Cryp Tap - Help


This topic is locked
17 replies to this topic

#1 leeper

Posted 24 April 2008 - 11:50 PM

My wife did something, and suddenly I was infected. Trend Micro says it's "cryp tap" but can't remove it.

I am now filled with suspicious programs (fake antispyware) and fake spyware warnings. My task manager has been disabled. Help.

Here is my log... Thanks.




Deckard's System Scanner v20071014.68
Run by Jonathan Leepson on 2008-04-25 00:41:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
80: 2008-04-25 04:37:29 UTC - RP454 - Deckard's System Scanner Restore Point
79: 2008-04-25 01:23:22 UTC - RP453 - Last known good configuration
78: 2008-04-25 01:23:18 UTC - RP452 - System Checkpoint
77: 2008-04-25 01:23:18 UTC - RP451 - System Checkpoint
76: 2008-04-25 01:23:18 UTC - RP450 - System Checkpoint


-- First Restore Point --
1: 2008-04-25 01:22:38 UTC - RP375 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.




-- HijackThis (run as Jonathan Leepson.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:21 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Desktop.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jonathan Leepson\Desktop\dss.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\avujcbqh.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jonathan Leepson.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CC22B01-DC2C-44E7-969D-2914DF3899A1} - C:\WINDOWS\system32\urqOFWqr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: DVA Gate - {7A6FD945-14B0-41F8-84FB-74DEF17528BB} - C:\WINDOWS\qnmargolxgn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINDOWS\system32\iiFvUkhE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: dpevflbg - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - C:\WINDOWS\dpevflbg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [LogEnable] 
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [c8eeee02] rundll32.exe "C:\WINDOWS\system32\bstmchpx.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [xxgmlwvt] C:\WINDOWS\system32\avujcbqh.exe
O4 - HKCU\..\Policies\Explorer\Run: [Fgco0YG89s] C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.secure.hiwired.com (HKLM)
O15 - ESC Trusted Zone: *.secure.hiwired.com (HKLM)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: iiFvUkhE - C:\WINDOWS\SYSTEM32\iiFvUkhE.dll
O21 - SSODL: vadokmxt - {DA364FAB-6412-4D5F-9731-77B846E8DBFE} - C:\WINDOWS\vadokmxt.dll
O21 - SSODL: wdpoefan - {F89A6AE1-4635-423E-B27A-9D2F1D541966} - C:\WINDOWS\wdpoefan.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HiWired Client Core Service (HiWiredCore) - HiWired Inc. - C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PatchLink Update - HiWired - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 11177 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*
.vbs - VBSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*

And,

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6300 @ 1.86GHz
CPU 1: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 1021.85 MiB / 461.09 MiB
Pagefile Memory (total/avail): 2458.38 MiB / 2003.76 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.4 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 228.13 GiB total, 209.68 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-75NCB3 - 232.83 GiB - 3 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 228.13 GiB - C:
\PARTITION2 - Unknown - 4.64 GiB

\\.\PHYSICALDRIVE1 - TEAC USB HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v12 (Trend Micro, Inc.) Disabled
AV: Trend Micro PC-cillin Internet Security v12.7.1019 (Trend Micro, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"D:\\setup\\HPZnet01.exe"="D:\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"D:\\setup\\HPONICIFS01.EXE"="D:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:Spooler SubSystem App"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jonathan Leepson\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DEN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jonathan Leepson
LOGONSERVER=\\DEN
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JONATH~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JONATH~1\LOCALS~1\Temp
USERDOMAIN=DEN
USERNAME=Jonathan Leepson
USERPROFILE=C:\Documents and Settings\Jonathan Leepson
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jonathan Leepson (admin)
Janet Lefkowitz
Nettie Leepson
Daisy Leepson
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Connectivity Services --> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Chinese Simplified Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-2447-0000-800000000003}
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Corel Snapfire Plus --> MsiExec.exe /I{7ADE3A47-B425-45E9-8FF6-11BE2B775645}
Cox Tech Solutions Data Backup --> C:\Program Files\Carbonite\Carbonite Backup\CarboniteSetup.exe /remove
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Game Console --> "C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe"
Dell Support 3.2.1 --> MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Documentation & Support Launcher --> MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
Games, Music, & Photos Launcher --> MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
Garmin Training Center v5 --> MsiExec.exe /X{DE659AC8-EEF0-4115-AA0C-6500D194FB10}
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Get High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HiWired Agent --> MsiExec.exe /X{71E58776-706C-4070-8343-989E59456072}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Document Viewer 5.3 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Extended Capabilities 5.3 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\setup\hpzscr01.exe" -datfile hposcr06.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel® Matrix Storage Manager --> C:\WINDOWS\System32\Imsmudlg.exe
Intel® Quick Resume Technology Drivers --> C:\WINDOWS\System32\Elusetup.exe
Intel® Viiv™ Software --> MsiExec.exe /X{7EAB1D85-7BA3-47C1-BBF7-A0EBC241DB94}
Internet Service Offers Launcher --> MsiExec.exe /X{E42BD75A-FC23-4E3F-9F91-2658334C644F}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Japanese Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5760-0000-800000000003}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Mavis Beacon Teaches Typing 17 --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 17\Uninstall.xml"
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money 2007 Home & Business --> "C:\Program Files\Microsoft Money 2007\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}
Microsoft Office Small Business Edition 2003 --> MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MotionBased Agent --> MsiExec.exe /I{70C4EFA5-F8B8-4015-9378-FCAA9000DF19}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NetZero For Riverdeep --> MsiExec.exe /X{86C1A488-24AD-42F0-BCEF-FDB11FC2BEFA}
NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PC Check & Connect --> "C:\Program Files\HiWired\PC Check & Connect\LKI\HiWired.Client.Bootstrap.exe" -maintenance
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SearchAssist --> C:\DELL\SearchAssist\UninstSA.bat
SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P="SecondLife"
Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
TBS WMP Plug-in --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{DB5F474C-B584-417F-810B-DEBBC1893C2A}
Trend Micro PC-cillin Internet Security 12 --> MsiExec.exe /X{7698EDA5-A90F-4205-99CB-8FF6F9048ED9}
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
URL Assistant --> regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtual Earth 3D (Beta) --> MsiExec.exe /X{619B8475-0F48-41B7-A370-5147F7092989}
WebMail Sync --> MsiExec.exe /I{AFDEB866-9354-4346-B546-AB93F98EDC85}
WebVideo Support --> C:\WINDOWS\wxvgsdbq.exe
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Worldwide Soccer Manager 2005 --> MsiExec.exe /I{BFA3DC7E-0C31-4008-B8B2-589CBC5305FF}
Yahoo! Music Jukebox --> MsiExec.exe /X{7C49EA42-5647-4051-84C2-E6404F25A931}


-- Application Event Log -------------------------------------------------------

Event Record #/Type3553 / Error
Event Submitted/Written: 04/25/2008 00:32:35 AM
Event ID/Source: 5013 / VSS
Event Description:
Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager called routine OpenNtmsSessionW which failed with status 0x80070422 (converted to 0x800423f4).

Event Record #/Type3534 / Error
Event Submitted/Written: 04/23/2008 08:07:58 PM
Event ID/Source: 5013 / VSS
Event Description:
Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager called routine OpenNtmsSessionW which failed with status 0x80070422 (converted to 0x800423f4).

Event Record #/Type3533 / Error
Event Submitted/Written: 04/23/2008 07:01:46 PM
Event ID/Source: 5013 / VSS
Event Description:
Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager called routine OpenNtmsSessionW which failed with status 0x80070422 (converted to 0x800423f4).

Event Record #/Type3532 / Error
Event Submitted/Written: 04/23/2008 06:01:21 PM
Event ID/Source: 5013 / VSS
Event Description:
Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager called routine OpenNtmsSessionW which failed with status 0x80070422 (converted to 0x800423f4).

Event Record #/Type3531 / Error
Event Submitted/Written: 04/23/2008 10:35:06 AM
Event ID/Source: 5013 / VSS
Event Description:
Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager called routine OpenNtmsSessionW which failed with status 0x80070422 (converted to 0x800423f4).



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type177856 / Error
Event Submitted/Written: 04/25/2008 00:32:34 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service ntmssvc with arguments "-Service"
in order to run the server:
{D61A27C6-8F53-11D0-BFA0-00A024151983}

Event Record #/Type177387 / Error
Event Submitted/Written: 04/23/2008 07:26:29 AM / 04/23/2008 07:26:30 AM
Event ID/Source: 25 / VolSnap
Event Description:
The shadow copy of volume C: was aborted because the diff area file could
not grow in time. Consider reducing the IO load on this system to avoid
this problem in the future.

Event Record #/Type177386 / Error
Event Submitted/Written: 04/23/2008 07:26:23 AM / 04/23/2008 07:26:24 AM
Event ID/Source: 12 / VolSnap
Event Description:
The shadow copy of volume C: became low on diff area space before it was properly installed.

Event Record #/Type177144 / Error
Event Submitted/Written: 04/22/2008 09:55:03 AM
Event ID/Source: 10016 / DCOM
Event Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user DEN\Daisy Leepson SID (S-1-5-21-1667049025-3889499756-1881231508-1009). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type177106 / Error
Event Submitted/Written: 04/22/2008 06:54:32 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service ntmssvc with arguments "-Service"
in order to run the server:
{D61A27C6-8F53-11D0-BFA0-00A024151983}



-- End of Deckard's System Scanner: finished at 2008-04-25 00:45:50 ------------

Edited by leeper, 25 April 2008 - 05:30 AM.




#2 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 April 2008 - 02:11 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Click Start -> Control Panel -> Add Remove Programs and uninstall these programs:

Internet Service Offers Launcher
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1



===============




Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 leeper
  • Topic Starter
  • Members
  • 10 posts

Posted 25 April 2008 - 07:28 PM

Sam - Thank you for your help!

I followed your instructions and here is the log:


ComboFix 08-04-24.1 - Jonathan Leepson 2008-04-25 19:45:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.555 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan Leepson\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jonathan Leepson\Desktop\Error Cleaner.url
C:\Documents and Settings\Jonathan Leepson\Desktop\Privacy Protector.url
C:\Documents and Settings\Jonathan Leepson\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Jonathan Leepson\Favorites\Error Cleaner.url
C:\Documents and Settings\Jonathan Leepson\Favorites\Privacy Protector.url
C:\Documents and Settings\Jonathan Leepson\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Nettie Leepson\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\cookies.ini
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\bstmchpx.dll
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\rqWFOqru.ini
C:\WINDOWS\system32\rqWFOqru.ini2
C:\WINDOWS\system32\urqOFWqr.dll
C:\WINDOWS\system32\xphcmtsb.ini
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-25 00:37 . 2008-04-25 00:37 <DIR> d-------- C:\Deckard
2008-04-24 23:03 . 2008-04-25 19:35 <DIR> d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\TmpRecentIcons
2008-04-24 22:24 . 2008-04-24 22:24 <DIR> d-------- C:\VundoFix Backups
2008-04-24 21:13 . 2008-04-24 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ghazynsp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 23:41 --------- d-----w C:\Program Files\Java
2008-04-25 04:45 --------- d-----w C:\Program Files\Trend Micro
2008-04-24 09:29 98,304 ----a-w C:\WINDOWS\olgdqarf.exe
2008-04-24 09:29 90,112 ----a-w C:\WINDOWS\wxvgsdbq.exe
2008-04-24 09:29 319,488 ----a-w C:\WINDOWS\wdpoefan.dll
2008-04-24 09:29 270,336 ----a-w C:\WINDOWS\qnmargolxgn.dll
2008-04-24 09:29 221,184 ----a-w C:\WINDOWS\vadokmxt.dll
2008-04-24 09:29 200,704 ----a-w C:\WINDOWS\dpevflbg.dll
2008-02-26 00:46 --------- d-----w C:\Documents and Settings\Jonathan Leepson\Application Data\Corel
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}]
2008-04-24 05:29 270336 --a------ C:\WINDOWS\qnmargolxgn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}]
2008-04-24 21:13 40448 --a------ C:\WINDOWS\system32\iiFvUkhE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B21EAD36-EC0C-4B82-B102-1AB20B481977}"= "C:\WINDOWS\dpevflbg.dll" [2008-04-24 05:29 200704]

[HKEY_CLASSES_ROOT\clsid\{b21ead36-ec0c-4b82-b102-1ab20b481977}]
[HKEY_CLASSES_ROOT\dpevflbg.1]
[HKEY_CLASSES_ROOT\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}]
[HKEY_CLASSES_ROOT\dpevflbg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@={95A27763-F62A-4114-9072-E81D87DE3B68}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@={01CCCC8C-1D50-4b13-B96D-4B922DD3128B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@={5E529433-B50E-4bef-A63B-16A6B71B071A}

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39 176201]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 09:13 68856]
"xxgmlwvt"="C:\WINDOWS\system32\avujcbqh.exe" [2008-04-24 21:13 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 16:39 7323648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 18:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:36 823362]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-16 04:59 1836544]
"BuildBU"="c:\dell\bldbubg.exe" [2006-11-28 04:43 61440]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-28 05:06 98304]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2006-06-30 15:43 446464]
"LogEnable"="1 (0x1)" []
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-01-19 10:01 587712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-28 05:01:47 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"= C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"= C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}"= C:\WINDOWS\system32\iiFvUkhE.dll [2008-04-24 21:13 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vadokmxt"= {DA364FAB-6412-4D5F-9731-77B846E8DBFE} - C:\WINDOWS\vadokmxt.dll [2008-04-24 05:29 221184]
"wdpoefan"= {F89A6AE1-4635-423E-B27A-9D2F1D541966} - C:\WINDOWS\wdpoefan.dll [2008-04-24 05:29 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiFvUkhE]
iiFvUkhE.dll 2008-04-24 21:13 40448 C:\WINDOWS\system32\iiFvUkhE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=

R2 HiWiredCore;HiWired Client Core Service;"C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe" [2007-11-10 00:06]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 19:54:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iiFvUkhE.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Desktop.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-04-25 20:04:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 00:04:42

Pre-Run: 225,326,919,680 bytes free
Post-Run: 225,998,606,336 bytes free

216 --- E O F --- 2008-04-11 12:58:59

#4 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 April 2008 - 02:26 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

Folder::
C:\VundoFix Backups
C:\Documents and Settings\All Users\Application Data\ghazynsp

File::
C:\WINDOWS\olgdqarf.exe
C:\WINDOWS\wxvgsdbq.exe
C:\WINDOWS\wdpoefan.dll
C:\WINDOWS\qnmargolxgn.dll
C:\WINDOWS\vadokmxt.dll
C:\WINDOWS\dpevflbg.dll
C:\WINDOWS\system32\avujcbqh.exe
C:\WINDOWS\system32\iiFvUkhE.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B21EAD36-EC0C-4B82-B102-1AB20B481977}"= -
[-HKEY_CLASSES_ROOT\clsid\{b21ead36-ec0c-4b82-b102-1ab20b481977}]
[-HKEY_CLASSES_ROOT\dpevflbg.1]
[-HKEY_CLASSES_ROOT\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}]
[-HKEY_CLASSES_ROOT\dpevflbg]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xxgmlwvt"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vadokmxt"=-
"wdpoefan"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiFvUkhE]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


==================



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
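The CFScript in the post above is assembled by hand from the ComboFix "Reg Loading Points" output, weighing three signals: a random-looking file name under C:\WINDOWS, a load point that legitimate software rarely uses (Winlogon\Notify, ShellServiceObjectDelayLoad, ShellExecuteHooks, policies\explorer\run, Browser Helper Objects), and a file written the day before the scan. The Python script below is an added example, not ComboFix's code and not part of this thread: it applies those signals to an excerpt of the log posted earlier and drafts the File:: and Registry:: sections in the same format; the 7-day window, the 8-to-11-letter name rule and the two-signal threshold are assumptions chosen for illustration.

```python
"""Triage ComboFix 'Reg Loading Points' output and draft a CFScript.

Added example, not ComboFix's code. It applies the three signals a helper
weighs by hand: a random-looking file name, a load point that legitimate
software rarely uses, and a file written shortly before the scan.
Thresholds below are assumptions for illustration, not ComboFix rules."""
import re
from datetime import date, timedelta

# Load points favoured by the infection in the logs above (key fragments).
HIGH_RISK_KEYS = (
    "winlogon\\notify",
    "shellserviceobjectdelayload",
    "shellexecutehooks",
    "policies\\explorer\\run",
    "browser helper objects",
)
# Basename made only of 8-11 letters, e.g. vadokmxt.dll or iiFvUkhE.dll.
RANDOM_BASENAME = re.compile(r"^[A-Za-z]{8,11}\.(?:dll|exe)$", re.I)
# A drive-letter path ending in .dll/.exe; quotes and brackets end it.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]\"]+?\.(?:dll|exe)", re.I)
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
VALUE_RE = re.compile(r'^"([^"]+)"=')
RECENT_DAYS = 7      # assumption: written within a week of the scan
FLAG_THRESHOLD = 2   # assumption: any two signals flag an entry
SCAN_DATE = date(2008, 4, 25)   # date of the ComboFix run posted above

# Excerpt of the log posted above; ctfmon and stsystra are legitimate controls.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}]
2008-04-24 05:29 270336 --a------ C:\WINDOWS\qnmargolxgn.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"xxgmlwvt"="C:\WINDOWS\system32\avujcbqh.exe" [2008-04-24 21:13 106496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 18:20 282624 C:\WINDOWS\stsystra.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"= C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vadokmxt"= {DA364FAB-6412-4D5F-9731-77B846E8DBFE} - C:\WINDOWS\vadokmxt.dll [2008-04-24 05:29 221184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiFvUkhE]
iiFvUkhE.dll 2008-04-24 21:13 40448 C:\WINDOWS\system32\iiFvUkhE.dll
"""


def parse_loading_points(text):
    """Yield (key, value_name, path, line) for every path-bearing line."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new registry key section begins
            continue
        m = PATH_RE.search(line)
        if key and m:
            vm = VALUE_RE.match(line)  # '"name"=' prefix, absent for BHO/Notify
            yield key, (vm.group(1) if vm else None), m.group(0), line


def score_entry(key, path, line, scan_date):
    """Return the reasons an entry looks suspicious (one per signal)."""
    reasons = []
    if RANDOM_BASENAME.match(path.rsplit("\\", 1)[-1]):
        reasons.append("random-looking file name")
    if any(k in key.lower() for k in HIGH_RISK_KEYS):
        reasons.append("load point rarely used by legitimate software")
    stamps = [date.fromisoformat(d) for d in DATE_RE.findall(line)]
    if stamps and scan_date - max(stamps) <= timedelta(days=RECENT_DAYS):
        reasons.append("written within %d days of the scan" % RECENT_DAYS)
    return reasons


def triage(text, scan_date):
    """Return flagged entries as (key, value_name, path, reasons)."""
    flagged = []
    for key, name, path, line in parse_loading_points(text):
        reasons = score_entry(key, path, line, scan_date)
        if len(reasons) >= FLAG_THRESHOLD:
            flagged.append((key, name, path, reasons))
    return flagged


def draft_cfscript(flagged):
    """Render File:: and Registry:: sections in the format used above:
    '"name"=-' under a legitimate key, [-KEY] for a key that is pure payload."""
    files, registry = [], []
    for key, name, path, _ in flagged:
        if path not in files:
            files.append(path)
        entry = '[%s]\n"%s"=-' % (key, name) if name else "[-%s]" % key
        if entry not in registry:
            registry.append(entry)
    return "File::\n%s\n\nRegistry::\n%s\n" % ("\n".join(files), "\n".join(registry))


if __name__ == "__main__":
    print(draft_cfscript(triage(SAMPLE_LOG, SCAN_DATE)))
```

The helper removed mlibkhqh.exe by listing its parent directory under Folder:: instead; the script emits it under File::, which is the narrower choice.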

#5 leeper
  • Topic Starter
  • Members
  • 10 posts

Posted 26 April 2008 - 06:37 AM

Hi, thanks. First, the ComboFix log:

ComboFix 08-04-24.1 - Jonathan Leepson 2008-04-26 7:12:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.651 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan Leepson\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jonathan Leepson\Desktop\Error Cleaner.url
C:\Documents and Settings\Jonathan Leepson\Desktop\Privacy Protector.url
C:\Documents and Settings\Jonathan Leepson\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Jonathan Leepson\Favorites\Error Cleaner.url
C:\Documents and Settings\Jonathan Leepson\Favorites\Privacy Protector.url
C:\Documents and Settings\Jonathan Leepson\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\system32\ajcvrqah.dll
C:\WINDOWS\system32\awtsqpPI.dll
C:\WINDOWS\system32\haqrvcja.ini
C:\WINDOWS\system32\IPpqstwa.ini
C:\WINDOWS\system32\IPpqstwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 07:01 . 2008-04-26 07:01 106,496 --a------ C:\WINDOWS\system32\obihyral.exe
2008-04-25 00:37 . 2008-04-25 00:37 <DIR> d-------- C:\Deckard
2008-04-24 23:03 . 2008-04-25 19:35 <DIR> d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\TmpRecentIcons
2008-04-24 22:24 . 2008-04-24 22:24 <DIR> d-------- C:\VundoFix Backups
2008-04-24 21:13 . 2008-04-26 07:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ghazynsp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 23:41 --------- d-----w C:\Program Files\Java
2008-04-25 04:45 --------- d-----w C:\Program Files\Trend Micro
2008-04-24 09:29 98,304 ----a-w C:\WINDOWS\olgdqarf.exe
2008-04-24 09:29 90,112 ----a-w C:\WINDOWS\wxvgsdbq.exe
2008-04-24 09:29 319,488 ----a-w C:\WINDOWS\wdpoefan.dll
2008-04-24 09:29 270,336 ----a-w C:\WINDOWS\qnmargolxgn.dll
2008-04-24 09:29 221,184 ----a-w C:\WINDOWS\vadokmxt.dll
2008-04-24 09:29 200,704 ----a-w C:\WINDOWS\dpevflbg.dll
2008-02-26 00:46 --------- d-----w C:\Documents and Settings\Jonathan Leepson\Application Data\Corel
.

((((((((((((((((((((((((((((( snapshot@2008-04-25_20.04.33.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 23:53:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 11:16:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}]
2008-04-24 05:29 270336 --a------ C:\WINDOWS\qnmargolxgn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}]
2008-04-24 21:13 40448 --a------ C:\WINDOWS\system32\iiFvUkhE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B21EAD36-EC0C-4B82-B102-1AB20B481977}"= "C:\WINDOWS\dpevflbg.dll" [2008-04-24 05:29 200704]

[HKEY_CLASSES_ROOT\clsid\{b21ead36-ec0c-4b82-b102-1ab20b481977}]
[HKEY_CLASSES_ROOT\dpevflbg.1]
[HKEY_CLASSES_ROOT\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}]
[HKEY_CLASSES_ROOT\dpevflbg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@={95A27763-F62A-4114-9072-E81D87DE3B68}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@={01CCCC8C-1D50-4b13-B96D-4B922DD3128B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@={5E529433-B50E-4bef-A63B-16A6B71B071A}

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39 176201]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 09:13 68856]
"xxgmlwvt"="C:\WINDOWS\system32\avujcbqh.exe" [2008-04-24 21:13 106496]
"unpcnpvi"="C:\WINDOWS\system32\obihyral.exe" [2008-04-26 07:01 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 16:39 7323648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 18:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:36 823362]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-16 04:59 1836544]
"BuildBU"="c:\dell\bldbubg.exe" [2006-11-28 04:43 61440]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-28 05:06 98304]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2006-06-30 15:43 446464]
"LogEnable"="1 (0x1)" []
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-01-19 10:01 587712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-28 05:01:47 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"= C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"= C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}"= C:\WINDOWS\system32\iiFvUkhE.dll [2008-04-24 21:13 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vadokmxt"= {DA364FAB-6412-4D5F-9731-77B846E8DBFE} - C:\WINDOWS\vadokmxt.dll [2008-04-24 05:29 221184]
"wdpoefan"= {F89A6AE1-4635-423E-B27A-9D2F1D541966} - C:\WINDOWS\wdpoefan.dll [2008-04-24 05:29 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiFvUkhE]
iiFvUkhE.dll 2008-04-24 21:13 40448 C:\WINDOWS\system32\iiFvUkhE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=

R2 HiWiredCore;HiWired Client Core Service;"C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe" [2007-11-10 00:06]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 07:19:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iiFvUkhE.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Desktop.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-04-26 7:28:35 - machine was rebooted [Jonathan Leepson]
ComboFix-quarantined-files.txt 2008-04-26 11:28:30
ComboFix2.txt 2008-04-26 00:04:46

Pre-Run: 226,259,390,464 bytes free
Post-Run: 226,245,472,256 bytes free

194 --- E O F --- 2008-04-11 12:58:59


Now, the HijackThis log:


Deckard's System Scanner v20071014.68
Run by Jonathan Leepson on 2008-04-26 07:34:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jonathan Leepson.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:09 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Desktop.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\avujcbqh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jonathan Leepson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JONATH~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: DVA Gate - {7A6FD945-14B0-41F8-84FB-74DEF17528BB} - C:\WINDOWS\qnmargolxgn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINDOWS\system32\iiFvUkhE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: dpevflbg - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - C:\WINDOWS\dpevflbg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [LogEnable] 
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [xxgmlwvt] C:\WINDOWS\system32\avujcbqh.exe
O4 - HKCU\..\Run: [unpcnpvi] C:\WINDOWS\system32\obihyral.exe
O4 - HKLM\..\Policies\Explorer\Run: [Fgco0YG89s] C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe
O4 - HKCU\..\Policies\Explorer\Run: [Fgco0YG89s] C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.secure.hiwired.com (HKLM)
O15 - ESC Trusted Zone: *.secure.hiwired.com (HKLM)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: iiFvUkhE - C:\WINDOWS\SYSTEM32\iiFvUkhE.dll
O21 - SSODL: vadokmxt - {DA364FAB-6412-4D5F-9731-77B846E8DBFE} - C:\WINDOWS\vadokmxt.dll
O21 - SSODL: wdpoefan - {F89A6AE1-4635-423E-B27A-9D2F1D541966} - C:\WINDOWS\wdpoefan.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HiWired Client Core Service (HiWiredCore) - HiWired Inc. - C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PatchLink Update - HiWired - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 10000 bytes

-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 07:01:51 106496 --a------ C:\WINDOWS\system32\obihyral.exe
2008-04-25 19:44:16 68096 --a------ C:\WINDOWS\zip.exe
2008-04-25 19:44:16 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-25 19:44:16 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-25 19:44:16 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-25 19:44:16 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-25 19:44:16 98816 --a------ C:\WINDOWS\sed.exe
2008-04-25 19:44:16 80412 --a------ C:\WINDOWS\grep.exe
2008-04-25 19:44:16 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 23:03:00 0 d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\TmpRecentIcons
2008-04-24 22:24:10 0 d-------- C:\VundoFix Backups
2008-04-24 21:13:48 40448 --a------ C:\WINDOWS\system32\khffCSjK.dll
2008-04-24 21:13:48 40448 --a------ C:\WINDOWS\system32\iiFvUkhE.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\winsystem.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\winlogonpc.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\vcatchpi.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\thun32.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\thun.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\temp#01.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\taack.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\taack.dat
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\ssvchost.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\ssvchost.com
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\ssurf022.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\sncntr.exe
2008-04-24 21:13:38 0 d-------- C:\WINDOWS\system32\smp
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\Rundl1.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\regm64.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\regc64.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\psoft1.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\psof1.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\ps1.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\newsd32.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\netode.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\mwin32.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\mtr2.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\msvchost.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\msnbho.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\msgp.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\medup020.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\medup012.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.dat
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\hoproxy.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\h@tkeysh@@k.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\dpcproxy.exe
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\anticipator.dll
2008-04-24 21:13:38 4096 --a------ C:\WINDOWS\system32\akttzn.exe
2008-04-24 21:13:37 4096 --a------ C:\WINDOWS\system32\WINWGPX.EXE
2008-04-24 21:13:37 4096 --a------ C:\WINDOWS\system32\vbsys2.dll
2008-04-24 21:13:37 4096 --a------ C:\WINDOWS\system32\sysreq.exe
2008-04-24 21:13:37 4096 --a------ C:\WINDOWS\system32\mssecu.exe
2008-04-24 21:13:37 4096 --a------ C:\WINDOWS\system32\bdn.com
2008-04-24 21:13:37 4096 --a------ C:\WINDOWS\system32\awtoolb.dll
2008-04-24 21:13:35 90112 --a------ C:\WINDOWS\wxvgsdbq.exe
2008-04-24 21:13:35 319488 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-24 21:13:35 221184 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-24 21:13:35 270336 --a------ C:\WINDOWS\qnmargolxgn.dll
2008-04-24 21:13:35 98304 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-24 21:13:35 200704 --a------ C:\WINDOWS\dpevflbg.dll
2008-04-24 21:13:32 106496 --a------ C:\WINDOWS\system32\avujcbqh.exe
2008-04-24 21:13:32 0 d-------- C:\Documents and Settings\All Users\Application Data\ghazynsp


-- Find3M Report ---------------------------------------------------------------

2008-04-25 19:41:23 0 d-------- C:\Program Files\Java
2008-04-25 19:41:23 0 d-------- C:\Program Files\Common Files
2008-04-25 00:45:08 0 d-------- C:\Program Files\Trend Micro
2008-02-25 20:46:18 3764 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-25 20:45:53 88 -r-hs---- C:\WINDOWS\system32\F7B8629B68.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}]
04/24/2008 05:29 AM 270336 --a------ C:\WINDOWS\qnmargolxgn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}]
04/24/2008 09:13 PM 40448 --a------ C:\WINDOWS\system32\iiFvUkhE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 03:01 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/16/2006 04:39 PM]
"SigmatelSysTrayApp"="stsystra.exe" [07/24/2006 06:20 PM C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [07/06/2006 08:15 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 04:12 AM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 05:36 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 06:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 05:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 05:50 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07/16/2007 04:59 AM]
"BuildBU"="c:\dell\bldbubg.exe" [11/28/2006 04:43 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/28/2006 05:06 AM]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [06/30/2006 03:43 PM]
"LogEnable"="1 (0x1)" []
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [01/19/2008 10:01 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 08:39 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/27/2007 09:13 AM]
"xxgmlwvt"="C:\WINDOWS\system32\avujcbqh.exe" [04/24/2008 09:13 PM]
"unpcnpvi"="C:\WINDOWS\system32\obihyral.exe" [04/26/2008 07:01 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/28/2006 5:01:47 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/12/2005 1:49:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Fgco0YG89s"=C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"Fgco0YG89s"=C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}"= C:\WINDOWS\system32\iiFvUkhE.dll [04/24/2008 09:13 PM 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vadokmxt"= {DA364FAB-6412-4D5F-9731-77B846E8DBFE} - C:\WINDOWS\vadokmxt.dll [04/24/2008 05:29 AM 221184]
"wdpoefan"= {F89A6AE1-4635-423E-B27A-9D2F1D541966} - C:\WINDOWS\wdpoefan.dll [04/24/2008 05:29 AM 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiFvUkhE]
iiFvUkhE.dll 04/24/2008 09:13 PM 40448 C:\WINDOWS\system32\iiFvUkhE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-26 07:34:24 ------------

Thanks.

#6 leeper

  • Topic Starter
  • Members
  • 10 posts

Posted 26 April 2008 - 07:35 AM

And, the log from the anti-spyware package


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2008 at 08:18 AM

Application Version : 4.0.1154

Core Rules Database Version : 3448
Trace Rules Database Version: 1440

Scan type : Complete Scan
Total Scan Time : 00:35:22

Memory items scanned : 523
Memory threats detected : 6
Registry items scanned : 5689
Registry threats detected : 41
File items scanned : 70939
File threats detected : 326

Trojan.Vundo-Variant/F
C:\WINDOWS\SYSTEM32\IIFVUKHE.DLL
C:\WINDOWS\SYSTEM32\IIFVUKHE.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\iiFvUkhE
C:\WINDOWS\SYSTEM32\KHFFCSJK.DLL

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\GSXCMAIM.DLL
C:\WINDOWS\SYSTEM32\GSXCMAIM.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP462\A0168862.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP464\A0169971.DLL

Trojan.Unclassified/Multi-Dropper
C:\WINDOWS\SYSTEM32\AVUJCBQH.EXE
C:\WINDOWS\SYSTEM32\AVUJCBQH.EXE
[xxgmlwvt] C:\WINDOWS\SYSTEM32\AVUJCBQH.EXE
[unpcnpvi] C:\WINDOWS\SYSTEM32\OBIHYRAL.EXE
C:\WINDOWS\SYSTEM32\OBIHYRAL.EXE
C:\WINDOWS\Prefetch\AVUJCBQH.EXE-2552E710.pf
C:\WINDOWS\Prefetch\OBIHYRAL.EXE-259C4078.pf

Adware.Vundo-Variant/J
C:\WINDOWS\VADOKMXT.DLL
C:\WINDOWS\VADOKMXT.DLL
C:\WINDOWS\WDPOEFAN.DLL
C:\WINDOWS\WDPOEFAN.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\GEBQKDDW.DLL
C:\WINDOWS\SYSTEM32\GEBQKDDW.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}
HKCR\CLSID\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}
HKCR\CLSID\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}
HKCR\CLSID\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}\InprocServer32
HKCR\CLSID\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}\InprocServer32#ThreadingModel
HKCR\CLSID\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}\ProgID
HKCR\CLSID\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}\Programmable
HKCR\CLSID\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}\TypeLib
HKCR\CLSID\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}\VersionIndependentProgID
C:\WINDOWS\QNMARGOLXGN.DLL
HKLM\Software\Classes\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
HKCR\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
HKCR\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}\InprocServer32
HKCR\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
HKCR\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}

Adware.Vundo-Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F0DE9B0-CE7D-417F-95AA-CF29418A0615}
HKCR\CLSID\{4F0DE9B0-CE7D-417F-95AA-CF29418A0615}
HKCR\CLSID\{4F0DE9B0-CE7D-417F-95AA-CF29418A0615}\InprocServer32
HKCR\CLSID\{4F0DE9B0-CE7D-417F-95AA-CF29418A0615}\InprocServer32#ThreadingModel

Trojan.Unclassified/GTS
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{B21EAD36-EC0C-4B82-B102-1AB20B481977}
HKCR\CLSID\{B21EAD36-EC0C-4B82-B102-1AB20B481977}
HKCR\CLSID\{B21EAD36-EC0C-4B82-B102-1AB20B481977}
HKCR\CLSID\{B21EAD36-EC0C-4B82-B102-1AB20B481977}\InprocServer32
HKCR\CLSID\{B21EAD36-EC0C-4B82-B102-1AB20B481977}\InprocServer32#ThreadingModel
HKCR\CLSID\{B21EAD36-EC0C-4B82-B102-1AB20B481977}\ProgID
HKCR\CLSID\{B21EAD36-EC0C-4B82-B102-1AB20B481977}\Programmable
HKCR\CLSID\{B21EAD36-EC0C-4B82-B102-1AB20B481977}\TypeLib
HKCR\CLSID\{B21EAD36-EC0C-4B82-B102-1AB20B481977}\VersionIndependentProgID
HKCR\dpevflbg.1
HKCR\dpevflbg
HKCR\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}
HKCR\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}\1.0
HKCR\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}\1.0\0
HKCR\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}\1.0\0\win32
HKCR\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}\1.0\FLAGS
HKCR\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}\1.0\HELPDIR
C:\WINDOWS\DPEVFLBG.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@e-2dj6wjkyunc5ifo.stats.esomniture[2].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@e-2dj6wjkycgczwlp.stats.esomniture[1].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@antispywaremaster[1].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@azjmp[2].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@iacas.adbureau[1].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@zipzoomfly.122.2o7[1].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@e-2dj6wdkysodzmdq.stats.esomniture[2].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@www.vermontcountrystore[1].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@healthgrades.112.2o7[1].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@secure.systemerrorfixer[1].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@e-2dj6wbloslczecp.stats.esomniture[2].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@reunion.adbureau[1].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@sales.liveperson[6].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@ad.yieldmanager[2].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@adinterax[1].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@advertising[1].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@atdmt[2].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@c5.zedo[1].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@doubleclick[1].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@hitbox[2].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@media.adrevolver[1].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@msnportal.112.2o7[1].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@questionmarket[1].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@statcounter[2].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@statse.webtrendslive[2].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@statse.webtrendslive[3].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@tracker.pegsanalytics[1].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@tracker.pegsanalytics[2].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@www.caretracker[1].txt
C:\Documents and Settings\Daisy Leepson\Cookies\daisy_leepson@zedo[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@accounts[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@account[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@adbrite[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@adopt.euroclick[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@ads.belointeractive[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@ads.cnn[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@adv.medscape[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@adv.webmd[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@atdmt[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@bizrate[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@bluestreak[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@bravenet[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@bs.serving-sys[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@clickability[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@cnn.122.2o7[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@e-2dj6wgmycic5cap.stats.esomniture[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@e-2dj6wjk4gjdjsfo.stats.esomniture[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@e-2dj6wjnysidzwgo.stats.esomniture[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@edge.ru4[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@geosign.112.2o7[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@media.hotels[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@mercury.bravenet[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@overture[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@serving-sys[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@statcounter[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@trafficmp[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet lefkowitz@twci.coremetrics[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@2o7[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@ad.yieldmanager[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@adinterax[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@adopt.specificclick[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@ads.as4x.tmcs[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@ads.pointroll[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@ads.revsci[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@adserver.matchcraft[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@adtech[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@advertising[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@apmebf[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@atwola[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@casalemedia[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@data.coremetrics[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@doubleclick[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@e-2dj6wgkiapczcbo.stats.esomniture[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@e-2dj6wjl4kjcjshp.stats.esomniture[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@e-2dj6wjl4slcjcko.stats.esomniture[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@e-2dj6wjmyghcjibq.stats.esomniture[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@ehg-rodale.hitbox[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@ehg-tigerdirect2.hitbox[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@fastclick[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@focusin.ads.targetnet[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@hertzfurniture.112.2o7[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@hitbox[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@imrworldwide[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@insightexpressai[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@media.adrevolver[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@mediaplex[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@networksolutions.112.2o7[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@nextag[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@perf.overture[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@precisionclick[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@questionmarket[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@revsci[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@richmedia.yahoo[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@rotator.adjuggler[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@sales.liveperson[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@sales.liveperson[3].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@server.iad.liveperson[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@server.iad.liveperson[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@shopping.112.2o7[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@specificclick[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@stat.dealtime[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@statse.webtrendslive[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@tacoda[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@targetnet[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@tribalfusion[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@trifind[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@www.addfreestats[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@www.burstnet[1].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@www.caretracker[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@www.googleadservices[2].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@www.googleadservices[3].txt
C:\Documents and Settings\Janet Lefkowitz\Cookies\janet_lefkowitz@zedo[2].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@statse.webtrendslive[1].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@statse.webtrendslive[2].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@statse.webtrendslive[3].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@statse.webtrendslive[4].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@statse.webtrendslive[5].txt
C:\Documents and Settings\Jonathan Leepson\Cookies\jonathan_leepson@statse.webtrendslive[6].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@2o7[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@adrevolver[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@adrevolver[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@ads.as4x.tmcs[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@adserver[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@adv.webmd[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@anad.tacoda[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@atdmt[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@atwola[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@doubleclick[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@maxserving[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@nextag[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@overture[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@statse.webtrendslive[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@tacoda[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie leepson@www.burstbeacon[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@112.2o7[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@ad.yieldmanager[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@adinterax[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@adopt.euroclick[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@ads.belointeractive[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@ads.pointroll[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@advertising[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@bs.serving-sys[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@fastclick[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@imrworldwide[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@insightexpressai[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@insightfirst[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@media6degrees[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@mediaplex[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@monstersandcritics.advertserve[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@partner2profit[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@prospect.adbureau[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@questionmarket[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@realmedia[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@revsci[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@serving-sys[2].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@statcounter[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@trafficmp[1].txt
C:\Documents and Settings\Nettie Leepson\Cookies\nettie_leepson@zedo[1].txt

Trojan.Unknown Origin
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\smp

Trojan.Unclassified/Multi-Dropper (Packed)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\GHAZYNSP\MLIBKHQH.EXE.BAK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP463\A0168936.EXE

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

Trojan.Downloader-Gen/Win
C:\WINDOWS\OLGDQARF.EXE
C:\WINDOWS\WXVGSDBQ.EXE

Trojan.Fake-Drop/Gen
C:\WINDOWS\SYSTEM32\AKTTZN.EXE
C:\WINDOWS\SYSTEM32\ANTICIPATOR.DLL
C:\WINDOWS\SYSTEM32\AWTOOLB.DLL
C:\WINDOWS\SYSTEM32\BDN.COM
C:\WINDOWS\SYSTEM32\H@TKEYSH@@K.DLL
C:\WINDOWS\SYSTEM32\HOPROXY.DLL
C:\WINDOWS\SYSTEM32\HXIWLGPM.DAT
C:\WINDOWS\SYSTEM32\HXIWLGPM.EXE
C:\WINDOWS\SYSTEM32\MEDUP012.DLL
C:\WINDOWS\SYSTEM32\MEDUP020.DLL
C:\WINDOWS\SYSTEM32\MSGP.EXE
C:\WINDOWS\SYSTEM32\MSNBHO.DLL
C:\WINDOWS\SYSTEM32\MSSECU.EXE
C:\WINDOWS\SYSTEM32\MSVCHOST.EXE
C:\WINDOWS\SYSTEM32\MTR2.EXE
C:\WINDOWS\SYSTEM32\MWIN32.EXE
C:\WINDOWS\SYSTEM32\NETODE.EXE
C:\WINDOWS\SYSTEM32\NEWSD32.EXE
C:\WINDOWS\SYSTEM32\PS1.EXE
C:\WINDOWS\SYSTEM32\REGC64.DLL
C:\WINDOWS\SYSTEM32\REGM64.DLL
C:\WINDOWS\SYSTEM32\RUNDL1.EXE
C:\WINDOWS\SYSTEM32\SSURF022.DLL
C:\WINDOWS\SYSTEM32\SSVCHOST.COM
C:\WINDOWS\SYSTEM32\SSVCHOST.EXE
C:\WINDOWS\SYSTEM32\SYSREQ.EXE
C:\WINDOWS\SYSTEM32\TAACK.DAT
C:\WINDOWS\SYSTEM32\TAACK.EXE
C:\WINDOWS\SYSTEM32\TEMP#01.EXE
C:\WINDOWS\SYSTEM32\THUN.DLL
C:\WINDOWS\SYSTEM32\THUN32.DLL
C:\WINDOWS\SYSTEM32\VBIEWER.OCX
C:\WINDOWS\SYSTEM32\VBSYS2.DLL
C:\WINDOWS\SYSTEM32\VCATCHPI.DLL
C:\WINDOWS\SYSTEM32\WINLOGONPC.EXE
C:\WINDOWS\SYSTEM32\WINSYSTEM.EXE
C:\WINDOWS\SYSTEM32\WINWGPX.EXE

Dpcproxy
C:\WINDOWS\SYSTEM32\DPCPROXY.EXE

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\PSOF1.EXE

Adware.Pacer D
C:\WINDOWS\SYSTEM32\PSOFT1.EXE

Trojan.Dluca-I
C:\WINDOWS\SYSTEM32\SNCNTR.EXE

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 April 2008 - 09:17 AM

The Combofix script did not go through for some reason.
Please post a new log from Combofix and we'll see what's left.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 leeper

leeper
  • Topic Starter

  • Members
  • 10 posts

Posted 26 April 2008 - 09:46 AM

Hi,

One item - upon boot up I get the following message:

ERROR LOADING: C:\WINDOWS\system32\gscxmaim.dll
The specified module could not be found


And, here is the combofix log per your request:

ComboFix 08-04-24.1 - Jonathan Leepson 2008-04-26 10:27:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan Leepson\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\miamcxsg.ini
C:\WINDOWS\system32\wDdKQBeg.ini
C:\WINDOWS\system32\wDdKQBeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 07:40 . 2008-04-26 07:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 07:40 . 2008-04-26 07:40 <DIR> d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\SUPERAntiSpyware.com
2008-04-26 07:40 . 2008-04-26 07:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-26 07:39 . 2008-04-26 07:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 00:37 . 2008-04-25 00:37 <DIR> d-------- C:\Deckard
2008-04-24 23:03 . 2008-04-25 19:35 <DIR> d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\TmpRecentIcons
2008-04-24 22:24 . 2008-04-24 22:24 <DIR> d-------- C:\VundoFix Backups
2008-04-24 21:13 . 2008-04-26 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ghazynsp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 23:41 --------- d-----w C:\Program Files\Java
2008-04-25 04:45 --------- d-----w C:\Program Files\Trend Micro
2008-02-26 00:46 --------- d-----w C:\Documents and Settings\Jonathan Leepson\Application Data\Corel
.

((((((((((((((((((((((((((((( snapshot@2008-04-25_20.04.33.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 23:53:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 14:30:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 11:40:04 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-04-26 11:40:04 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08}]
C:\WINDOWS\system32\geBQKdDw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@={95A27763-F62A-4114-9072-E81D87DE3B68}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@={01CCCC8C-1D50-4b13-B96D-4B922DD3128B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@={5E529433-B50E-4bef-A63B-16A6B71B071A}

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39 176201]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 09:13 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 16:39 7323648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 18:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:36 823362]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-16 04:59 1836544]
"BuildBU"="c:\dell\bldbubg.exe" [2006-11-28 04:43 61440]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-28 05:06 98304]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2006-06-30 15:43 446464]
"LogEnable"="1 (0x1)" []
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-01-19 10:01 587712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"c8eeee02"="C:\WINDOWS\system32\gsxcmaim.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-28 05:01:47 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"= C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"= C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vadokmxt"= {DA364FAB-6412-4D5F-9731-77B846E8DBFE} - C:\WINDOWS\vadokmxt.dll [ ]
"wdpoefan"= {F89A6AE1-4635-423E-B27A-9D2F1D541966} - C:\WINDOWS\wdpoefan.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=

R2 HiWiredCore;HiWired Client Core Service;"C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe" [2007-11-10 00:06]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 10:31:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Desktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-04-26 10:40:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 14:40:46
ComboFix2.txt 2008-04-26 11:28:35
ComboFix3.txt 2008-04-26 00:04:46

Pre-Run: 226,074,951,680 bytes free
Post-Run: 226,063,290,368 bytes free

178 --- E O F --- 2008-04-11 12:58:59

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 April 2008 - 09:51 AM

Ok, let's try this again. Let me know if you have problems with these steps.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Folder::
C:\VundoFix Backups
C:\Documents and Settings\All Users\Application Data\ghazynsp

File::
C:\WINDOWS\olgdqarf.exe
C:\WINDOWS\wxvgsdbq.exe
C:\WINDOWS\wdpoefan.dll
C:\WINDOWS\qnmargolxgn.dll
C:\WINDOWS\vadokmxt.dll
C:\WINDOWS\dpevflbg.dll
C:\WINDOWS\system32\avujcbqh.exe
C:\WINDOWS\system32\iiFvUkhE.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A6FD945-14B0-41F8-84FB-74DEF17528BB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B21EAD36-EC0C-4B82-B102-1AB20B481977}"= -
[-HKEY_CLASSES_ROOT\clsid\{b21ead36-ec0c-4b82-b102-1ab20b481977}]
[-HKEY_CLASSES_ROOT\dpevflbg.1]
[-HKEY_CLASSES_ROOT\TypeLib\{DC33216E-1322-437E-9D55-2DD312F190C2}]
[-HKEY_CLASSES_ROOT\dpevflbg]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xxgmlwvt"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vadokmxt"=-
"wdpoefan"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiFvUkhE]

Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

(image: the CFScript file being dragged onto ComboFix.exe)

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 leeper

  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:15 PM

Posted 26 April 2008 - 10:02 AM

OK,

Here is the combofix log:

ComboFix 08-04-24.1 - Jonathan Leepson 2008-04-26 10:27:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT -4:00]
Running from: C:\Documents and Settings\Jonathan Leepson\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\miamcxsg.ini
C:\WINDOWS\system32\wDdKQBeg.ini
C:\WINDOWS\system32\wDdKQBeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 07:40 . 2008-04-26 07:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 07:40 . 2008-04-26 07:40 <DIR> d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\SUPERAntiSpyware.com
2008-04-26 07:40 . 2008-04-26 07:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-26 07:39 . 2008-04-26 07:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 00:37 . 2008-04-25 00:37 <DIR> d-------- C:\Deckard
2008-04-24 23:03 . 2008-04-25 19:35 <DIR> d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\TmpRecentIcons
2008-04-24 22:24 . 2008-04-24 22:24 <DIR> d-------- C:\VundoFix Backups
2008-04-24 21:13 . 2008-04-26 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ghazynsp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 23:41 --------- d-----w C:\Program Files\Java
2008-04-25 04:45 --------- d-----w C:\Program Files\Trend Micro
2008-02-26 00:46 --------- d-----w C:\Documents and Settings\Jonathan Leepson\Application Data\Corel
.

((((((((((((((((((((((((((((( snapshot@2008-04-25_20.04.33.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 23:53:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 14:30:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 11:40:04 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-04-26 11:40:04 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08}]
C:\WINDOWS\system32\geBQKdDw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@={E300CD91-100F-4E67-9AF3-1384A6124015}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@={95A27763-F62A-4114-9072-E81D87DE3B68}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@={01CCCC8C-1D50-4b13-B96D-4B922DD3128B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@={5E529433-B50E-4bef-A63B-16A6B71B071A}

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-01-19 10:01 483264 -ra------ C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39 176201]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 09:13 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 16:39 7323648]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 18:20 282624 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 17:36 823362]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-16 04:59 1836544]
"BuildBU"="c:\dell\bldbubg.exe" [2006-11-28 04:43 61440]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-28 05:06 98304]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [2006-06-30 15:43 446464]
"LogEnable"="1 (0x1)" []
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-01-19 10:01 587712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"c8eeee02"="C:\WINDOWS\system32\gsxcmaim.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 17:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-28 05:01:47 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"= C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Fgco0YG89s"= C:\Documents and Settings\All Users\Application Data\ghazynsp\mlibkhqh.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vadokmxt"= {DA364FAB-6412-4D5F-9731-77B846E8DBFE} - C:\WINDOWS\vadokmxt.dll [ ]
"wdpoefan"= {F89A6AE1-4635-423E-B27A-9D2F1D541966} - C:\WINDOWS\wdpoefan.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=

R2 HiWiredCore;HiWired Client Core Service;"C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe" [2007-11-10 00:06]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 10:31:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Desktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-04-26 10:40:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 14:40:46
ComboFix2.txt 2008-04-26 11:28:35
ComboFix3.txt 2008-04-26 00:04:46

Pre-Run: 226,074,951,680 bytes free
Post-Run: 226,063,290,368 bytes free

178 --- E O F --- 2008-04-11 12:58:59

And the HijackThis log:

Deckard's System Scanner v20071014.68
Run by Jonathan Leepson on 2008-04-26 11:01:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jonathan Leepson.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:29 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Desktop.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jonathan Leepson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JONATH~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A8DF1DA-5433-4E5B-B416-C2A273E6CD08} - C:\WINDOWS\system32\geBQKdDw.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [LogEnable] 
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [c8eeee02] rundll32.exe "C:\WINDOWS\system32\gsxcmaim.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.secure.hiwired.com (HKLM)
O15 - ESC Trusted Zone: *.secure.hiwired.com (HKLM)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HiWired Client Core Service (HiWiredCore) - HiWired Inc. - C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PatchLink Update - HiWired - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9551 bytes

-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 10:55:05 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-26 07:40:11 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-26 07:40:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 07:40:01 0 d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\SUPERAntiSpyware.com
2008-04-26 07:39:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 19:44:16 68096 --a------ C:\WINDOWS\zip.exe
2008-04-25 19:44:16 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-25 19:44:16 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-25 19:44:16 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-25 19:44:16 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-25 19:44:16 98816 --a------ C:\WINDOWS\sed.exe
2008-04-25 19:44:16 80412 --a------ C:\WINDOWS\grep.exe
2008-04-25 19:44:16 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 23:03:00 0 d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\TmpRecentIcons


-- Find3M Report ---------------------------------------------------------------

2008-04-26 07:39:26 0 d-------- C:\Program Files\Common Files
2008-04-25 19:41:23 0 d-------- C:\Program Files\Java
2008-04-25 00:45:08 0 d-------- C:\Program Files\Trend Micro
2008-02-25 20:46:18 3764 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-25 20:45:53 88 -r-hs---- C:\WINDOWS\system32\F7B8629B68.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08}]
C:\WINDOWS\system32\geBQKdDw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 03:01 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/16/2006 04:39 PM]
"SigmatelSysTrayApp"="stsystra.exe" [07/24/2006 06:20 PM C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [07/06/2006 08:15 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 04:12 AM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 05:36 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 06:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 05:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 05:50 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07/16/2007 04:59 AM]
"BuildBU"="c:\dell\bldbubg.exe" [11/28/2006 04:43 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/28/2006 05:06 AM]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [06/30/2006 03:43 PM]
"LogEnable"="1 (0x1)" []
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [01/19/2008 10:01 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"c8eeee02"="C:\WINDOWS\system32\gsxcmaim.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 08:39 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/27/2007 09:13 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/28/2006 5:01:47 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/12/2005 1:49:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-26 11:01:46 ------------


Thanks.
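One way to do a first-pass triage of a HijackThis log like the one above, as an added example that is not part of this thread, of HijackThis, or of any BleepingComputer tool: a small Python script that applies the same kinds of checks a helper applies by eye when reading O2/O4 entries (a BHO registered with no name, an entry whose file is already missing, a Run value named with eight hex digits, an eight-letter DLL loaded through rundll32 or as a BHO from the Windows directory). The rules, the `Finding` type and the function names `triage_line` and `triage_log` are my own assumptions; the sample lines are copied from the log posted above, with the two entries the helpers singled out among benign ones. The heuristics only surface candidates for a human reviewer; they do not decide anything on their own.

```python
"""First-pass triage of HijackThis-style log lines.

Added example; not code from this thread, from HijackThis, or from any
BleepingComputer tool.  The rules below are assumptions about what a helper
checks by eye when reading an O2/O4 entry; they flag candidates for a human
reviewer and never decide anything on their own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: O2/O4/O20 lines copied from the HijackThis log posted in this
# thread (two known-bad entries among benign ones).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A8DF1DA-5433-4E5B-B416-C2A273E6CD08} - C:\WINDOWS\system32\geBQKdDw.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [c8eeee02] rundll32.exe "C:\WINDOWS\system32\gsxcmaim.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")            # "O4 - <detail>"
RUN_ENTRY = re.compile(r"Run: \[([^\]]*)\] ?(.*)$")  # "[name] command"
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")               # e.g. c8eeee02
# A DLL whose base name is exactly eight letters, sitting directly under
# C:\WINDOWS or C:\WINDOWS\system32.  Weak on its own (legitimate files can
# match too), so it is only applied to BHOs and rundll32 launches.
RANDOM_DLL = re.compile(r"\\WINDOWS\\(?:system32\\)?([A-Za-z]{8})\.dll\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list[str]


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) this single log line deserves a look."""
    reasons: list[str] = []
    m = HJT_LINE.match(line.strip())
    if not m:
        return reasons
    section, detail = m.groups()

    if "(file missing)" in detail:
        reasons.append("references a file that is no longer on disk (orphaned autostart)")

    if section == "O2":
        if detail.startswith("BHO: (no name)"):
            reasons.append("browser helper object registered without a name")
        d = RANDOM_DLL.search(detail)
        if d:
            reasons.append(f"BHO loads an eight-letter DLL ({d.group(1)}.dll) from the Windows directory")

    elif section == "O4":
        r = RUN_ENTRY.search(detail)
        if r:
            name, command = r.groups()
            if HEX_NAME.match(name):
                reasons.append(f"Run value name {name!r} is eight hex digits, typical of generated names")
            if "rundll32" in command.lower():
                d = RANDOM_DLL.search(command)
                if d:
                    reasons.append(f"rundll32 loads an eight-letter DLL ({d.group(1)}.dll) from the Windows directory")
    return reasons


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line and keep only the lines with findings."""
    findings = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for why in f.reasons:
            print("   ->", why)
```

Run against the sample, the script reports exactly the two entries the helper targeted (the nameless, already-missing BHO and the `c8eeee02` rundll32 entry) and stays quiet on the Adobe, NVIDIA, ctfmon and SUPERAntiSpyware lines. Anything it flags still has to be confirmed by looking at the file's publisher, age and hash, which is why the thread's helpers ask for fresh logs after every step rather than trusting a single pass.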

#11 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:15 PM

Posted 26 April 2008 - 11:31 AM

Again, it's not correct. Let's go another route.



Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\VundoFix Backups
    C:\Documents and Settings\All Users\Application Data\ghazynsp
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | c8eeee02
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run | Fgco0YG89s
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run | Fgco0YG89s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | vadokmxt
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | wdpoefan
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.


Also post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 leeper (Topic Starter)

Posted 26 April 2008 - 01:55 PM

OK - here is the log from moveit

File/Folder C:\VundoFix Backups not found.
File/Folder C:\Documents and Settings\All Users\Application Data\ghazynsp not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | c8eeee02 >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | c8eeee02\\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run | Fgco0YG89s >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run | Fgco0YG89s\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run | Fgco0YG89s >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run | Fgco0YG89s\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | vadokmxt >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | vadokmxt\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | wdpoefan >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | wdpoefan\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04262008_145152


And, the DSS log

Deckard's System Scanner v20071014.68
Run by Jonathan Leepson on 2008-04-26 14:53:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jonathan Leepson.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:49 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\PatchLink\Update Agent\Dagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Desktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Jonathan Leepson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JONATH~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A8DF1DA-5433-4E5B-B416-C2A273E6CD08} - C:\WINDOWS\system32\geBQKdDw.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [LogEnable] 
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [c8eeee02] rundll32.exe "C:\WINDOWS\system32\gsxcmaim.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.secure.hiwired.com (HKLM)
O15 - ESC Trusted Zone: *.secure.hiwired.com (HKLM)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HiWired Client Core Service (HiWiredCore) - HiWired Inc. - C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PatchLink Update - HiWired - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9560 bytes

-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 10:55:05 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-26 07:40:11 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-26 07:40:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 07:40:01 0 d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\SUPERAntiSpyware.com
2008-04-26 07:39:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 19:44:16 68096 --a------ C:\WINDOWS\zip.exe
2008-04-25 19:44:16 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-25 19:44:16 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-25 19:44:16 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-25 19:44:16 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-25 19:44:16 98816 --a------ C:\WINDOWS\sed.exe
2008-04-25 19:44:16 80412 --a------ C:\WINDOWS\grep.exe
2008-04-25 19:44:16 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 23:03:00 0 d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\TmpRecentIcons


-- Find3M Report ---------------------------------------------------------------

2008-04-26 07:39:26 0 d-------- C:\Program Files\Common Files
2008-04-25 19:41:23 0 d-------- C:\Program Files\Java
2008-04-25 00:45:08 0 d-------- C:\Program Files\Trend Micro
2008-02-25 20:46:18 3764 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-25 20:45:53 88 -r-hs---- C:\WINDOWS\system32\F7B8629B68.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08}]
C:\WINDOWS\system32\geBQKdDw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 03:01 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/16/2006 04:39 PM]
"SigmatelSysTrayApp"="stsystra.exe" [07/24/2006 06:20 PM C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [07/06/2006 08:15 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 04:12 AM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 05:36 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 06:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 05:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 05:50 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07/16/2007 04:59 AM]
"BuildBU"="c:\dell\bldbubg.exe" [11/28/2006 04:43 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/28/2006 05:06 AM]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [06/30/2006 03:43 PM]
"LogEnable"="1 (0x1)" []
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [01/19/2008 10:01 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"c8eeee02"="C:\WINDOWS\system32\gsxcmaim.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 08:39 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/27/2007 09:13 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/28/2006 5:01:47 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/12/2005 1:49:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-26 14:54:05 ------------

#13 Buckeye_Sam (Malware Expert)

Posted 27 April 2008 - 07:32 AM

Copy this text and run it through OTMoveIt just as you did before.

HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\c8eeee02
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run\\Fgco0YG89s
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run\\Fgco0YG89s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\vadokmxt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\wdpoefan


Please post the log from OTMoveIt and also a new log from DSS.
Let me know how your computer is working now.
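Added example, not from this thread or from the HijackThis/OTMoveIt2 authors: a Python script that parses the O2 (BHO) and O4 (Run key) lines of two HijackThis logs and reports which persistence entries disappeared between runs and which suspicious ones remain, the same before/after comparison the helper makes by eye between the 26 April log above and the 27 April log that follows. The log excerpts are constructed from entries quoted in this thread, and the flagging heuristics (an unnamed BHO whose DLL is missing, an eight-hex-character Run value name, a rundll32 call with a one-letter export) are assumptions drawn from the indicators targeted above, not rules from either tool.

```python
import re

# HijackThis line shapes handled here (constructed from entries quoted in this thread):
#   O2 - BHO: <name> - {CLSID} - <dll path> [(file missing)]
#   O4 - <hive>\..\Run: [<value name>] <command>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] ?(?P<cmd>.*)$")

# Heuristics: assumptions modelled on the c8eeee02 and geBQKdDw.dll entries in this thread.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")            # random eight-hex-character value name
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+\.dll)"?,(?P<export>\S*)', re.I)


def parse_entries(log: str) -> dict:
    """Map a stable id to (kind, name, target) for every O2 and O4 Run line in a log.

    Lines of any other HijackThis type are ignored, so a whole log can be fed in.
    """
    entries = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries["O2:" + m["clsid"].upper()] = ("BHO", m["name"], m["path"])
            continue
        m = O4_RE.match(line)
        if m:
            entries[f"O4:{m['hive']}:{m['value']}"] = ("Run", m["value"], m["cmd"])
    return entries


def suspicious_reasons(entry) -> list:
    """Explain why an entry deserves a closer look; an empty list means nothing was flagged."""
    kind, name, target = entry
    reasons = []
    if kind == "BHO":
        if name == "(no name)":
            reasons.append("BHO registered without a display name")
        if target.endswith("(file missing)"):
            reasons.append("BHO DLL no longer on disk: orphaned registration")
    elif kind == "Run":
        if HEX_NAME_RE.match(name):
            reasons.append("Run value name is eight random hex characters")
        m = RUNDLL_RE.search(target)
        if m and len(m["export"]) <= 2:
            reasons.append(f"rundll32 calls export '{m['export']}' of {m['dll']}")
    return reasons


def diff_logs(before: str, after: str):
    """Return (entries removed between the two logs, suspicious entries still present)."""
    old, new = parse_entries(before), parse_entries(after)
    removed = {k: v for k, v in old.items() if k not in new}
    still_suspicious = {k: suspicious_reasons(v) for k, v in new.items()
                        if suspicious_reasons(v)}
    return removed, still_suspicious


# Constructed excerpts, modelled on the 26 April and 27 April logs in this thread.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A8DF1DA-5433-4E5B-B416-C2A273E6CD08} - C:\WINDOWS\system32\geBQKdDw.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [c8eeee02] rundll32.exe "C:\WINDOWS\system32\gsxcmaim.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""
# The "after" log is the same excerpt with the c8eeee02 Run value gone, as OTMoveIt2 reported.
LOG_AFTER = LOG_BEFORE.replace(
    r'O4 - HKLM\..\Run: [c8eeee02] rundll32.exe "C:\WINDOWS\system32\gsxcmaim.dll",b' + "\n", "")

if __name__ == "__main__":
    removed, still_suspicious = diff_logs(LOG_BEFORE, LOG_AFTER)
    for key, (kind, name, target) in removed.items():
        print(f"removed   {key}: {target}")
    for key, reasons in still_suspicious.items():
        print(f"remaining {key}: " + "; ".join(reasons))
```

Run against the two logs it reports the c8eeee02 Run value as removed and the nameless BHO with the missing DLL as still registered, which is exactly the state the 27 April log shows.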


========================================================

#14 leeper (Topic Starter)

Posted 27 April 2008 - 04:41 PM

Hi,

The computer is running much better, thanks. I do get the error that I previously mentioned upon boot-up.

Here is the OTmoveit:

< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\c8eeee02 >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\c8eeee02 deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run\\Fgco0YG89s >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run\\Fgco0YG89s not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run\\Fgco0YG89s >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run\\Fgco0YG89s not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\vadokmxt >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\vadokmxt not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\wdpoefan >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\wdpoefan not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04272008_173546


And, here is the DSS scan:

Deckard's System Scanner v20071014.68
Run by Jonathan Leepson on 2008-04-27 17:37:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jonathan Leepson.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:39 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Desktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PatchLink\Update Agent\Dagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Documents and Settings\Jonathan Leepson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JONATH~1.EXE
C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Host.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3A8DF1DA-5433-4E5B-B416-C2A273E6CD08} - C:\WINDOWS\system32\geBQKdDw.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [LogEnable] 
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.secure.hiwired.com (HKLM)
O15 - ESC Trusted Zone: *.secure.hiwired.com (HKLM)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HiWired Client Core Service (HiWiredCore) - HiWired Inc. - C:\Program Files\HiWired\PC Check & Connect\HiWired.Client.Core.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PatchLink Update - HiWired - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 9638 bytes

-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-26 10:55:05 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-26 07:40:11 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-26 07:40:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 07:40:01 0 d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\SUPERAntiSpyware.com
2008-04-26 07:39:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 19:44:16 68096 --a------ C:\WINDOWS\zip.exe
2008-04-25 19:44:16 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-25 19:44:16 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-25 19:44:16 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-25 19:44:16 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-25 19:44:16 98816 --a------ C:\WINDOWS\sed.exe
2008-04-25 19:44:16 80412 --a------ C:\WINDOWS\grep.exe
2008-04-25 19:44:16 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 23:03:00 0 d-------- C:\Documents and Settings\Jonathan Leepson\Application Data\TmpRecentIcons


-- Find3M Report ---------------------------------------------------------------

2008-04-26 07:39:26 0 d-------- C:\Program Files\Common Files
2008-04-25 19:41:23 0 d-------- C:\Program Files\Java
2008-04-25 00:45:08 0 d-------- C:\Program Files\Trend Micro
2008-02-25 20:46:18 3764 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-25 20:45:53 88 -r-hs---- C:\WINDOWS\system32\F7B8629B68.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8DF1DA-5433-4E5B-B416-C2A273E6CD08}]
C:\WINDOWS\system32\geBQKdDw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 03:01 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/16/2006 04:39 PM]
"SigmatelSysTrayApp"="stsystra.exe" [07/24/2006 06:20 PM C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [07/06/2006 08:15 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 04:12 AM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [08/30/2005 05:36 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 06:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 05:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 05:50 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07/16/2007 04:59 AM]
"BuildBU"="c:\dell\bldbubg.exe" [11/28/2006 04:43 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/28/2006 05:06 AM]
"PDDM"="C:\Program Files\PatchLink\Update Agent\pddm.exe" [06/30/2006 03:43 PM]
"LogEnable"="1 (0x1)" []
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [01/19/2008 10:01 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [04/11/2006 08:39 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/27/2007 09:13 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/28/2006 5:01:47 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/12/2005 1:49:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-04-27 17:37:55 ------------




Thanks again for your assistance.

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:15 PM

Posted 28 April 2008 - 07:59 AM

I do get the error that I previously mentioned upon boot-up.

You are still getting that error?

Run HijackThis again, click Scan, and put a checkmark next to the line listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {3A8DF1DA-5433-4E5B-B416-C2A273E6CD08} - C:\WINDOWS\system32\geBQKdDw.dll (file missing)


Reboot and post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
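The O2 line above is HijackThis reporting a Browser Helper Object whose CLSID is still registered but whose DLL (C:\WINDOWS\system32\geBQKdDw.dll) is gone from disk, exactly what the Registry Dump section of the scanner log shows. The following PowerShell is an added example, not part of the thread or of HijackThis, that performs the same check directly: it walks the Browser Helper Objects keys, resolves each CLSID to its InprocServer32 DLL path, and reports entries whose file is missing so they can be reviewed before removal. It assumes a Windows host with PowerShell and read access to HKLM and HKCR.

```powershell
# Added example: list Browser Helper Objects and flag orphaned entries
# (registered CLSID whose DLL no longer exists), the condition HijackThis
# reports as "(file missing)" on an O2 line.
function Get-BhoStatus {
    # Native key plus the Wow6432Node key used by 32-bit IE on 64-bit Windows
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid = $sub.PSChildName
            # The BHO subkey itself is usually empty; the DLL path is the
            # default value of HKCR\CLSID\{clsid}\InprocServer32.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -LiteralPath $server) {
                $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
            }
            if ($dll) {
                # Paths may be quoted or use %SystemRoot%-style variables
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
            [pscustomobject]@{
                CLSID       = $clsid
                Dll         = $dll
                FileMissing = (-not $dll) -or (-not (Test-Path -LiteralPath $dll))
                Source      = $key
            }
        }
    }
}

# Orphaned entries are the ones worth reviewing; a registered BHO with no
# backing DLL is either leftover from a removed add-on or, as in this thread,
# residue of malware whose file has already been deleted.
Get-BhoStatus | Where-Object { $_.FileMissing } | Format-Table CLSID, Dll, Source -AutoSize
```

Run it from an elevated prompt and compare the reported CLSIDs with the O2 lines in the HijackThis log; entries that are not orphaned but point at an unfamiliar DLL in a system directory deserve the same scrutiny.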



