
2nd Thought, Trojandownloader, Etc.,etc.


  • This topic is locked
98 replies to this topic

#1 lostinendicott

  • Members
  • 60 posts

Posted 22 April 2008 - 09:51 PM

Hello,
My daughter's laptop is infected with several different bugs and I don't really know what I'm doing, but I'm going to do it anyway. I have identified Brave Sentry as one of the culprits, and I know there are several more.

I started in the 'Am I Infected? What Do I Do?' forum (link below) and hope that I am finally ready for this forum.

http://www.bleepingcomputer.com/forums/ind...view=getnewpost

I have run Malwarebytes' Anti-Malware, SmitfraudFix and DSS. I am still unable to access the internet with the infected laptop, so I was unable to run HijackThis.

I am also unable to do any administrative tasks, even though my login account states that I have Administrative Privileges.

Below are the main and extra files generated by DSS:

Deckard's System Scanner v20071014.68
Run by Robert Pierce on 2008-04-22 20:45:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
123: 2008-04-20 20:47:41 UTC - RP386 - Software Distribution Service 3.0
122: 2008-04-20 19:42:34 UTC - RP385 - Software Distribution Service 3.0
121: 2008-04-20 18:31:17 UTC - RP384 - Software Distribution Service 3.0
120: 2008-04-20 08:50:09 UTC - RP383 - Software Distribution Service 3.0
119: 2008-04-20 08:38:55 UTC - RP382 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-20 08:27:09 UTC - RP264 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-22 20:49:52
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Ahead\ODD Toolkit\dvdtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ie.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Documents and Settings\Robert Pierce\My Documents\W?nSxS\fast.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robert Pierce\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
F0 - system.ini: Shell=Explorer.exe
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O1 - Hosts: 10.18.250.4 ad.doubleclick.net
O1 - Hosts: 10.18.250.4 ad.fastclick.net
O1 - Hosts: 10.18.250.4 ads.fastclick.net
O1 - Hosts: 10.18.250.4 ar.atwola.com
O1 - Hosts: 10.18.250.4 atdmt.com
O1 - Hosts: 10.18.250.4 avp.ch
O1 - Hosts: 10.18.250.4 avp.com
O1 - Hosts: 10.18.250.4 avp.ru
O1 - Hosts: 10.18.250.4 awaps.net
O1 - Hosts: 10.18.250.4 banner.fastclick.net
O1 - Hosts: 10.18.250.4 banners.fastclick.net
O1 - Hosts: 10.18.250.4 ca.com
O1 - Hosts: 10.18.250.4 click.atdmt.com
O1 - Hosts: 10.18.250.4 clicks.atdmt.com
O1 - Hosts: 10.18.250.4 customer.symantec.com
O1 - Hosts: 10.18.250.4 dispatch.mcafee.com
O1 - Hosts: 10.18.250.4 download.mcafee.com
O1 - Hosts: 10.18.250.4 downloads-us1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads-us3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 downloads4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 engine.awaps.net
O1 - Hosts: 10.18.250.4 f-secure.com
O1 - Hosts: 10.18.250.4 fastclick.net
O1 - Hosts: 10.18.250.4 ftp.avp.ch
O1 - Hosts: 10.18.250.4 ftp.downloads1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.downloads3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 ftp.f-secure.com
O1 - Hosts: 10.18.250.4 ftp.kasperskylab.ru
O1 - Hosts: 10.18.250.4 ftp.sophos.com
O1 - Hosts: 10.18.250.4 ids.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky-labs.com
O1 - Hosts: 10.18.250.4 kaspersky.com
O1 - Hosts: 10.18.250.4 liveupdate.symantec.com
O1 - Hosts: 10.18.250.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 10.18.250.4 mast.mcafee.com
O1 - Hosts: 10.18.250.4 mcafee.com
O1 - Hosts: 10.18.250.4 media.fastclick.net
O1 - Hosts: 10.18.250.4 my-etrust.com
O1 - Hosts: 10.18.250.4 nai.com
O1 - Hosts: 10.18.250.4 networkassociates.com
O1 - Hosts: 10.18.250.4 norton.com
O1 - Hosts: 10.18.250.4 phx.corporate-ir.net
O1 - Hosts: 10.18.250.4 rads.mcafee.com
O1 - Hosts: 10.18.250.4 secure.nai.com
O1 - Hosts: 10.18.250.4 securityresponse.symantec.com
O1 - Hosts: 10.18.250.4 service1.symantec.com
O1 - Hosts: 10.18.250.4 sophos.com
O1 - Hosts: 10.18.250.4 spd.atdmt.com
O1 - Hosts: 10.18.250.4 symantec.com
O1 - Hosts: 10.18.250.4 trendmicro.com
O1 - Hosts: 10.18.250.4 update.symantec.com
O1 - Hosts: 10.18.250.4 updates.symantec.com
O1 - Hosts: 10.18.250.4 updates1.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates2.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates3.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates4.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 updates5.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 us.mcafee.com
O1 - Hosts: 10.18.250.4 vil.nai.com
O1 - Hosts: 10.18.250.4 viruslist.com
O1 - Hosts: 10.18.250.4 viruslist.ru
O1 - Hosts: 10.18.250.4 virusscan.jotti.org
O1 - Hosts: 10.18.250.4 virustotal.com
O1 - Hosts: 10.18.250.4 www.avp.ch
O1 - Hosts: 10.18.250.4 www.avp.com
O1 - Hosts: 10.18.250.4 www.avp.ru
O1 - Hosts: 10.18.250.4 www.awaps.net
O1 - Hosts: 10.18.250.4 www.ca.com
O1 - Hosts: 10.18.250.4 www.f-secure.com
O1 - Hosts: 10.18.250.4 www.fastclick.net
O1 - Hosts: 10.18.250.4 www.grisoft.com
O1 - Hosts: 10.18.250.4 www.kaspersky-labs.com
O1 - Hosts: 10.18.250.4 www.kaspersky.com
O1 - Hosts: 10.18.250.4 www.kaspersky.ru
O1 - Hosts: 10.18.250.4 www.mcafee.com
O1 - Hosts: 10.18.250.4 www.my-etrust.com
O1 - Hosts: 10.18.250.4 www.nai.com
O1 - Hosts: 10.18.250.4 www.networkassociates.com
O1 - Hosts: 10.18.250.4 www.sophos.com
O1 - Hosts: 10.18.250.4 www.symantec.com
O1 - Hosts: 10.18.250.4 www.trendmicro.com
O1 - Hosts: 10.18.250.4 www.viruslist.com
O1 - Hosts: 10.18.250.4 www.viruslist.ru
O1 - Hosts: 10.18.250.4 www.virustotal.com
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4956706A-5C40-49BB-A173-8044AE858D21} - C:\WINDOWS\system32\pmnnOiih.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\nnnnOeEv.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: {0dfb42d4-66fb-d649-fb04-6a284574ceae} - {eaec4754-82a6-40bf-946d-bf664d24bfd0} - C:\WINDOWS\system32\hjwtaxhm.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [hcfozajo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hcfozajo.dll"
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Robert Pierce\Local Settings\Temporary Internet Files\Content.IE5\GLINCH2N\install_sbd_en[1].exe
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [BMN] "C:\Program Files\Common Files\AntiSpywareSuite\bm.exe" dm=http://antispywaresuite.com ad=http://antispywaresuite.com sd=http://ykeeper.antispywaresuite.com
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [peeidasm] rundll32.exe "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\jiagjir.dll" WLEntryPoint
O4 - HKLM\..\Run: [2cb7486d] rundll32.exe "C:\WINDOWS\system32\cbcttcmq.dll",b
O4 - HKLM\..\Run: [BM2f847bf1] Rundll32.exe "C:\WINDOWS\system32\yomidjdu.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Exetender] "C:\Program Files\Verizon Games on Demand Player\GPlayer.exe" /runonstartup
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\ROBERT~1\MYDOCU~1\WNSXS~1\fast.exe" -vt yazb
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [litlwpde] C:\WINDOWS\system32\utsralgb.exe
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKCU\..\Run: [Jzpno] C:\WINDOWS\system32\a?sembly\u?erinit.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Robert Pierce\cftmon.exe
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\170F.tmp.exe
O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKLM\..\Policies\Explorer\Run: [dmqlkotp] rundll32.exe "C:\WINDOWS\system32\bhlerpatnqq.nls" WLEntryPoint
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Verizon Games on Demand Player\GPlayer.exe /runonstartup" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Exetender] "C:\Program Files\Verizon Games on Demand Player\GPlayer.exe /runonstartup" (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...8135.6128356481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{10AD0C26-CEC9-4971-BFE6-0D8DF3CD2944}: NameServer = 85.255.116.172,85.255.112.142
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{5E7F5887-E798-4B58-8E89-2FB12DF40953}: NameServer = 85.255.116.172,85.255.112.142
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: nnnnOeEv - C:\WINDOWS\system32\nnnnOeEv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 16274 bytes

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - rundll32.exe "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\bdghqgq.dll" WLEntry %1 %*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ryjrobpv - c:\windows\system32\drivers\dnxkaovd.dat
R0 Spsmqvsm (auMusicPort SPS Service) - c:\windows\system32\drivers\spsmqvsm.sys <Not Verified; Toshiba Corporation; spsmqvsm>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys

S3 LHidUsbK (Logitech SetPoint USB Receiver device driver) - c:\windows\system32\drivers\lhidusbk.sys <Not Verified; Logitech, Inc.; Logitech SetPoint™>
S3 LMouKE (Logitech SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)
S3 naecd - c:\docume~1\robert~1\locals~1\temp\naecd.sys (file missing)
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\winself.exe service
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SiS 900-Based PCI Fast Ethernet Adapter
Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_00411462&REV_91\3&267A616A&0&20
Manufacturer: SiS
Name: SiS 900-Based PCI Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_00411462&REV_91\3&267A616A&0&20
Service: SISNIC


-- Scheduled Tasks -------------------------------------------------------------

2008-04-18 17:13:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-22 and 2008-04-22 -----------------------------

2008-04-22 16:42:14 96832 --a------ C:\WINDOWS\system32\hjwtaxhm.dll
2008-04-22 16:39:14 87616 --a------ C:\WINDOWS\system32\cbcttcmq.dll
2008-04-22 16:37:04 97856 --a------ C:\WINDOWS\system32\yomidjdu.dll
2008-04-22 01:02:11 4880 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-22 00:56:39 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-22 00:56:39 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-22 00:56:39 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-22 00:56:39 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-22 00:56:39 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-22 00:56:39 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-22 00:56:39 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-22 00:37:27 25088 --a------ C:\WINDOWS\voiceip.dll
2008-04-22 00:37:27 26624 --a------ C:\WINDOWS\swin32.dll
2008-04-22 00:37:27 25856 --a------ C:\WINDOWS\stcloader.exe
2008-04-22 00:37:26 20480 --a------ C:\WINDOWS\mssvr.exe
2008-04-22 00:37:26 27392 --a------ C:\WINDOWS\mspphe.dll
2008-04-22 00:37:26 15104 --a------ C:\WINDOWS\cdsm32.dll
2008-04-22 00:37:26 25088 --a------ C:\WINDOWS\bokja.exe
2008-04-22 00:37:26 22272 --a------ C:\WINDOWS\bjam.dll
2008-04-22 00:37:25 32000 --a------ C:\WINDOWS\2020search2.dll
2008-04-22 00:37:25 25600 --a------ C:\WINDOWS\2020search.dll
2008-04-22 00:37:22 25600 --a------ C:\WINDOWS\saiemod.dll
2008-04-22 00:37:21 27136 --a------ C:\WINDOWS\msapasrc.dll
2008-04-22 00:37:20 22016 --a------ C:\WINDOWS\msa64chk.dll
2008-04-22 00:37:19 14336 --a------ C:\WINDOWS\shdocpl.dll
2008-04-22 00:37:19 11008 --a------ C:\WINDOWS\ntnut.exe
2008-04-22 00:37:18 12800 --a------ C:\WINDOWS\winsb.dll
2008-04-22 00:37:18 13056 --a------ C:\WINDOWS\shdocpe.dll
2008-04-22 00:37:18 23808 --a------ C:\WINDOWS\browserad.dll
2008-04-22 00:37:18 27648 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-22 00:37:18 30720 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-22 00:37:17 21760 --a------ C:\WINDOWS\avifile32.dll
2008-04-22 00:37:17 26368 --a------ C:\WINDOWS\autodisc32.dll
2008-04-22 00:37:17 29696 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-22 00:37:16 14336 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-22 00:37:16 15104 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-22 00:37:16 9472 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-22 00:37:16 8704 --a------ C:\WINDOWS\athprxy32.dll
2008-04-22 00:37:16 21760 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-22 00:37:16 16896 --a------ C:\WINDOWS\asferror32.dll
2008-04-22 00:37:16 12288 --a------ C:\WINDOWS\apphelp32.dll
2008-04-22 00:35:18 408765 --ahs---- C:\WINDOWS\system32\hiiOnnmp.ini2
2008-04-21 20:46:29 0 d-------- C:\Documents and Settings\Robert Pierce\Application Data\Malwarebytes
2008-04-21 20:14:59 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Malwarebytes
2008-04-21 20:14:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 20:14:24 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-20 20:57:11 94272 --a------ C:\WINDOWS\system32\smexrfvd.dll
2008-04-20 20:48:24 0 d-------- C:\WINDOWS\system32\s?curity
2008-04-20 20:47:10 274432 -----n--- C:\WINDOWS\system32\pmnnOiih.dll
2008-04-20 19:30:18 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Mozilla
2008-04-20 19:13:19 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\WINDOWS
2008-04-20 19:13:19 0 d---s---- C:\Documents and Settings\Administrator.AVLAPTOP\UserData
2008-04-20 19:13:19 0 d--h----- C:\Documents and Settings\Administrator.AVLAPTOP\Templates
2008-04-20 19:13:19 0 dr------- C:\Documents and Settings\Administrator.AVLAPTOP\Start Menu
2008-04-20 19:13:19 0 dr-h----- C:\Documents and Settings\Administrator.AVLAPTOP\SendTo
2008-04-20 19:13:19 0 dr-h----- C:\Documents and Settings\Administrator.AVLAPTOP\Recent
2008-04-20 19:13:19 0 d--h----- C:\Documents and Settings\Administrator.AVLAPTOP\PrintHood
2008-04-20 19:13:19 0 d--h----- C:\Documents and Settings\Administrator.AVLAPTOP\NetHood
2008-04-20 19:13:19 0 dr------- C:\Documents and Settings\Administrator.AVLAPTOP\My Documents
2008-04-20 19:13:19 0 d--h----- C:\Documents and Settings\Administrator.AVLAPTOP\Local Settings
2008-04-20 19:13:19 0 dr------- C:\Documents and Settings\Administrator.AVLAPTOP\Favorites
2008-04-20 19:13:19 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Desktop
2008-04-20 19:13:19 0 d---s---- C:\Documents and Settings\Administrator.AVLAPTOP\Cookies
2008-04-20 19:13:19 0 dr-h----- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data
2008-04-20 19:13:19 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Symantec
2008-04-20 19:13:19 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Roxio
2008-04-20 19:13:19 0 d---s---- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Microsoft
2008-04-20 19:13:19 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Identities
2008-04-20 19:13:19 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\CyberLink
2008-04-20 19:13:19 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\AdobeUM
2008-04-20 19:13:19 0 d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Adobe
2008-04-20 19:13:18 1310720 --ah----- C:\Documents and Settings\Administrator.AVLAPTOP\NTUSER.DAT
2008-04-20 17:01:05 577 --ahs---- C:\WINDOWS\system32\Stwwayxx.ini2
2008-04-20 16:18:10 1 --a------ C:\Documents and Settings\Robert Pierce\tmp.dat
2008-04-20 16:16:09 94272 --a------ C:\WINDOWS\system32\nadyjpbg.dll
2008-04-20 16:13:47 96320 --a------ C:\WINDOWS\system32\smoyjkbj.dll
2008-04-20 15:52:49 19584 --a------ C:\WINDOWS\system32\drivers\dnxkaovd.dat
2008-04-20 15:49:25 0 d-------- C:\d19a3a30cc5be469c9d3
2008-04-20 15:42:05 2 --a------ C:\750209218
2008-04-20 15:04:38 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-04-20 13:54:27 0 d-------- C:\Documents and Settings\Robert Pierce\Application Data\InstallShield
2008-04-20 13:51:20 0 d-------- C:\Documents and Settings\Robert Pierce\Application Data\Verizon
2008-04-20 13:50:53 0 d-------- C:\Program Files\Verizon
2008-04-20 13:50:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Verizon
2008-04-19 20:18:40 0 d-------- C:\WINDOWS\system32\a?sembly
2008-04-19 20:18:30 0 d-------- C:\Documents and Settings\All Users\Application Data\whydqrcv
2008-04-19 20:18:18 0 d-------- C:\WINDOWS\mgwwgmke
2008-04-19 20:18:16 65024 --a------ C:\Documents and Settings\All Users\Application Data\hcfozajo.dll
2008-04-19 20:18:15 192512 --a------ C:\WINDOWS\snkhopkx.dll
2008-04-19 20:18:09 65024 --a------ C:\WINDOWS\ojofchur.dll
2008-04-19 20:18:06 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-04-19 20:17:55 89515 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-19 20:17:55 89515 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-04-19 20:17:24 28672 --a------ C:\WINDOWS\winself.exe
2008-04-19 20:17:01 36352 -----n--- C:\WINDOWS\system32\nnnnOeEv.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-20 15:31:54 0 d-------- C:\Program Files\Common Files
2008-04-20 15:08:06 0 d-------- C:\Program Files\BHODemon
2008-04-20 15:07:23 0 d-------- C:\Documents and Settings\Robert Pierce\Application Data\Lavasoft
2008-04-20 14:02:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-20 03:56:57 0 d-------- C:\Program Files\Java
2008-04-08 18:09:42 0 d-------- C:\Documents and Settings\Robert Pierce\Application Data\MSN6
2008-04-04 19:34:15 0 d-------- C:\Documents and Settings\Robert Pierce\Application Data\Adobe
2008-04-01 12:25:47 0 d-------- C:\Program Files\Verizon Games on Demand Player
2008-04-01 12:25:46 67 --a------ C:\WINDOWS\GPlrLanc.dat
2008-03-13 15:38:52 0 d-------- C:\Documents and Settings\Robert Pierce\Application Data\PlayFirst
2008-03-03 08:48:24 0 d-------- C:\Program Files\PCFriendly
2008-03-03 08:48:23 0 d-------- C:\Program Files\InterActual
2008-03-03 08:34:48 21504 --a------ C:\WINDOWS\system32\atmliba.dll <Not Verified; ; URL Changer Module>
2008-02-20 22:51:45 21504 --a------ C:\WINDOWS\system32\avwavb.dll <Not Verified; ; URL Changer Module>
2008-02-01 10:26:36 4037 --a----c- C:\WINDOWS\mozver.dat
2008-01-27 18:57:04 21504 --a------ C:\WINDOWS\system32\adsmsextb.dll <Not Verified; ; URL Changer Module>
2008-01-26 18:27:53 21504 --a------ C:\WINDOWS\system32\batmeters.dll <Not Verified; ; URL Changer Module>
2008-01-22 21:38:55 21504 --a------ C:\WINDOWS\system32\avifileb.dll <Not Verified; ; URL Changer Module>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4956706A-5C40-49BB-A173-8044AE858D21}]
04/21/2008 09:19 PM 274432 --------- C:\WINDOWS\system32\pmnnOiih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8EEB996-62AA-4E48-995D-EADDCAC47476}]
04/21/2008 09:19 PM 36352 --------- C:\WINDOWS\system32\nnnnOeEv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eaec4754-82a6-40bf-946d-bf664d24bfd0}]
04/22/2008 04:42 PM 96832 --a------ C:\WINDOWS\system32\hjwtaxhm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [04/16/2004 05:53 PM]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [05/21/2004 03:48 PM]
"SoundMan"="SOUNDMAN.EXE" [05/21/2004 03:51 PM C:\WINDOWS\SOUNDMAN.EXE]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [05/01/2003 08:44 PM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [02/24/2004 11:55 AM]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [07/15/2003 02:38 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [05/14/2004 03:53 PM]
"AGRSMMSG"="AGRSMMSG.exe" [05/21/2004 03:48 PM C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [12/05/2003 04:22 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 04:58 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/29/2006 07:36 PM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe" [07/19/2005 10:05 AM]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [07/19/2005 10:05 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [09/03/2004 03:58 AM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"hcfozajo"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\hcfozajo.dll" []
"SBI"="C:\Documents and Settings\Robert Pierce\Local Settings\Temporary Internet Files\Content.IE5\GLINCH2N\install_sbd_en[1].exe" []
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" []
"BMN"="C:\Program Files\Common Files\AntiSpywareSuite\bm.exe" []
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [02/13/2008 01:03 PM]
"peeidasm"="C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\jiagjir.dll" [06/13/2007 05:23 AM]
"2cb7486d"="C:\WINDOWS\system32\cbcttcmq.dll" [04/22/2008 04:39 PM]
"BM2f847bf1"="C:\WINDOWS\system32\yomidjdu.dll" [04/22/2008 04:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [10/13/2004 11:24 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/19/2005 06:34 PM]
"Exetender"="C:\Program Files\Verizon Games on Demand Player\GPlayer.exe" [01/21/2008 09:09 PM]
"Aida"="C:\DOCUME~1\ROBERT~1\MYDOCU~1\WNSXS~1\fast.exe" [04/19/2008 08:17 PM]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" []
"Microsoft Windows Installer"="C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ie.exe" []
"litlwpde"="C:\WINDOWS\system32\utsralgb.exe" []
"QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" []
"Jzpno"="C:\WINDOWS\system32\a?sembly\u?erinit.exe" [04/11/2008 12:52 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" []
"autoload"="C:\Documents and Settings\Robert Pierce\cftmon.exe" []
"jdgf894jrghoiiskd"="C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\winlogan.exe" []
"Jnskdfmf9eldfd"="C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\csrssc.exe" []
"Windows update loader"="C:\Windows\xpupdate.exe" []
"WintelUpdate"="C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\170F.tmp.exe" []
"kavir"="C:\WINDOWS\kavir.exe" []
"Service Pack 1"="C:\WINDOWS\system32\vedxg6ame4.exe" []
"Brave-Sentry"="C:\Program Files\BraveSentry\BraveSentry.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [9/16/2005 8:15:01 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [5/29/2004 4:06:05 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)
"Wallpaper"=C:\WINDOWS\desktop.html

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"dmqlkotp"=rundll32.exe "C:\WINDOWS\system32\bhlerpatnqq.nls" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)
"NoControlPanel"=1 (0x1)
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A8EEB996-62AA-4E48-995D-EADDCAC47476}"= C:\WINDOWS\system32\nnnnOeEv.dll [04/21/2008 09:19 PM 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe "
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnOeEv]
nnnnOeEv.dll 04/21/2008 09:19 PM 36352 C:\WINDOWS\system32\nnnnOeEv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=iSecurity.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f61cc9f3-5eb0-11db-913d-000c76f78021}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e




-- Hosts -----------------------------------------------------------------------

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net

79 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-22 20:52:22 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: mobile AMD Athlon™ XP-M 2400+
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 479.36 MiB / 131.87 MiB
Pagefile Memory (total/avail): 1123.65 MiB / 849.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1919.76 MiB

C: is Fixed (NTFS) - 55.89 GiB total, 40.41 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - IC25N060ATMR04-0 - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.89 GiB - C:

\\.\PHYSICALDRIVE1 - Memorex TD Classic 003C USB Device - 486.34 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 489.98 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Robert Pierce\\Application Data\\printer.exe"="C:\\Documents and Settings\\Robert Pierce\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Robert Pierce\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Robert Pierce\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Robert Pierce\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Robert Pierce\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Robert Pierce\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Robert Pierce\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator.AVLAPTOP\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator.AVLAPTOP\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator.AVLAPTOP\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator.AVLAPTOP\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator.AVLAPTOP\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator.AVLAPTOP\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"="C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE:*:Enabled:SC3UpdaterMFC"
"E:\\W40k.exe"="E:\\W40k.exe:*:Enabled:W40K"
"E:\\Dawn Of War\\W40k.exe"="E:\\Dawn Of War\\W40k.exe:*:Enabled:W40K"
"C:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"="C:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe:*:Enabled:artpschd"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Documents and Settings\\Robert Pierce\\Application Data\\printer.exe"="C:\\Documents and Settings\\Robert Pierce\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Robert Pierce\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Robert Pierce\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Robert Pierce\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Robert Pierce\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Robert Pierce\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Robert Pierce\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Robert Pierce\\tmp.exe"="C:\\Documents and Settings\\Robert Pierce\\tmp.exe:*:Enabled:msdefender.exe"
"C:\\WINDOWS\\system32\\msdefender.exe"="C:\\WINDOWS\\system32\\msdefender.exe:*:Enabled:msdefender.exe"
"C:\\Documents and Settings\\Administrator.AVLAPTOP\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator.AVLAPTOP\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator.AVLAPTOP\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Administrator.AVLAPTOP\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator.AVLAPTOP\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\Administrator.AVLAPTOP\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\kavir.exe"="C:\\WINDOWS\\kavir.exe:*:Enabled:enable"
"C:\\WINDOWS\\taskmon.exe"="C:\\WINDOWS\\taskmon.exe:*:Enabled:enable"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Robert Pierce\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AVLAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Robert Pierce
LOGONSERVER=\\AVLAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp
USERDOMAIN=AVLAPTOP
USERNAME=Robert Pierce
USERPROFILE=C:\Documents and Settings\Robert Pierce
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Robert Pierce (admin)
Administrator.AVLAPTOP (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\SETUP.EXE" -l0x9 -uninst
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Illustrator CS --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}\setup.exe"
Adobe InDesign CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{416DFEDD-9F1B-4EFC-AF70-FCA891AE0251}\zidxp.exe" -l0x9
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Agere Systems AC'97 Modem v2136D --> agrsmdel
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL Toolbar 2.0 --> "C:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy CD & DVD Creator 6 --> MsiExec.exe /I{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}
Family Feud II --> C:\Remote Programs\Family Feud II\GPlrLanc.exe -LOpCode 2 /RemoveContent cid=516450;name=Family Feud II;dir=C:\Remote Programs\Family Feud II\;prvid=135;cmdid=1;prvdir=Verizon
Flip Words 2 --> C:\Remote Programs\Flip Words 2\GPlrLanc.exe -LOpCode 2 /RemoveContent cid=485050;name=Flip Words 2;dir=C:\Remote Programs\Flip Words 2\;prvid=135;cmdid=1;prvdir=Verizon
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{18E0918E-1060-48f3-925C-56C82E88551B}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP PSC & OfficeJet 4.2 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iPod Media Studio 2.1 --> C:\PROGRA~1\Makayama.com\IPODME~2\Setup.exe /remove
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Lost Treasures of El Dorado --> C:\Remote Programs\Lost Treasures of El Dorado\GPlrLanc.exe -LOpCode 2 /RemoveContent cid=555050;name=Lost Treasures of El Dorado;dir=C:\Remote Programs\Lost Treasures of El Dorado\;prvid=135;cmdid=1;prvdir=Verizon
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Network Guide --> MsiExec.exe /I{2F30A886-DC9F-4C4D-8CE5-124388C82943}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (1.5.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5.0.12 (en-US)"
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
Mythic Marbles --> C:\Remote Programs\Mythic Marbles\GPlrLanc.exe -LOpCode 2 /RemoveContent cid=539050;name=Mythic Marbles;dir=C:\Remote Programs\Mythic Marbles\;prvid=135;cmdid=1;prvdir=Verizon
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
RPS Ad Blocker --> MsiExec.exe /I{9AC29B2A-1E86-4CE8-BD05-E3429F244659}
RPS AntiFraud --> MsiExec.exe /I{6F857F57-0868-4333-801F-C6FD1C45D198}
RPS App Detector --> MsiExec.exe /I{CD45C967-BF03-406A-820E-8463B84D0FCD}
RPS Backup --> MsiExec.exe /I{64010327-8AE7-4D4B-A875-8A874862CD4C}
RPS Burn --> MsiExec.exe /I{92F669C7-4D0E-42A8-B7A0-768FFA19972B}
RPS Diagnostic Utility --> MsiExec.exe /I{0EAAC619-A730-4CBB-95D2-70C3ECAD1561}
RPS Firewall --> MsiExec.exe /I{386593CE-E6AF-48DE-B88A-083CB4781652}
RPS ParentalControl --> MsiExec.exe /I{0E0FF2EF-7866-45BE-99F0-475E0DE7733E}
RPS PopupBlocker --> MsiExec.exe /I{DF204DA0-8C19-4EB2-AE78-683D2DE35B7B}
RPS Privacy Manager --> MsiExec.exe /I{3E11A4AA-09DC-414E-BE4C-1F615A235B9B}
RPS Security Cleanup --> MsiExec.exe /I{44629EAF-A233-4AAE-BBCC-26157DC9A40B}
RPS Zip --> MsiExec.exe /I{A1C82B18-A7B2-48EC-853D-5807C635531E}
SimCity 3000 Unlimited --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Maxis\SimCity 3000 Unlimited\DeIsL1.isu" -c"C:\Program Files\Maxis\SimCity 3000 Unlimited\_UnInstall.dll"
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\Progra~1\SiSLan\Uninst.exe
SiS VGA Utilities --> Rundll32 SiSInst.dll,Uninstall VGA,R
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
The Sims Complete Collection --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F2527115-B8BF-4FDB-B5DA-5AADFB7C13E1}\setup.exe" -l0x9 -l0009
Tune Tools for iPod --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31B5C6E6-15A4-4614-8169-DA9576575715}\setup.exe" -l0x9 -removeonly
Verizon Games on Demand Player --> "C:\Program Files\Verizon Games on Demand Player\Uninstall.exe"
Verizon Internet Security Suite --> C:\Program Files\InstallShield Installation Information\{13F8BD99-B753-4007-A060-7EAE3891756F}\setup.exe -runfromtemp -l0x0009 -removeonly
Verizon Servicepoint 1.5.20 --> "C:\Program Files\Verizon\VSP\unins000.exe"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! extras --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type5753 / Error
Event Submitted/Written: 04/22/2008 08:50:18 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type5752 / Error
Event Submitted/Written: 04/22/2008 08:50:17 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Event Record #/Type5751 / Error
Event Submitted/Written: 04/22/2008 08:46:33 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Event Record #/Type5743 / Error
Event Submitted/Written: 04/22/2008 04:37:23 PM
Event ID/Source: 11402 / MsiInstaller
Event Description:
Product: MSXML 4.0 SP2 (KB936181) -- Error 1402. Could not open key: HKEY_LOCAL_MACHINE\Software\Classes\Msxml2.DOMDocument.4.0\CLSID. System error 5. Verify that you have sufficient access to that key, or contact your support personnel.

Event Record #/Type5737 / Error
Event Submitted/Written: 04/22/2008 01:57:38 AM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 681953646.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type70979 / Error
Event Submitted/Written: 04/22/2008 08:45:54 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer TERRISLAPTOP
that believes that it is the master browser for the domain on transport NwlnkNb.
The master browser is stopping or an election is being forced.

Event Record #/Type70970 / Warning
Event Submitted/Written: 04/22/2008 08:40:18 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011090C2637. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type70954 / Error
Event Submitted/Written: 04/22/2008 08:38:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type70953 / Error
Event Submitted/Written: 04/22/2008 04:59:48 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AmdK7
Fips
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
StarOpen
Tcpip
Tcpip6

Event Record #/Type70952 / Error
Event Submitted/Written: 04/22/2008 04:59:48 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-04-22 20:52:22 ------------


Thank you in advance for any help that you are able to give.



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:09 PM

Posted 28 April 2008 - 02:35 PM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution is like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Step one..

Make sure that DSS.exe is located on your Desktop.
Click on your START button, then choose Run. A little box will appear.
Now copy and paste all the following in bold (including the "" marks) into the run box and click OK.

"%userprofile%\desktop\dss.exe" /daft


This will start DSS in a different way. A small window will appear.
Click on the Scan button.
If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
Click the Fix button.
Re-scan and make sure it says that all associations are OK.

Then, * Download: HostsXpert
Unzip hoster to its own folder, e.g. C:\HostsXpert
Start HostsExpert.exe, click 'Restore MS Hosts file' and click OK.

Then, * Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in notepad, because I need it later.

Then, * Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log and the log from Avira. You may need more than one reply to post the logs.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by miekiemoes, 28 April 2008 - 02:36 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
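The hosts entries in the DSS log above (ad and antivirus domains such as avp.com mapped to 10.18.250.4 rather than to loopback) are what the HostsXpert "Restore MS Hosts file" step undoes. As an added example, not code from this thread, from DSS or from HostsXpert, the Python below parses hosts-file text and flags that pattern; the security-vendor domain list and the sample file are constructed assumptions.

```python
"""Audit a Windows hosts file for entries like those in the DSS '-- Hosts --'
section: hostnames mapped to an address other than loopback, and hostnames
of security vendors or update services blocked or redirected.

Added example; not code from the thread, from DSS or from HostsXpert.
"""
import ipaddress

# Constructed sample modelled on the hosts entries shown in the DSS log.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.18.250.4 ad.doubleclick.net
10.18.250.4 avp.ch
10.18.250.4 avp.com   # trailing comment, must be ignored
0.0.0.0 ads.example.test
127.0.0.1 www.example.test
"""

# Addresses commonly used to sinkhole a name: traffic for it goes nowhere.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed list: domains of security vendors and update services. A hosts
# entry for any of these, however it is mapped, interferes with AV downloads
# or updates, which is why the log's avp.* entries matter.
SECURITY_VENDOR_DOMAINS = (
    "avp.com", "avp.ch", "avp.ru", "kaspersky.com",
    "windowsupdate.com", "update.microsoft.com",
)


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text.

    Handles comments ('#' to end of line), blank lines and several hostnames
    on one line, and skips lines whose first field is not an IP address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line; not a mapping
        for host in fields[1:]:
            entries.append((address, host.lower()))
    return entries


def is_security_vendor(host):
    """True when host is, or is a subdomain of, an assumed vendor domain."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def audit_hosts(text):
    """Return flagged entries as dicts with keys 'host', 'address', 'reasons'.

    Two independent signals are reported per entry:
      * the name maps to a non-loopback address (a real redirect: the client's
        traffic for that name is sent to that host, as with 10.18.250.4), and
      * the name belongs to a security vendor or update service.
    Entries sinkholed to loopback for ordinary ad domains are not flagged.
    """
    findings = []
    for address, host in parse_hosts(text):
        reasons = []
        if address not in SINK_ADDRESSES:
            reasons.append(f"maps to non-loopback address {address}")
        if is_security_vendor(host):
            reasons.append("security-vendor domain")
        if reasons:
            findings.append({"host": host, "address": address, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['host']:<24} {f['address']:<14} {'; '.join(f['reasons'])}")
```

To run it against a real machine, read C:\WINDOWS\system32\drivers\etc\hosts and pass its contents to audit_hosts; anything flagged with a non-loopback address deserves a look before the file is restored.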

#3 lostinendicott

lostinendicott
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 29 April 2008 - 05:40 PM

Hi miekiemoes,

Thank you for the reply and the help. I am having difficulties getting past the 1st step. I started dss as you instructed. On the 1st run I had 3 separate faulty file associations. I placed check marks in the boxes to the left, clicked fix and then scan. I now have only 1 faulty association:

.exe exefile shell\open\command rundll32.exe "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\bdghqgq.dll" WLEntry %1 %*

I have attempted to 'fix' this 4 times now and still get the same result when I 'scan'.

On the 5th attempt I received a pop-up that says "All associations okay!" But when I ran 'Scan' again I get the same faulty file association.

Any suggestions?

#5 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 April 2008 - 05:47 PM

Hi,

Just proceed with the next steps... we'll deal with it afterwards.

#6 lostinendicott
  • Topic Starter
  • Members
  • 60 posts

Posted 29 April 2008 - 09:48 PM

Hi,

Ran HostsXpert and followed your instructions. Still unable to connect to the internet on the infected laptop so I am downloading to my Traveldrive and then moving the programs to the infected machine.

In trying to install free-av I get a pop-up stating "Cannot load master resource file".

#7 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 April 2008 - 12:42 AM

Hi,

As I already explained before, it would be a miracle if we can restore this computer, since it's really crippled with nasty malware. Several important system drivers failed to load here (which also explains why you don't have internet access). I'm actually amazed that this computer still wants to boot.
What I suggest, before you proceed with the following instructions, is to back up all important data, files etc. you don't want to lose, because your system is really damaged here, so we can never be sure how it will act when we try to remove the malware.
To be honest, if that were my computer, I wouldn't even bother to clean it, but would format and reinstall instead. This is because even if I were able to clean all the malware, your system would stay unstable, damage cannot always be repaired, and you would never be able to trust this system again unless you format and reinstall.
You really should think about that and make a decision here. If you still want to proceed with manual removal (keep in mind that we may not be able to fix all the damage), then perform the following:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#8 lostinendicott
  • Topic Starter
  • Members
  • 60 posts

Posted 30 April 2008 - 02:10 AM

Hi,

I have finished with the combofix and, believe it or not, the laptop appears to be in much better shape. I now have internet access; although no images are loading on the MSN or Yahoo homepages, at least there are no signs of pop-ups from the Antispyware applications that were overwhelming everything.

Below is the log from the combofix, I will attempt to run HijackThis to get a log to post.

ComboFix 08-04-29.3 - Robert Pierce 2008-04-30 1:29:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -5:00]
Running from: C:\Documents and Settings\Robert Pierce\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robert Pierce\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Robert Pierce\Application Data\macromedia\Flash Player\#SharedObjects\HA7VJPZ3\www.broadcaster.com
C:\Documents and Settings\Robert Pierce\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Robert Pierce\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Robert Pierce\My Documents\WNSXS~1
C:\Documents and Settings\Robert Pierce\My Documents\WNSXS~1\fast.exe
C:\Documents and Settings\Robert Pierce\My Documents\WNSXS~1\W?nSxS\
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\scurit~1
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\aletxsvb.ini
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\asembl~1\u?erinit.exe
C:\WINDOWS\system32\atmfda.dll
C:\WINDOWS\system32\bhuxfpow.ini
C:\WINDOWS\system32\ciyvjtno.dll
C:\WINDOWS\system32\drivers\dnxkaovd.dat
C:\WINDOWS\system32\dsihheae.dll
C:\WINDOWS\system32\mkyenavf.dll
C:\WINDOWS\system32\nadyjpbg.dll
C:\WINDOWS\system32\qmcttcbc.ini
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\smexrfvd.dll
C:\WINDOWS\system32\smoyjkbj.dll
C:\WINDOWS\system32\Stwwayxx.ini
C:\WINDOWS\system32\Stwwayxx.ini2
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\xdidjsod.ini
C:\WINDOWS\system32\yomidjdu.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\winself.exe

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_ASC3550P
-------\Legacy_icf
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_MSUPDATE
-------\Legacy_NWSAPAGENT
-------\Legacy_ryjrobpv
-------\Service_6to4
-------\Service_MsSecurity1.209.4
-------\Service_NwSapAgent
-------\Service_ryjrobpv


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 01:29 . 2007-06-13 05:23 113,664 --a------ C:\WINDOWS\system32\qasifc.dll
2008-04-30 00:04 . 2007-06-13 05:23 113,664 --a------ C:\WINDOWS\system32\qgeilpmf.drv
2008-04-29 20:14 . 2008-04-29 20:14 <DIR> d-------- C:\HostsXpert
2008-04-22 20:45 . 2008-04-22 20:45 <DIR> d-------- C:\Deckard
2008-04-22 01:02 . 2008-04-22 01:02 4,880 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-22 00:56 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-22 00:56 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-22 00:56 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-22 00:56 . 2008-04-20 00:38 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-22 00:56 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-22 00:56 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-22 00:56 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-21 20:46 . 2008-04-21 20:46 <DIR> d-------- C:\Documents and Settings\Robert Pierce\Application Data\Malwarebytes
2008-04-21 20:14 . 2008-04-21 20:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 20:14 . 2008-04-21 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 20:14 . 2008-04-21 20:14 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Malwarebytes
2008-04-20 19:13 . 2004-05-29 04:06 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\WINDOWS
2008-04-20 19:13 . 2004-05-29 08:44 <DIR> d---s---- C:\Documents and Settings\Administrator.AVLAPTOP\UserData
2008-04-20 19:13 . 2004-06-15 01:20 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Symantec
2008-04-20 19:13 . 2004-06-10 05:32 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Roxio
2008-04-20 19:13 . 2004-06-11 02:05 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\CyberLink
2008-04-20 19:13 . 2004-06-02 04:55 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\AdobeUM
2008-04-20 19:13 . 2008-04-20 19:13 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP
2008-04-20 19:13 . 2008-04-30 01:28 1,024 --ah----- C:\Documents and Settings\Administrator.AVLAPTOP\ntuser.dat.LOG
2008-04-20 16:18 . 2008-04-20 16:18 1 --a------ C:\Documents and Settings\Robert Pierce\tmp.dat
2008-04-20 16:13 . 2008-04-29 21:59 109,747 --a------ C:\WINDOWS\BM2f847bf1.xml
2008-04-20 16:09 . 2008-04-20 16:09 29 --a------ C:\WINDOWS\system32\setowoge.tmp
2008-04-20 15:49 . 2008-04-20 15:49 <DIR> d-------- C:\d19a3a30cc5be469c9d3
2008-04-20 15:42 . 2008-04-20 15:47 2 --a------ C:\750209218
2008-04-20 15:04 . 2008-04-20 15:04 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-04-20 15:03 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-04-20 14:22 . 2008-01-09 10:35 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-04-20 14:20 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2008-04-20 13:54 . 2008-04-20 13:54 <DIR> d-------- C:\Documents and Settings\Robert Pierce\Application Data\InstallShield
2008-04-20 13:51 . 2008-04-20 13:51 <DIR> d-------- C:\Documents and Settings\Robert Pierce\Application Data\Verizon
2008-04-20 13:50 . 2008-04-29 11:06 <DIR> d-------- C:\Program Files\Verizon
2008-04-20 13:50 . 2008-04-20 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Verizon
2008-04-20 03:57 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-20 03:38 . 2008-04-29 23:15 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-19 20:23 . 2008-04-20 15:49 345 --ahs---- C:\WINDOWS\system32\xGjilUvw.ini
2008-04-19 20:18 . 2008-04-19 20:18 <DIR> d-------- C:\WINDOWS\mgwwgmke
2008-04-19 20:18 . 2008-04-21 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\whydqrcv
2008-04-19 20:18 . 2008-04-19 20:18 192,512 --a------ C:\WINDOWS\snkhopkx.dll
2008-04-19 20:18 . 2008-04-19 20:18 65,024 --a------ C:\WINDOWS\ojofchur.dll
2008-04-19 20:18 . 2008-04-19 20:18 65,024 --a------ C:\Documents and Settings\All Users\Application Data\hcfozajo.dll
2008-04-19 20:17 . 2008-04-19 20:17 398 --a------ C:\WINDOWS\system32\LE67C.tmp
2008-04-19 20:17 . 2008-04-19 20:17 398 --a------ C:\WINDOWS\system32\LE578.tmp
2008-04-19 20:17 . 2008-04-19 20:17 398 --a------ C:\WINDOWS\system32\LE4CD.tmp
2008-04-19 20:17 . 2008-04-19 20:17 398 --a------ C:\WINDOWS\system32\LE347.tmp
2008-03-26 17:08 . 2008-03-26 17:08 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-03-13 15:38 . 2008-03-13 15:38 <DIR> d-------- C:\Documents and Settings\Robert Pierce\Application Data\PlayFirst
2008-03-13 15:38 . 2008-03-13 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-08 12:24 . 2008-04-13 16:06 <DIR> d-------- C:\Remote Programs
2008-03-08 12:24 . 2008-04-01 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Exetender
2008-03-08 12:24 . 2006-08-22 14:24 7,542 --------- C:\WINDOWS\Verizon.ico
2008-03-08 12:24 . 2008-04-01 12:25 67 --a------ C:\WINDOWS\GPlrLanc.dat
2008-03-08 12:23 . 2008-04-01 12:25 <DIR> d-------- C:\Program Files\Verizon Games on Demand Player
2008-03-08 12:23 . 2008-01-21 20:53 53,314 --------- C:\WINDOWS\ExentInfo.exe
2008-03-03 08:51 . 2008-03-03 08:51 0 --a------ C:\WINDOWS\iPlayer.INI
2008-03-03 08:48 . 2008-03-03 08:48 <DIR> d-------- C:\Program Files\InterActual
2008-03-03 08:34 . 2008-03-03 08:34 21,504 --a------ C:\WINDOWS\system32\atmliba.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 20:43 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-20 20:08 --------- d-----w C:\Program Files\BHODemon
2008-04-20 20:07 --------- d-----w C:\Documents and Settings\Robert Pierce\Application Data\Lavasoft
2008-04-20 19:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 08:56 --------- d-----w C:\Program Files\Java
2008-04-08 23:09 --------- d-----w C:\Documents and Settings\Robert Pierce\Application Data\MSN6
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-03 13:48 --------- d-----w C:\Program Files\PCFriendly
2008-02-21 03:51 21,504 ----a-w C:\WINDOWS\system32\avwavb.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-27 23:57 21,504 ----a-w C:\WINDOWS\system32\adsmsextb.dll
2008-01-26 23:27 21,504 ----a-w C:\WINDOWS\system32\batmeters.dll
2008-01-23 02:38 21,504 ----a-w C:\WINDOWS\system32\avifileb.dll
2006-03-18 06:38 0 ----a-w C:\Documents and Settings\Robert Pierce\ignorelist.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 18:34 3084288]
"Exetender"="C:\Program Files\Verizon Games on Demand Player\GPlayer.exe" [2008-01-21 21:09 1945600]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"litlwpde"="C:\WINDOWS\system32\utsralgb.exe" [ ]
"QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" [ ]
"Jzpno"="C:\WINDOWS\system32\a?sembly\u?erinit.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-04-16 17:53 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2004-05-21 15:48 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-05-21 15:51 66048 C:\WINDOWS\SOUNDMAN.EXE]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 20:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 11:55 868352]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 14:38 319488]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-05-14 15:53 32768]
"AGRSMMSG"="AGRSMMSG.exe" [2004-05-21 15:48 88363 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-12-05 16:22 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 04:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-29 19:36 256576]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe" [2005-07-19 10:05 135168]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-07-19 10:05 53248]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 03:58 65536]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"SBI"="C:\Documents and Settings\Robert Pierce\Local Settings\Temporary Internet Files\Content.IE5\GLINCH2N\install_sbd_en[1].exe" [ ]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [ ]
"BMN"="C:\Program Files\Common Files\AntiSpywareSuite\bm.exe" [ ]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 13:03 2065648]
"2cb7486d"="C:\WINDOWS\system32\gyjxkssb.dll" [ ]
"peeidasm"="C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ogjpb.drv WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-16 20:15:01 110592]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-05-29 04:06:05 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"dmqlkotp"= rundll32.exe "C:\WINDOWS\system32\bqbej.drv" WLEntryPoint

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43582:TCP"= 43582:TCP:@xpsp2res.dll,-22005
"35221:TCP"= 35221:TCP:@xpsp2res.dll,-22005
"11384:TCP"= 11384:TCP:@xpsp2res.dll,-22005
"5039:TCP"= 5039:TCP:@xpsp2res.dll,-22005

R0 Spsmqvsm;auMusicPort SPS Service;C:\WINDOWS\system32\drivers\spsmqvsm.sys [2003-06-26 22:09]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R2 X4HSX32;X4HSX32;C:\Program Files\Verizon Games on Demand Player\X4HSX32.Sys [2008-03-04 09:18]
R3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-05-21 15:50]
S3 naecd;naecd;C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\naecd.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 22:13:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 01:34:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-30 1:40:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 06:40:10

Pre-Run: 43,133,480,960 bytes free
Post-Run: 43,091,087,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

288 --- E O F --- 2008-04-29 11:43:08
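As an added example (not code from this thread, from DSS or from ComboFix), the following Python triage runs a few defender-side checks over lines shaped like the DSS file-association output in post #3 and the "Reg Loading Points" and firewall sections of the log above: a non-default .exe association, DLL/DRV/SYS files loaded out of a Temp directory, autostart values ComboFix could not stamp with a date and size, '?' look-alike characters in paths, a .drv used as a payload, the firewall switched off, and globally opened ports. The sample lines are constructed from the patterns in the log and the tag names are my own.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample lines, modelled on the DSS file-association check in post #3
# and on the ComboFix "Reg Loading Points" / firewall sections in the log above.
SAMPLE_LINES = [
    r'.exe exefile shell\open\command rundll32.exe "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\bdghqgq.dll" WLEntry %1 %*',
    r'"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]',
    r'"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]',
    r'"Jzpno"="C:\WINDOWS\system32\a?sembly\u?erinit.exe" [ ]',
    r'"peeidasm"="C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ogjpb.drv WLEntryPoint" [ ]',
    r'"dmqlkotp"= rundll32.exe "C:\WINDOWS\system32\bqbej.drv" WLEntryPoint',
    r'"EnableFirewall"= 0 (0x0)',
    r'"43582:TCP"= 43582:TCP:@xpsp2res.dll,-22005',
    r'"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2004-05-21 15:48 106496]',
    r'.exe exefile shell\open\command "%1" %*',
]

# Stock value of HKCR\exefile\shell\open\command on a clean Windows XP install.
DEFAULT_EXE_COMMAND = '"%1" %*'
ASSOC_MARKER = "shell\\open\\command"


def exefile_hijacked(line: str) -> bool:
    """DSS prints '.exe exefile shell\\open\\command <cmd>'. Anything but the stock
    "%1" %* means every .exe the user launches is first routed through <cmd>,
    which is why the association in post #3 kept coming back as 'faulty'."""
    if not line.startswith(".exe exefile") or ASSOC_MARKER not in line:
        return False
    return line.split(ASSOC_MARKER, 1)[1].strip() != DEFAULT_EXE_COMMAND


def _search(pattern: str, flags: int = 0) -> Callable[[str], bool]:
    rx = re.compile(pattern, flags)
    return lambda line: rx.search(line) is not None


# Each rule is (tag, predicate). Tag names are my own, not ComboFix terminology.
RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("exefile-hijack", exefile_hijacked),
    # A .dll/.drv/.sys loaded out of a Temp directory (by rundll32 or directly).
    ("temp-loader", _search(r'\\temp\\[^"\s]+\.(?:dll|drv|sys)\b', re.I)),
    # ComboFix shows [date time size] for a target it could read; in the quoted
    # log the bare "[ ]" entries are exactly the ones later scripted for removal.
    ("no-file-stamp", _search(r'\[\s*\]\s*$')),
    # A '?' inside a path component: a non-ASCII look-alike character the log
    # could not print, as in a?sembly\u?erinit.exe mimicking userinit.exe.
    ("homoglyph-path", _search(r'[A-Za-z0-9]\?[A-Za-z0-9]')),
    # A .drv file used as an autostart payload or rundll32 target.
    ("drv-payload", _search(r'\.drv\b', re.I)),
    # Windows Firewall turned off for the standard profile.
    ("firewall-disabled", _search(r'^"EnableFirewall"=\s*0\b')),
    # A port opened to everyone in the standard profile; confirm which program needs it.
    ("open-port", _search(r'^"\d+:(?:TCP|UDP)"=')),
]


def triage(lines: List[str]) -> List[List[str]]:
    """Tags per input line, in RULES order; an empty list means nothing matched."""
    return [[tag for tag, hit in RULES if hit(line)] for line in lines]


def report(lines: List[str]) -> List[str]:
    """Only the flagged lines, each prefixed with its tags."""
    return [f"{', '.join(tags)}: {line}"
            for line, tags in zip(lines, triage(lines)) if tags]


if __name__ == "__main__":
    for finding in report(SAMPLE_LINES):
        print(finding)
```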

#9 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 April 2008 - 02:23 AM

Hi, we still have a lot to clean...

The images not loading could be because your cache is full, so,

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then, I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\qasifc.dll
C:\WINDOWS\system32\qgeilpmf.drv
C:\WINDOWS\BM2f847bf1.xml
C:\WINDOWS\system32\setowoge.tmp
C:\WINDOWS\system32\xGjilUvw.ini
C:\WINDOWS\snkhopkx.dll
C:\WINDOWS\ojofchur.dll
C:\Documents and Settings\All Users\Application Data\hcfozajo.dll
C:\WINDOWS\system32\LE67C.tmp
C:\WINDOWS\system32\LE578.tmp
C:\WINDOWS\system32\LE4CD.tmp
C:\WINDOWS\system32\LE347.tmp
Folder::
C:\WINDOWS\mgwwgmke
C:\Documents and Settings\All Users\Application Data\whydqrcv
C:\Documents and Settings\All Users\Application Data\SalesMon
Driver::
naecd
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule15"=-
"litlwpde"=-
"QdrPack15"=-
"Jzpno"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBI"=-
"-FreedomNeedsReboot"=-
"BMN"=-
"2cb7486d"=-
"peeidasm"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"dmqlkotp"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also, what happens if you run this again?

"%userprofile%\desktop\dss.exe" /daft

Can you restore the association for exe files now?
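An added example, not the thread's own script and not part of ComboFix: a parser for the CFScript layout used above (File::, Folder::, Driver:: and Registry:: sections, where "name"=- is read as REGEDIT4-style delete-this-value syntax) together with a cross-check that every entry in the script was actually seen in the ComboFix log, so a removal script can be reviewed against evidence before it is dragged onto ComboFix.exe. The sample script and log excerpt are constructed from the thread's patterns and include one deliberately unlisted registry value.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample CFScript, modelled on the one posted in this thread
# (not the thread's own file; "NotInLog" is planted to show the cross-check).
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\qasifc.dll
C:\WINDOWS\system32\LE67C.tmp
Folder::
C:\WINDOWS\mgwwgmke
Driver::
naecd
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule15"=-
"Jzpno"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"peeidasm"=-
"NotInLog"=-
"""

# Constructed excerpt modelled on the ComboFix log in this thread: a few
# "Files Created" rows, Run-key values and one driver/service row.
SAMPLE_LOG = r"""2008-04-30 01:29 . 2007-06-13 05:23 113,664 --a------ C:\WINDOWS\system32\qasifc.dll
2008-04-19 20:17 . 2008-04-19 20:17 398 --a------ C:\WINDOWS\system32\LE67C.tmp
2008-04-19 20:18 . 2008-04-19 20:18 <DIR> d-------- C:\WINDOWS\mgwwgmke
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"Jzpno"="C:\WINDOWS\system32\a?sembly\u?erinit.exe" [ ]
"peeidasm"="C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ogjpb.drv WLEntryPoint" [ ]
S3 naecd;naecd;C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\naecd.sys []
"""

SECTIONS = ("File", "Folder", "Driver", "Registry")


def parse_cfscript(text: str) -> Dict[str, object]:
    """Split a CFScript into its sections. Registry:: becomes a map of
    key -> value names marked for deletion with the "name"=- syntax."""
    script: Dict[str, object] = {"File": [], "Folder": [], "Driver": [], "Registry": {}}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::") and line[:-2] in SECTIONS:
            section, key = line[:-2], None
            continue
        if section is None:
            raise ValueError(f"content before any section header: {line!r}")
        if section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                script["Registry"].setdefault(key, [])
            elif key is not None:
                m = re.match(r'^"([^"]+)"=-$', line)
                if not m:
                    raise ValueError(f"unsupported registry line: {line!r}")
                script["Registry"][key].append(m.group(1))
            else:
                raise ValueError(f"registry value before any key: {line!r}")
        else:
            script[section].append(line)
    return script


# Row shapes taken from the log above: created-file rows, Run values, R/S driver rows.
FILE_ROW = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d \. (?:\d{4}-\d\d-\d\d \d\d:\d\d )?(?:<DIR>|[\d,]+) \S+ (.+)$')
RUN_VALUE = re.compile(r'^"([^"]+)"=')
DRIVER_ROW = re.compile(r'^[RS]\d (\w+);')


def index_log(text: str) -> Tuple[set, set, set]:
    """Collect the paths, autostart value names and driver names the log shows."""
    paths, values, drivers = set(), set(), set()
    for line in text.splitlines():
        if m := FILE_ROW.match(line):
            paths.add(m.group(1).strip().lower())
        elif m := RUN_VALUE.match(line):
            values.add(m.group(1).lower())
        elif m := DRIVER_ROW.match(line):
            drivers.add(m.group(1).lower())
    return paths, values, drivers


def unverified_entries(script: Dict[str, object], log_text: str) -> List[Tuple[str, str]]:
    """Script entries the log never mentioned; these need a second look before running."""
    paths, values, drivers = index_log(log_text)
    missing: List[Tuple[str, str]] = []
    for section in ("File", "Folder"):
        missing += [(section, p) for p in script[section] if p.lower() not in paths]
    missing += [("Driver", d) for d in script["Driver"] if d.lower() not in drivers]
    for key, names in script["Registry"].items():
        missing += [("Registry", f"{key}\\{n}") for n in names if n.lower() not in values]
    return missing


if __name__ == "__main__":
    for entry in unverified_entries(parse_cfscript(SAMPLE_CFSCRIPT), SAMPLE_LOG):
        print("not seen in log:", entry)
```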

#10 lostinendicott
  • Topic Starter
  • Members
  • 60 posts

Posted 30 April 2008 - 03:31 AM

Hi,

Sorry that it took me so long. Followed all instructions from your last reply, here are the logs:

ComboFix 08-04-29.3 - Robert Pierce 2008-04-30 2:50:38.2 - NTFSx86
Running from: C:\Documents and Settings\Robert Pierce\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robert Pierce\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Application Data\hcfozajo.dll
C:\WINDOWS\BM2f847bf1.xml
C:\WINDOWS\ojofchur.dll
C:\WINDOWS\snkhopkx.dll
C:\WINDOWS\system32\LE347.tmp
C:\WINDOWS\system32\LE4CD.tmp
C:\WINDOWS\system32\LE578.tmp
C:\WINDOWS\system32\LE67C.tmp
C:\WINDOWS\system32\qasifc.dll
C:\WINDOWS\system32\qgeilpmf.drv
C:\WINDOWS\system32\setowoge.tmp
C:\WINDOWS\system32\xGjilUvw.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\hcfozajo.dll
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Documents and Settings\All Users\Application Data\whydqrcv
C:\Documents and Settings\Robert Pierce\Local Settings\Application Data\n.ini
C:\Documents and Settings\Robert Pierce\tmp.dat
C:\WINDOWS\BM2f847bf1.xml
C:\WINDOWS\mgwwgmke
C:\WINDOWS\mgwwgmke\1.png
C:\WINDOWS\mgwwgmke\2.png
C:\WINDOWS\mgwwgmke\3.png
C:\WINDOWS\mgwwgmke\4.png
C:\WINDOWS\mgwwgmke\5.png
C:\WINDOWS\mgwwgmke\6.png
C:\WINDOWS\mgwwgmke\7.png
C:\WINDOWS\mgwwgmke\8.png
C:\WINDOWS\mgwwgmke\9.png
C:\WINDOWS\mgwwgmke\bottom-rc.gif
C:\WINDOWS\mgwwgmke\config.png
C:\WINDOWS\mgwwgmke\content.png
C:\WINDOWS\mgwwgmke\download.gif
C:\WINDOWS\mgwwgmke\frame-bg.gif
C:\WINDOWS\mgwwgmke\frame-bottom-left.gif
C:\WINDOWS\mgwwgmke\frame-h1bg.gif
C:\WINDOWS\mgwwgmke\head.png
C:\WINDOWS\mgwwgmke\icon.png
C:\WINDOWS\mgwwgmke\indexwp.html
C:\WINDOWS\mgwwgmke\main.css
C:\WINDOWS\mgwwgmke\memory-prots.png
C:\WINDOWS\mgwwgmke\net.png
C:\WINDOWS\mgwwgmke\pc-mag.gif
C:\WINDOWS\mgwwgmke\pc.gif
C:\WINDOWS\mgwwgmke\poloska1.png
C:\WINDOWS\mgwwgmke\poloska2.png
C:\WINDOWS\mgwwgmke\poloska3.png
C:\WINDOWS\mgwwgmke\promowp1.html
C:\WINDOWS\mgwwgmke\promowp2.html
C:\WINDOWS\mgwwgmke\promowp3.html
C:\WINDOWS\mgwwgmke\promowp4.html
C:\WINDOWS\mgwwgmke\promowp5.html
C:\WINDOWS\mgwwgmke\reg.png
C:\WINDOWS\mgwwgmke\repair.png
C:\WINDOWS\mgwwgmke\scr-1.png
C:\WINDOWS\mgwwgmke\scr-2.png
C:\WINDOWS\mgwwgmke\start.png
C:\WINDOWS\mgwwgmke\styles.css
C:\WINDOWS\mgwwgmke\Thumbs.db
C:\WINDOWS\mgwwgmke\top-rc.gif
C:\WINDOWS\mgwwgmke\vline.gif
C:\WINDOWS\mgwwgmke\wp.png
C:\WINDOWS\ojofchur.dll
C:\WINDOWS\snkhopkx.dll
C:\WINDOWS\system32\LE347.tmp
C:\WINDOWS\system32\LE4CD.tmp
C:\WINDOWS\system32\LE578.tmp
C:\WINDOWS\system32\LE67C.tmp
C:\WINDOWS\system32\qasifc.dll
C:\WINDOWS\system32\qgeilpmf.drv
C:\WINDOWS\system32\setowoge.tmp
C:\WINDOWS\system32\xGjilUvw.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAECD
-------\Service_naecd


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 02:57 . <DIR> C:\temp\2539f
2008-04-30 02:51 . 2007-06-13 05:23 113,664 --a------ C:\WINDOWS\system32\mdrojohtiet.dll
2008-04-29 20:14 . 2008-04-29 20:14 <DIR> d-------- C:\HostsXpert
2008-04-22 20:45 . 2008-04-22 20:45 <DIR> d-------- C:\Deckard
2008-04-22 01:02 . 2008-04-22 01:02 4,880 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-22 00:56 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-22 00:56 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-22 00:56 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-22 00:56 . 2008-04-20 00:38 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-22 00:56 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-22 00:56 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-22 00:56 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-21 20:46 . 2008-04-21 20:46 <DIR> d-------- C:\Documents and Settings\Robert Pierce\Application Data\Malwarebytes
2008-04-21 20:14 . 2008-04-21 20:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 20:14 . 2008-04-21 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 20:14 . 2008-04-21 20:14 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Malwarebytes
2008-04-20 19:13 . 2004-05-29 04:06 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\WINDOWS
2008-04-20 19:13 . 2004-05-29 08:44 <DIR> d---s---- C:\Documents and Settings\Administrator.AVLAPTOP\UserData
2008-04-20 19:13 . 2004-06-15 01:20 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Symantec
2008-04-20 19:13 . 2004-06-10 05:32 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\Roxio
2008-04-20 19:13 . 2004-06-11 02:05 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\CyberLink
2008-04-20 19:13 . 2004-06-02 04:55 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP\Application Data\AdobeUM
2008-04-20 19:13 . 2008-04-20 19:13 <DIR> d-------- C:\Documents and Settings\Administrator.AVLAPTOP
2008-04-20 19:13 . 2008-04-30 01:28 1,024 --ah----- C:\Documents and Settings\Administrator.AVLAPTOP\ntuser.dat.LOG
2008-04-20 15:49 . 2008-04-20 15:49 <DIR> d-------- C:\d19a3a30cc5be469c9d3
2008-04-20 15:42 . 2008-04-20 15:47 2 --a------ C:\750209218
2008-04-20 15:03 . 2004-10-07 14:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-04-20 14:22 . 2008-01-09 10:35 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-04-20 14:20 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2008-04-20 13:54 . 2008-04-20 13:54 <DIR> d-------- C:\Documents and Settings\Robert Pierce\Application Data\InstallShield
2008-04-20 13:51 . 2008-04-20 13:51 <DIR> d-------- C:\Documents and Settings\Robert Pierce\Application Data\Verizon
2008-04-20 13:50 . 2008-04-29 11:06 <DIR> d-------- C:\Program Files\Verizon
2008-04-20 13:50 . 2008-04-20 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Verizon
2008-04-20 03:57 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-20 03:38 . 2008-04-29 23:15 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-03-26 17:08 . 2008-03-26 17:08 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-03-13 15:38 . 2008-03-13 15:38 <DIR> d-------- C:\Documents and Settings\Robert Pierce\Application Data\PlayFirst
2008-03-13 15:38 . 2008-03-13 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-03-08 12:24 . 2008-04-13 16:06 <DIR> d-------- C:\Remote Programs
2008-03-08 12:24 . 2008-04-01 12:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Exetender
2008-03-08 12:24 . 2006-08-22 14:24 7,542 --------- C:\WINDOWS\Verizon.ico
2008-03-08 12:24 . 2008-04-01 12:25 67 --a------ C:\WINDOWS\GPlrLanc.dat
2008-03-08 12:23 . 2008-04-01 12:25 <DIR> d-------- C:\Program Files\Verizon Games on Demand Player
2008-03-08 12:23 . 2008-01-21 20:53 53,314 --------- C:\WINDOWS\ExentInfo.exe
2008-03-03 08:51 . 2008-03-03 08:51 0 --a------ C:\WINDOWS\iPlayer.INI
2008-03-03 08:48 . 2008-03-03 08:48 <DIR> d-------- C:\Program Files\InterActual
2008-03-03 08:34 . 2008-03-03 08:34 21,504 --a------ C:\WINDOWS\system32\atmliba.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 20:08 --------- d-----w C:\Program Files\BHODemon
2008-04-20 20:07 --------- d-----w C:\Documents and Settings\Robert Pierce\Application Data\Lavasoft
2008-04-20 19:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 08:56 --------- d-----w C:\Program Files\Java
2008-04-08 23:09 --------- d-----w C:\Documents and Settings\Robert Pierce\Application Data\MSN6
2008-03-03 13:48 --------- d-----w C:\Program Files\PCFriendly
2006-03-18 06:38 0 ----a-w C:\Documents and Settings\Robert Pierce\ignorelist.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-30_ 1.39.52.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 06:34:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-30 07:55:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-30 07:57:14 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_e8c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 18:34 3084288]
"Exetender"="C:\Program Files\Verizon Games on Demand Player\GPlayer.exe" [2008-01-21 21:09 1945600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2004-04-16 17:53 249856]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2004-05-21 15:48 106496]
"SoundMan"="SOUNDMAN.EXE" [2004-05-21 15:51 66048 C:\WINDOWS\SOUNDMAN.EXE]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 20:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 11:55 868352]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 14:38 319488]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-05-14 15:53 32768]
"AGRSMMSG"="AGRSMMSG.exe" [2004-05-21 15:48 88363 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-12-05 16:22 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 04:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-29 19:36 256576]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"MMTray"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe" [2005-07-19 10:05 135168]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-07-19 10:05 53248]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 03:58 65536]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 13:03 2065648]
"peeidasm"="C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ijrqeh.sys WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-16 20:15:01 110592]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2004-05-29 04:06:05 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"dmqlkotp"= rundll32.exe "C:\WINDOWS\system32\bqbej.drv" WLEntryPoint

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24438:TCP"= 24438:TCP:@xpsp2res.dll,-22005
"39949:TCP"= 39949:TCP:@xpsp2res.dll,-22005
"62752:TCP"= 62752:TCP:@xpsp2res.dll,-22005
"64231:TCP"= 64231:TCP:@xpsp2res.dll,-22005

R0 Spsmqvsm;auMusicPort SPS Service;C:\WINDOWS\system32\drivers\spsmqvsm.sys [2003-06-26 22:09]
R2 X4HSX32;X4HSX32;C:\Program Files\Verizon Games on Demand Player\X4HSX32.Sys [2008-03-04 09:18]
R3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-05-21 15:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 22:13:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 02:55:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\msxml4-KB936181-enu.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-04-30 3:01:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 08:00:35
ComboFix2.txt 2008-04-30 06:40:23

Pre-Run: 43,102,138,368 bytes free
Post-Run: 43,057,115,136 bytes free

244 --- E O F --- 2008-04-29 11:43:08

After running DSS again I still have the same results: one faulty file association. After doing the fix several times I get "All associations okay!", but when I re-scan I get the same faulty association. There is a slight difference at the end of the file:

DAFT Log saved on 2008-04-30 03:13:03
-----------------------------------------------------------------------
.exe - exefile - shell\open\command - rundll32.exe "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ltsljslocha.sys" WLEntry %1 %*

My HijackThis log will be in my next reply.

#11 lostinendicott
  • Topic Starter
  • Members
  • 60 posts

Posted 30 April 2008 - 03:38 AM

Hello again,

Ran HijackThis again; the log is below. I have not tried to 'fix' anything that the scan showed; I figured I would let you tell me what I should put a check beside.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:05 AM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Verizon Games on Demand Player\GPlayer.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robert Pierce\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [msdnilsq] rundll32.exe "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\paqteekokop.sys" WLEntryPoint
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Exetender] "C:\Program Files\Verizon Games on Demand Player\GPlayer.exe" /runonstartup
O4 - HKLM\..\Policies\Explorer\Run: [mtjjtgtk] rundll32.exe "C:\WINDOWS\system32\bqbej.drv" WLEntryPoint
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Verizon Games on Demand Player\GPlayer.exe /runonstartup" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Exetender] "C:\Program Files\Verizon Games on Demand Player\GPlayer.exe /runonstartup" (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{10AD0C26-CEC9-4971-BFE6-0D8DF3CD2944}: NameServer = 85.255.116.172,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E7F5887-E798-4B58-8E89-2FB12DF40953}: NameServer = 85.255.116.172,85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{10AD0C26-CEC9-4971-BFE6-0D8DF3CD2944}: NameServer = 85.255.116.172,85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\..\{10AD0C26-CEC9-4971-BFE6-0D8DF3CD2944}: NameServer = 85.255.116.172,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8239 bytes

#12 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 April 2008 - 03:40 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ltsljslocha.sys
C:\WINDOWS\system32\bqbej.drv
C:\WINDOWS\system32\mdrojohtiet.dll
C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\paqteekokop.sys
C:\750209218
Folder::
C:\temp\2539f
Dirlook::
C:\d19a3a30cc5be469c9d3
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"peeidasm"=-
"msdnilsq"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"dmqlkotp"=-
"mtjjtgtk"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

In case you can't run exe files anymore after performing the above steps (although ComboFix should restore the default association for exe files), go to Start > Run and type: command.com
A command prompt will open.

There type:

ftype exefile="%1" %*

Hit enter.

This should restore the association for exe files again.

Edited by miekiemoes, 30 April 2008 - 03:42 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
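As an added example (not code from this thread, nor from ComboFix, DSS or HijackThis), a small Python triage that applies the checks discussed in the posts above to HijackThis/DAFT-style log lines: O4 Run entries where rundll32 loads a non-DLL module or a file from a Temp folder, O17 NameServer entries outside an allow-list you supply, and an exefile open command other than "%1" %*. The sample lines are copied from this thread's logs; the 192.168.1.1 resolver in the allow-list is a placeholder for whatever the ISP actually assigns.

```python
import ntpath
import re
from typing import List, Optional, Set, Tuple

# What HKCR\exefile\shell\open\command should contain; anything else routes
# every .exe launch through another program first.
EXPECTED_EXEFILE_CMD = '"%1" %*'

O4_RE = re.compile(r'^O4 - (?P<where>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.+)$')
ASSOC_RE = re.compile(r'^\.exe - exefile - shell\\open\\command - (?P<cmd>.+)$')
# rundll32[.exe] <module>[,export] [export] [args]; the module may be quoted.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.IGNORECASE)


def rundll32_module_is_suspect(cmd: str) -> bool:
    """True when rundll32 is told to load something that is not a .dll, or a
    file under a Temp folder: the shape of every rogue Run entry in this thread."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return False  # not a rundll32 launch at all
    module = (m.group('quoted') or m.group('bare')).split(',')[0]
    ext = ntpath.splitext(module)[1].lower()
    return ext != '.dll' or '\\temp\\' in module.lower()


def exe_association_command(line: str) -> Optional[str]:
    """Return the exefile open command from a DAFT-style line, else None."""
    m = ASSOC_RE.match(line.strip())
    return m.group('cmd').strip() if m else None


def triage(lines: List[str], expected_dns: Set[str]) -> List[Tuple[str, str]]:
    """Scan log lines and return (indicator, detail) findings in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m4, m17 = O4_RE.match(line), O17_RE.match(line)
        if m4:
            if rundll32_module_is_suspect(m4.group('cmd')):
                findings.append(('rundll32-nondll', m4.group('name')))
        elif m17:
            servers = set(re.split(r'[ ,]+', m17.group('servers').strip()))
            rogue = servers - expected_dns
            if rogue:
                findings.append(('dns-changed', ','.join(sorted(rogue))))
        else:
            cmd = exe_association_command(line)
            if cmd is not None and cmd != EXPECTED_EXEFILE_CMD:
                findings.append(('exefile-hijacked', cmd))
    return findings


# Sample lines copied from the logs posted in this thread; the jusched entry
# is there to show that a legitimate Run entry passes.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [msdnilsq] rundll32.exe "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\paqteekokop.sys" WLEntryPoint',
    r'O4 - HKLM\..\Policies\Explorer\Run: [mtjjtgtk] rundll32.exe "C:\WINDOWS\system32\bqbej.drv" WLEntryPoint',
    r'O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.172 85.255.112.142',
    r'.exe - exefile - shell\open\command - rundll32.exe "C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ltsljslocha.sys" WLEntry %1 %*',
]

if __name__ == '__main__':
    # 192.168.1.1 is a placeholder allow-list; use the resolvers your ISP assigns.
    for indicator, detail in triage(SAMPLE_LINES, {'192.168.1.1'}):
        print(f'{indicator:18} {detail}')
```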

#13 lostinendicott
  • Topic Starter
  • Members
  • 60 posts

Posted 30 April 2008 - 04:01 AM

Hi,

Ran ComboFix again, but there seems to be a problem. After the laptop rebooted I closed the log.txt file and now I have nothing but a blue screen.

#14 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 April 2008 - 04:09 AM

Can you open Task Manager (CTRL-ALT-DEL) and run explorer.exe from there? Because it looks like your explorer.exe doesn't run.

Also let me know if you can open Task Manager.

#15 lostinendicott
  • Topic Starter
  • Members
  • 60 posts

Posted 30 April 2008 - 04:15 AM

I can open Task Manager; it was the first thing I tried, to see if anything was running. Problem is that I don't really know what to do now that I have it open.
