/27/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\IOI\ButtonMonitor.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\NCSoft\Launcher\NCLauncher.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GM5664
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {62CB0A16-5570-490B-8E1F-DC9D4EF5EC87} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\IOI\ButtonMonitor.exe
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PlayNC Launcher] C:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6672 bytes

#4 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 27 April 2008 - 04:08 PM

Hi

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Windows\System32\yladonqz.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62CB0A16-5570-490B-8E1F-DC9D4EF5EC87}]

DirLook::
C:\Users\All Users\qjkvczkz
C:\ProgramData\qjkvczkz


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#5 wasslinwabbit

wasslinwabbit
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:07 PM

Posted 28 April 2008 - 05:19 PM

Hi again! I did what you asked, the computer seems alot faster but my AVG Virus still is detecting the Obfuskasted trojan. Here are the new combo fix and hijackthis logs:

ComboFix 08-04-26.5 - Denver 2008-04-28 18:04:11.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2241 [GMT -4:00]
Running from: C:\Users\Denver\Downloads\ComboFix.exe
Command switches used :: C:\Users\Denver\Downloads\CFScript.txt
* Created a new restore point

FILE ::
C:\Windows\System32\yladonqz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://launcher.patcher.ncsoft.com
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 12:31 . 2008-04-27 12:31 <DIR> d-------- C:\Users\Denver\AppData\Roaming\Malwarebytes
2008-04-27 12:31 . 2008-04-27 12:31 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-27 12:31 . 2008-04-27 12:31 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-27 12:30 . 2008-04-27 12:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 21:12 . 2008-04-25 21:12 <DIR> d-------- C:\Users\All Users\media center programs
2008-04-25 21:12 . 2008-04-25 21:12 <DIR> d-------- C:\ProgramData\media center programs
2008-04-25 20:33 . 2008-04-25 20:33 <DIR> d-------- C:\Program Files\Funcom
2008-04-25 20:31 . 2008-04-25 20:31 <DIR> d-------- C:\Users\All Users\Funcom
2008-04-25 20:31 . 2008-04-25 20:31 <DIR> d-------- C:\ProgramData\Funcom
2008-04-23 23:10 . 2008-04-25 17:34 <DIR> d-------- C:\Users\Denver\AppData\Roaming\IGN_DLM
2008-04-23 23:03 . 2008-04-23 23:03 <DIR> d-------- C:\Program Files\Download Manager
2008-04-22 18:19 . 2008-04-22 18:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 18:17 . 2008-04-22 18:17 <DIR> d-------- C:\Deckard
2008-04-22 17:03 . 2008-04-22 17:03 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-04-22 17:03 . 2008-04-22 17:03 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-04-22 17:03 . 2008-04-22 17:03 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-04-18 23:56 . 2008-04-19 12:14 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-18 10:25 . 2008-04-18 10:25 <DIR> d-------- C:\Users\All Users\PCPitstop
2008-04-18 10:25 . 2008-04-18 10:25 <DIR> d-------- C:\ProgramData\PCPitstop
2008-04-18 09:58 . 2008-04-18 10:04 <DIR> d-------- C:\Program Files\NetDuster
2008-04-18 08:33 . 2008-04-18 08:35 524,288 --ahs---- C:\Users\Denver\ntuser.dat{672a9ad0-0d40-11dd-80af-001e90641780}.TMContainer00000000000000000002.regtrans-ms
2008-04-18 08:33 . 2008-04-27 21:55 524,288 --ahs---- C:\Users\Denver\ntuser.dat{672a9ad0-0d40-11dd-80af-001e90641780}.TMContainer00000000000000000001.regtrans-ms
2008-04-18 08:33 . 2008-04-27 21:55 65,536 --ahs---- C:\Users\Denver\ntuser.dat{672a9ad0-0d40-11dd-80af-001e90641780}.TM.blf
2008-04-14 11:52 . 2008-04-18 08:31 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-14 11:52 . 2008-04-18 08:31 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-14 11:52 . 2008-04-14 11:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-13 22:23 . 2008-04-27 12:51 <DIR> d-------- C:\Users\All Users\qjkvczkz
2008-04-13 22:23 . 2008-04-27 12:51 <DIR> d-------- C:\ProgramData\qjkvczkz
2008-04-13 22:23 . 2008-04-28 17:59 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-12 20:33 . 2008-04-12 20:45 <DIR> d-------- C:\Windows\System32\Adobe
2008-04-11 17:28 . 2008-04-21 13:28 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-11 17:28 . 2008-04-11 17:28 1,409 --a------ C:\Windows\QTFont.for
2008-04-08 18:00 . 2008-02-29 03:11 988,216 --a------ C:\Windows\System32\winload.exe
2008-04-08 18:00 . 2008-02-29 03:11 927,288 --a------ C:\Windows\System32\winresume.exe
2008-04-08 18:00 . 2008-02-22 01:05 615,992 --a------ C:\Windows\System32\ci.dll
2008-04-08 18:00 . 2008-02-29 02:53 378,368 --a------ C:\Windows\System32\srcore.dll
2008-04-08 18:00 . 2008-02-29 00:12 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-04-08 18:00 . 2008-02-29 02:53 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-04-08 18:00 . 2008-02-29 02:53 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-08 18:00 . 2008-02-29 03:14 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-08 18:00 . 2008-02-29 00:12 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-04-08 18:00 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-08 17:59 . 2008-02-29 00:21 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-04-08 17:59 . 2008-02-21 22:50 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-08 17:59 . 2008-02-22 01:01 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-08 17:59 . 2008-02-22 00:57 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-04-04 17:51 . 2008-04-04 17:51 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-04-04 17:51 . 2008-04-04 17:51 <DIR> d-------- C:\ProgramData\Apple Computer
2008-04-04 17:51 . 2008-04-04 17:51 <DIR> d-------- C:\Program Files\QuickTime
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 21:34 --------- d-----w C:\Program Files\City of Heroes
2008-04-28 21:32 --------- d-----w C:\Users\Denver\AppData\Roaming\Spare Backup
2008-04-28 21:32 --------- d-----w C:\Users\Denver\AppData\Roaming\AVG7
2008-04-19 04:16 --------- d-----w C:\Program Files\Google
2008-04-18 16:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 03:28 --------- d-----w C:\Users\Denver\AppData\Roaming\LimeWire
2008-04-09 18:07 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 01:34 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-06 20:24 --------- d-----w C:\Program Files\World of Warcraft
2008-03-27 15:14 --------- d-----w C:\Program Files\Disney
2008-03-23 15:41 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-22 21:58 174 --sha-w C:\Program Files\desktop.ini
2008-03-22 21:56 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-22 21:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Journal
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-22 21:54 --------- d-----w C:\Program Files\Windows Calendar
2008-03-22 21:53 --------- d-----w C:\Program Files\Windows Defender
2008-03-22 21:43 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-22 21:43 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-22 20:45 --------- d-----w C:\ProgramData\Symantec
2008-03-22 20:45 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-19 13:34 --------- d-----w C:\ProgramData\avg7
2008-03-19 13:29 9,216 ----a-w C:\Windows\System32\avgwlntf.dll
2008-03-19 13:29 --------- d-----w C:\ProgramData\Grisoft
2008-03-13 00:58 --------- d-----w C:\Program Files\IOI
2008-03-05 20:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 20:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 20:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 19:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 19:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-02 14:13 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 03:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\ProgramData\qjkvczkz ----


---- Directory of C:\Users\All Users\qjkvczkz ----



((((((((((((((((((((((((((((( snapshot@2008-04-27_13.03.56.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 17:02:00 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-28 21:32:01 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-28 21:32:01 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-28 21:32:01 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-27 16:30:04 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-28 21:47:13 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-04-27 17:02:20 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-28 21:33:05 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-27 16:58:05 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-04-28 22:03:45 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-04-27 17:02:20 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-28 21:33:00 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-28 21:33:00 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-27 16:52:15 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-28 22:00:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-27 16:52:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-28 22:00:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-27 16:52:15 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-28 22:00:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-27 16:22:29 101,144 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-28 21:38:25 101,144 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-27 16:22:29 595,446 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-28 21:38:25 595,446 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-27 16:20:30 9,342 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1093248893-2495564940-1162472623-1000_UserData.bin
+ 2008-04-28 21:33:59 9,620 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1093248893-2495564940-1162472623-1000_UserData.bin
- 2008-04-27 16:20:29 77,820 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-28 21:33:58 78,096 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-27 16:20:28 35,946 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-28 21:33:53 35,962 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"PlayNC Launcher"="C:\Program Files\NCSoft\Launcher\NCLauncher.exe" [2008-02-02 21:10 38128]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 17:57 1103480]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 03:38 1008184]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 16:35 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-31 00:35 4702208 C:\Windows\RtHDVCpl.exe]
"ButtonMonitor"="C:\Program Files\IOI\ButtonMonitor.exe" [2007-05-11 01:55 53248]
"Spare Backup"="C:\Program Files\Spare Backup\SpareBackup.exe" [2007-09-13 20:22 5252936]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 22:01 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 17:21 54832]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 10:33 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-19 09:29 219136]

C:\Users\Denver\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 08:45:42 101784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-03-19 09:29 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1093248893-2495564940-1162472623-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0998DE3E-871A-462E-BFAB-85AA02834860}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{00E24E32-92E5-48DC-95D5-95B07E33F103}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0D63AB6A-7C8E-4E19-8D47-1D16B5D0E568}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{9584D6B6-6965-43DA-B9A4-EA5052303FF6}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
"{95D6AF77-AE39-48EE-A455-A0AE22012BF3}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{6F227384-35B0-455C-8040-38D283AE39D5}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
"{079C4249-F13D-468E-A552-D786C291AAA0}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{61811093-0662-412A-A93D-6FD802541398}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
"{C390193F-C22A-4EA1-B6B3-086E2B9A9503}"= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
"{9CD9B82C-8451-401B-BF98-19228043B699}"= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
"{38E950A2-A08B-4EFF-A1FB-72443928035A}"= C:\Program Files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{2D8D63AD-7CF7-4213-B517-629058D7385A}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{678D9CCA-B25F-4147-9063-9B24630A641C}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{8A1C313B-EBBD-4D42-AF03-8E11AFCD84AA}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{DD75C9AB-D346-4354-9DA8-DD16F39C802E}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{FBB49A82-A033-4B62-9CFE-9F10EDCD42FC}"= UDP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
"{D97E7799-F932-4185-ABD9-6ABAF017641B}"= TCP:C:\Program Files\Grisoft\AVG7\avgw.exe:AVG Test Center
"TCP Query User{D18AE5EC-D58D-47A6-AF2A-09B7A7AD8DE7}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{629DE0B8-7C79-4AC7-98BC-128163A63259}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-09-04 23:40]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 06:39]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-24 01:41]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-23 11:41]
R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2007-05-12 00:09]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);C:\Windows\system32\DRIVERS\xcbda.sys [2007-05-29 02:51]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 03:30]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 18:06:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-28 18:07:17
ComboFix-quarantined-files.txt 2008-04-28 22:07:15
ComboFix2.txt 2008-04-27 17:04:33

Pre-Run: 374,715,600,896 bytes free
Post-Run: 374,688,948,224 bytes free

232 --- E O F --- 2008-04-22 20:54:28


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:01 PM, on 4/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\IOI\ButtonMonitor.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\NCSoft\Launcher\NCLauncher.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Grisoft\AVG7\avginet.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TP&M=GM5664
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files\IOI\ButtonMonitor.exe
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PlayNC Launcher] C:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6498 bytes


Thank you for all your help!!!

#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 29 April 2008 - 02:13 PM

Hi

Please look for these folders :-

C:\Users\All Users\qjkvczkz
C:\ProgramData\qjkvczkz

It would appear they are empty, please confirm this & delete the folders ...

AVG Virus still is detecting the Obfuskasted trojan


Could you tell me the location & name of the file AVG is detecting the Obfuskasted trojan ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#7 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:01:07 AM

Posted 20 May 2008 - 04:24 PM

Due to lack of feedback this topic is now closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users