Trojandownloader.xs?


This topic is locked
8 replies to this topic

#1 Chuck S

Posted 01 May 2008 - 05:46 AM

I am having difficulty removing several "spyware occurrences" on a PC for a family member. I have installed and run Spybot, which seems to catch and remove all but 5. The PC has pop-ups from "Windows Security Center" informing that TrojanDownloader.xs is detected and to click here to remove. I'm sure this is part of the problem, and not a solution. It is also getting alerts in the taskbar that the computer is infected with spyware and to click here to remove. I installed and ran Malwarebytes' Anti-Malware as suggested in another post in this forum, but it was unable to finish the initial scan. I've run DSS. Here are the results. I greatly appreciate any additional help you can provide.

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-30 21:20:24
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
40: 2008-05-01 02:36:59 UTC - RP293 - Deckard's System Scanner Restore Point
39: 2008-04-25 19:33:04 UTC - RP292 - Software Distribution Service 3.0
38: 2008-04-25 18:37:08 UTC - RP291 - Installed AVG 7.5
37: 2008-04-25 18:14:58 UTC - RP290 - Removed TMASOLDL
36: 2008-04-25 18:14:43 UTC - RP289 - Removed TMASOEDL


-- First Restore Point --
1: 2008-04-20 01:46:47 UTC - RP254 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:22 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\sbwltbxa.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {00376d83-a433-d393-b6a8-07e61f05074f} - C:\WINDOWS\system32\apisrvmnt.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: DVA Storm - {4c9c9447-3658-44c9-8490-d96b0ab57c88} - C:\WINDOWS\lgmxvpatgbn.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: DVA Gate - {66f72b26-da47-4b7c-a2e1-5046043496b5} - C:\WINDOWS\qnmargoldpq.dll
O2 - BHO: (no name) - {6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} - C:\WINDOWS\system32\jkkLDTlj.dll
O2 - BHO: (no name) - {7c109800-a5d5-438f-9640-18d17e168b88} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: 717305 helper - {963916cd-6311-485d-93dc-3bd1b9e2d2cb} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: iSecurity - {a8311e8f-e459-4d22-89b4-cb9dcf10a425} - iSecurity.cpl (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {C89FFBB5-80A8-46E4-99ED-D94752017688} - C:\WINDOWS\system32\ssqRICvs.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {d4c26798-1dd1-11b2-bde1-ad5ae0b31ca6} - C:\WINDOWS\qfopqdih.dll
O2 - BHO: (no name) - {ee8963f5-a46a-f093-44e7-a68f73577d91} - C:\WINDOWS\system32\khfvll.dll
O2 - BHO: 382077 helper - {f0a035ec-c865-4e47-bf73-b17741dd5232} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: qtvglped - {3D91099B-562D-49EC-BDBD-78C5DE9CAED9} - C:\WINDOWS\qtvglped.dll (file missing)
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Administrator\cftmon.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 \3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ulufkdmf] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ulufkdmf.dll"
O4 - HKLM\..\Run: [Winupdates] gpld2.exe
O4 - HKLM\..\Run: [cjb] C:\Program Files\cjb\cjb8.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [ivmzcrqh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ivmzcrqh.dll"
O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [VirusHeat 4.3] "C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h
O4 - HKLM\..\Run: [705d901e] rundll32.exe "C:\WINDOWS\system32\ehltmxet.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Administrator\cftmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: jkkldtlj - C:\WINDOWS\SYSTEM32\jkkLDTlj.dll
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\system32\cryper.dll
O21 - SSODL: DrvDrv - {c6a757d5-6ba9-4ef1-bb12-9cb9e26faf30} - C:\WINDOWS\Resources\DrvDrv.dll
O21 - SSODL: omlbpkaw - {B12CB2E3-12E2-4063-B350-5627738D0D7A} - C:\WINDOWS\omlbpkaw.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O21 - SSODL: UqkioEp - {705D90B2-DAF7-3A18-722E-160481C4CB2B} - C:\WINDOWS\system32\bwsra.dll
O21 - SSODL: MonPrx - {beb2a0c3-7cec-4e22-aa0f-7c70da9c8fea} - C:\WINDOWS\Resources\MonPrx.dll
O21 - SSODL: zip - {9226c9da-aa23-4cc4-b54e-87fcd90e2f0e} - C:\WINDOWS\Installer\{9226c9da-aa23-4cc4-b54e-87fcd90e2f0e}\zip.dll (file missing)
O21 - SSODL: CheckCD - {1f7be175-40ed-4bca-86cb-ab14b88e91e5} - C:\WINDOWS\Resources\CheckCD.dll
O22 - SharedTaskScheduler: frowardness - {b0fdc513-46b9-46fc-8e70-d575ee546dae} - C:\WINDOWS\system32\zfaiqwr.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Media Center Receiver Service ehRecvrSQLAgent$MICROSOFTSMLBIZ (ehRecvrSQLAgent$MICROSOFTSMLBIZ) - Unknown owner - C:\WINDOWS\system32\3com_dmix.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 14074 bytes

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 widuxngq - c:\windows\widuxngq.sys
S2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 service.sys - c:\windows\system32\service.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>
S2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S2 ehRecvrSQLAgent$MICROSOFTSMLBIZ (Media Center Receiver Service ehRecvrSQLAgent$MICROSOFTSMLBIZ) - c:\windows\system32\3com_dmix.exe srv
S2 icf - c:\windows\system32\svchost.exe:exe.exe
S2 MSSysInterv1 (MSSysInterv) - c:\windows\winself.exe service
S3 MHN - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 PACSPTISVR - "c:\program files\common files\sony shared\avlib\pacsptisvr.exe" <Not Verified; ; PACSPTISVR Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-12 07:02:12 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-25 13:54:11 96320 --a------ C:\WINDOWS\system32\ehltmxet.dll
2008-04-25 13:14:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 13:14:23 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 13:14:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-25 13:10:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-25 13:09:45 13824 --a------ C:\Documents and Settings\Administrator\cftmon.exe
2008-04-25 13:08:40 0 d--hs---- C:\WINDOWS\CSC
2008-04-25 13:05:55 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 13:04:27 0 d-------- C:\WINDOWS\system32\717305
2008-04-25 13:00:10 18368 --a------ C:\WINDOWS\system32\service.sys
2008-04-25 13:00:09 53760 --a------ C:\WINDOWS\system32\service.exe
2008-04-25 12:59:57 37376 --a------ C:\WINDOWS\system32\pmnNfgDw.dll
2008-04-25 12:59:47 4096 --a------ C:\atpjpfl.exe
2008-04-25 12:59:45 10000 --a------ C:\WINDOWS\system32\jfiehayd.dll
2008-04-25 12:59:32 118784 --a------ C:\WINDOWS\system32\apisrvmnt.dll
2008-04-25 12:59:32 0 d-------- C:\Documents and Settings\All Users\Application Data\zszszezk
2008-04-25 12:59:32 118784 --a------ C:\Documents and Settings\All Users\Application Data\ivmzcrqh.dll
2008-04-25 12:58:59 43520 --a------ C:\WINDOWS\system32\jkkKbCuR.dll
2008-04-25 12:58:45 81920 --a------ C:\WINDOWS\wxvgsdbq.exe
2008-04-25 12:58:45 212992 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-25 12:58:45 217088 --a------ C:\WINDOWS\qnmargoldpq.dll
2008-04-25 12:58:45 94208 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-25 12:58:44 167936 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-25 12:58:11 0 d-------- C:\WINDOWS\system32\382077
2008-04-25 12:57:54 24064 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-04-25 12:52:59 60928 --a------ C:\WINDOWS\system32\khfvll.dll
2008-04-25 12:06:56 0 dr-h----- C:\$VAULT$.AVG
2008-04-25 11:38:29 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\AVG7
2008-04-25 11:38:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-25 11:37:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-25 11:37:43 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-25 10:51:29 16464 -r-hs---- C:\Program Files\tmp3.exe
2008-04-25 10:51:21 16464 -r-hs---- C:\Program Files\tmp2.exe
2008-04-25 10:39:59 0 d-------- C:\WINDOWS\privacy_danger
2008-04-20 10:20:01 0 d-------- C:\Program Files\VirusIsolator
2008-04-19 20:07:15 0 d-------- C:\WINDOWS\privacy_danger(2)
2008-04-19 19:10:01 0 d-------- C:\Program Files\VirusHeat 4.3
2008-04-19 19:09:47 0 d-------- C:\Program Files\NetProject
2008-04-19 18:47:43 4194304 --a------ C:\Documents and Settings\MARIA FRIAS\ntuser.dat
2008-04-19 18:47:37 262144 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-04-19 18:47:31 16464 -r-hs---- C:\Program Files\tmp1.exe
2008-04-19 18:47:29 112 --a------ C:\tempdel.bat
2008-04-19 18:47:23 16464 -r-hs---- C:\Program Files\tmp0.exe
2008-04-19 18:47:19 21588 --a------ C:\Program Files\antiviirus.exe
2008-04-19 18:47:10 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-04-19 18:46:26 425960 --ahs---- C:\WINDOWS\system32\svCIRqss.ini2
2008-04-19 18:46:20 275456 --a------ C:\WINDOWS\system32\ssqRICvs.dll
2008-04-19 10:12:43 16 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2008-04-19 10:12:16 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\TmpRecentIcons
2008-04-18 23:29:44 0 d-------- C:\iSecurity
2008-04-18 22:57:27 38912 --a------ C:\WINDOWS\system32\jkkLDTlj.dll
2008-04-18 22:57:18 53760 --a------ C:\d.exe
2008-04-18 22:57:10 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-04-18 22:57:09 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-18 22:57:09 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-04-18 22:57:09 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-18 22:57:08 4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-18 22:57:08 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-04-18 22:57:08 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-04-18 22:57:08 4096 --a------ C:\WINDOWS\a.bat
2008-04-18 22:57:07 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-18 22:57:07 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-04-18 22:57:05 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-18 22:57:05 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-04-18 22:57:05 0 d-------- C:\Documents and Settings\MARIA FRIAS\Desktopvirii
2008-04-18 22:57:04 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-04-18 22:57:04 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-04-18 22:57:04 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-18 22:57:04 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-04-18 22:57:04 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32thun.dll
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-04-18 22:57:03 0 d-------- C:\WINDOWS\system32smp
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32netode.exe
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-04-18 22:57:03 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-04-18 22:57:03 0 d-------- C:\Program Files\Inet Delivery
2008-04-18 22:57:03 4096 --a------ C:\Documents and Settings\MARIA FRIAS\Desktopfilemanagerclient.exe
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\mssecu.exe
2008-04-18 22:57:02 4096 --a------ C:\WINDOWS\bdn.com
2008-04-18 22:57:02 4096 --a------ C:\Documents and Settings\MARIA FRIAS\DesktopFWebdEditor.exe
2008-04-18 22:57:02 4096 --a------ C:\Documents and Settings\MARIA FRIAS\Desktopfwebd.exe
2008-04-18 22:57:01 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-04-18 22:57:01 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-04-18 22:57:01 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-18 22:57:01 98304 --a------ C:\WINDOWS\rtqmekwg.exe
2008-04-18 22:57:01 225280 --a------ C:\WINDOWS\pmsoarbf.dll
2008-04-18 22:57:01 335872 --a------ C:\WINDOWS\omlbpkaw.dll
2008-04-18 22:57:00 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-04-18 22:57:00 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-04-18 22:57:00 106496 --a------ C:\WINDOWS\npqtsrak.exe
2008-04-18 22:57:00 0 d-------- C:\WINDOWS\mslagent
2008-04-18 22:57:00 0 d-------- C:\Program Files\akl
2008-04-18 22:56:59 0 d-------- C:\Program Files\cjb
2008-04-18 22:56:47 0 d-------- C:\Documents and Settings\All Users\Application Data\hirixsla
2008-04-18 22:56:46 110592 --a------ C:\WINDOWS\system32\babctwjw.exe
2008-04-18 22:56:46 0 d-------- C:\Program Files\iSecurity
2008-04-18 22:56:46 79360 --a------ C:\lilsesn.exe
2008-04-18 22:56:43 9216 --a------ C:\gjtxc.exe
2008-04-18 22:56:28 25040 --a------ C:\WINDOWS\system32\wind32.exe
2008-04-18 22:55:40 10 --a------ C:\WINDOWS\system32\kr_done1
2008-04-18 19:39:37 53760 --a------ C:\WINDOWS\system32\gpld2.exe
2008-04-18 19:39:33 2 --a------ C:\1885180081
2008-04-18 19:39:23 75698 --a------ C:\WINDOWS\widuxngq.sys
2008-04-18 19:39:19 79360 --a------ C:\vqvtx.exe
2008-04-18 19:39:18 13824 --a------ C:\dssic.exe
2008-04-17 16:33:03 20480 --ahs---- C:\WINDOWS\system32\000090y.dll
2008-04-17 16:32:53 22016 --ahs---- C:\WINDOWS\system32\acluid.dll
2008-04-17 16:31:41 133 --a-s---- C:\WINDOWS\system32\2399076128.dat
2008-04-17 16:31:31 41984 -rahs---- C:\WINDOWS\system32\3com_dmix.exe
2008-04-16 21:01:46 261632 --a------ C:\WINDOWS\system32\cryper.dll
2008-04-15 21:02:22 60928 --a------ C:\Documents and Settings\All Users\Application Data\ulufkdmf.dll
2008-04-15 21:02:21 60928 --a------ C:\WINDOWS\qfopqdih.dll
2008-04-15 21:02:02 85504 --a------ C:\WINDOWS\system32\sbwltbxa.exe <Not Verified; Microsoft; runbll>
2008-04-15 21:01:52 7680 --a------ C:\hqsS.exe
2008-04-15 18:32:01 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\s?curity
2008-04-14 16:10:43 16384 --a------ C:\WINDOWS\2020search2.dll
2008-04-14 16:10:43 31744 --a------ C:\WINDOWS\2020search.dll
2008-04-14 16:10:40 25088 --a------ C:\WINDOWS\saiemod.dll
2008-04-14 15:38:53 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\Mozilla
2008-04-14 15:34:40 0 d-------- C:\Program Files\RcvSystem
2008-04-14 15:32:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 22:57:54 0 d-------- C:\Program Files\??mantec
2008-04-13 22:37:15 66770 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-04-13 13:24:14 0 d-------- C:\Program Files\AntiVirusPro
2008-04-13 13:23:07 13824 --a------ C:\WINDOWS\system32\drivers\spools.exe
2008-04-13 13:23:07 78929 --a------ C:\Documents and Settings\MARIA FRIAS\cftmon.exe
2008-04-13 13:23:06 9216 --a------ C:\WINDOWS\system32\~.exe
2008-04-13 13:11:41 0 d-------- C:\Program Files\InetGet2
2008-04-13 13:01:40 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\WinTouch
2008-04-13 13:01:36 0 d-------- C:\Program Files\Inet_Get_2
2008-04-13 12:46:27 0 d-------- C:\Program Files\Temporary
2008-04-13 12:46:27 0 d-------- C:\Program Files\CPV
2008-04-12 18:15:19 6656 --a------ C:\WINDOWS\ons.dll
2008-04-12 07:07:53 0 d-------- C:\Program Files\iPod
2008-04-12 07:05:20 0 d-------- C:\Program Files\Bonjour
2008-04-12 07:02:07 0 d-------- C:\Program Files\Apple Software Update
2008-04-12 07:01:51 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-12 07:01:26 0 d-------- C:\Program Files\Common Files\Apple
2008-04-12 07:01:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-12 02:50:17 24064 --a------ C:\WINDOWS\stcloader.exe
2008-04-12 02:50:16 23808 --a------ C:\WINDOWS\voiceip.dll
2008-04-12 02:50:16 9984 --a------ C:\WINDOWS\swin32.dll
2008-04-12 02:50:16 28928 --a------ C:\WINDOWS\mssvr.exe
2008-04-12 02:50:16 27392 --a------ C:\WINDOWS\cdsm32.dll
2008-04-12 02:50:16 16384 --a------ C:\WINDOWS\bokja.exe
2008-04-12 02:50:15 31232 --a------ C:\WINDOWS\mspphe.dll
2008-04-12 02:50:15 11520 --a------ C:\WINDOWS\bjam.dll
2008-04-12 02:50:11 15872 --a------ C:\WINDOWS\msapasrc.dll
2008-04-12 02:50:10 26880 --a------ C:\WINDOWS\shdocpl.dll
2008-04-12 02:50:10 31488 --a------ C:\WINDOWS\msa64chk.dll
2008-04-12 02:50:09 26112 --a------ C:\WINDOWS\shdocpe.dll
2008-04-12 02:50:09 27648 --a------ C:\WINDOWS\ntnut.exe
2008-04-12 02:50:08 26624 --a------ C:\WINDOWS\winsb.dll
2008-04-12 02:50:08 29440 --a------ C:\WINDOWS\browserad.dll
2008-04-12 02:50:08 24832 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-12 02:50:07 8448 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-12 02:50:07 8448 --a------ C:\WINDOWS\avifile32.dll
2008-04-12 02:50:07 20224 --a------ C:\WINDOWS\autodisc32.dll
2008-04-12 02:50:07 20736 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-12 02:50:07 28928 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-12 02:50:07 17408 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-12 02:50:06 8704 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-12 02:50:06 19456 --a------ C:\WINDOWS\athprxy32.dll
2008-04-12 02:50:06 12800 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-12 02:50:06 14336 --a------ C:\WINDOWS\asferror32.dll
2008-04-12 02:50:06 22272 --a------ C:\WINDOWS\apphelp32.dll
2008-04-12 02:23:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-12 02:21:26 0 d-------- C:\Program Files\QdrPack
2008-04-12 02:21:24 0 d-------- C:\Program Files\Outerinfo
2008-04-12 02:21:21 0 d-------- C:\WINDOWS\W?nSxS
2008-04-12 02:21:16 0 d-------- C:\Program Files\QdrModule
2008-04-12 02:21:15 0 d-------- C:\Program Files\QdrDrive
2008-04-12 02:21:14 0 d-------- C:\Program Files\ISM
2008-04-12 02:20:59 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-04-12 02:20:58 0 d-------- C:\WINDOWS\system32\??stem32
2008-04-12 02:20:46 0 d-------- C:\Program Files\webHancer
2008-04-12 02:20:43 0 d-------- C:\Program Files\Bat
2008-04-12 02:20:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-12 02:20:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-04-12 02:20:35 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-04-12 02:20:35 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-12 02:20:34 87979 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-12 02:20:34 87979 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-04-12 02:20:30 28160 --a------ C:\WINDOWS\winself.exe
2008-04-11 23:14:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-11 20:22:28 6656 --a------ C:\WINDOWS\system32\000060.exe
2008-04-11 12:44:48 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-04-11 07:48:26 11264 --a------ C:\WINDOWS\b138.exe
2008-04-08 16:33:56 68096 --a------ C:\WINDOWS\b155.exe
2008-04-07 14:20:46 4876 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-04 22:29:14 270694 --a------ C:\WINDOWS\system32\000090.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-25 13:04:10 13312 --a-s---- C:\WINDOWS\system32\zfaiqwr.dll
2008-04-25 12:10:58 0 d-------- C:\Program Files\Trend Micro
2008-04-25 11:33:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 19:48:44 0 d-------- C:\Program Files\Common Files
2008-04-18 22:55:59 17408 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 20:20:29 0 d-------- C:\Program Files\World of Warcraft
2008-04-14 20:35:22 0 d-------- C:\Program Files\BearShare Applications
2008-04-14 03:29:24 0 d-------- C:\Program Files\iTunes
2008-04-13 22:57:54 0 d-------- C:\Program Files\??mantec
2008-04-12 07:05:01 0 d-------- C:\Program Files\QuickTime
2008-04-10 23:18:45 0 d-------- C:\Program Files\Warcraft III
2008-03-31 16:23:26 82210 --a------ C:\WINDOWS\War3Unin.dat
2008-03-31 16:11:25 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-03-31 16:11:25 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-03-22 08:19:00 0 d-------- C:\Program Files\Dl_cats
2008-03-06 00:48:54 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00376d83-a433-d393-b6a8-07e61f05074f}]
04/25/2008 12:59 PM 118784 --a------ C:\WINDOWS\system32\apisrvmnt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4c9c9447-3658-44c9-8490-d96b0ab57c88}]
C:\WINDOWS\lgmxvpatgbn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f72b26-da47-4b7c-a2e1-5046043496b5}]
04/25/2008 08:27 AM 217088 --a------ C:\WINDOWS\qnmargoldpq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3}]
04/18/2008 10:57 PM 38912 --a------ C:\WINDOWS\system32\jkkLDTlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c109800-a5d5-438f-9640-18d17e168b88}]
04/25/2008 01:04 PM 7680 --a------ C:\Program Files\NetProject\sbmdl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{963916cd-6311-485d-93dc-3bd1b9e2d2cb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a8311e8f-e459-4d22-89b4-cb9dcf10a425}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C89FFBB5-80A8-46E4-99ED-D94752017688}]
04/19/2008 06:46 PM 275456 --a------ C:\WINDOWS\system32\ssqRICvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}]
C:\Program Files\webHancer\programs\whiehlpr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4c26798-1dd1-11b2-bde1-ad5ae0b31ca6}]
04/15/2008 09:02 PM 60928 --a------ C:\WINDOWS\qfopqdih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ee8963f5-a46a-f093-44e7-a68f73577d91}]
04/11/2008 10:51 AM 60928 --a------ C:\WINDOWS\system32\khfvll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f0a035ec-c865-4e47-bf73-b17741dd5232}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 12:01 PM]
"SigmatelSysTrayApp"="stsystra.exe" [02/10/2006 09:17 AM C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/05/2005 07:05 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 01:12 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 08:44 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 08:44 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 03:20 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [03/20/2007 09:20 AM]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [10/20/2005 05:40 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [04/07/2004 10:07 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/20/2007 09:30 AM]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [03/29/2005 12:41 PM]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [12/16/2004 06:49 PM]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [02/16/2008 04:09 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 11:49 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 11:46 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 11:50 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"runner1"="C:\WINDOWS\mrofinu72.exe" []
"webHancer Agent"="C:\Program Files\webHancer\Programs\whagent.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/25/2008 12:58 PM]
"autoload"="C:\Documents and Settings\Administrator\cftmon.exe" [04/25/2008 12:58 PM]
"DLCCCATS"="\3\DLCCtime.dll" []
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"ulufkdmf"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\ulufkdmf.dll" []
"Winupdates"="gpld2.exe" [04/18/2008 07:39 PM C:\WINDOWS\system32\gpld2.exe]
"cjb"="C:\Program Files\cjb\cjb8.exe" [04/18/2008 10:56 PM]
"csrss"="C:\WINDOWS\system32\wbem\csrss.exe" [04/18/2008 10:56 PM]
"iSecurity applet"="iSecurity.cpl" [04/18/2008 10:56 PM C:\WINDOWS\system32\iSecurity.cpl]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/25/2008 11:37 AM]
"BluetoothAuthorizationAgent"="C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe" [04/25/2008 12:57 PM]
"antiviirus"="C:\Program Files\antiviirus.exe" [04/25/2008 12:58 PM]
"ivmzcrqh"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\ivmzcrqh.dll" []
"service.exe"="C:\WINDOWS\system32\service.exe" [04/25/2008 12:59 PM]
"VirusHeat 4.3"="C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" [04/24/2008 04:54 AM]
"705d901e"="C:\WINDOWS\system32\ehltmxet.dll" [04/25/2008 01:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [04/25/2008 11:37 AM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [04/25/2008 12:58 PM]
"autoload"="C:\Documents and Settings\Administrator\cftmon.exe" [04/25/2008 12:58 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/28/2006 8:13:34 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [3/19/2007 10:40:40 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [3/10/2005 9:40:30 AM]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 2:12:08 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 8:07:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b0fdc513-46b9-46fc-8e70-d575ee546dae}"= C:\WINDOWS\system32\zfaiqwr.dll [04/25/2008 01:04 PM 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}"= C:\WINDOWS\system32\jkkLDTlj.dll [04/18/2008 10:57 PM 38912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckWeb"= {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\system32\cryper.dll [04/16/2008 09:01 PM 261632]
"DrvDrv"= {c6a757d5-6ba9-4ef1-bb12-9cb9e26faf30} - C:\WINDOWS\Resources\DrvDrv.dll [04/18/2008 10:56 PM 14374]
"omlbpkaw"= {B12CB2E3-12E2-4063-B350-5627738D0D7A} - C:\WINDOWS\omlbpkaw.dll [04/18/2008 08:48 AM 335872]
"iSecurity"= {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl [ ]
"UqkioEp"= {705D90B2-DAF7-3A18-722E-160481C4CB2B} - C:\WINDOWS\system32\bwsra.dll [04/16/2007 08:52 AM 32768]
"MonPrx"= {beb2a0c3-7cec-4e22-aa0f-7c70da9c8fea} - C:\WINDOWS\Resources\MonPrx.dll [04/19/2008 06:47 PM 14374]
"zip"= {9226c9da-aa23-4cc4-b54e-87fcd90e2f0e} - C:\WINDOWS\Installer\{9226c9da-aa23-4cc4-b54e-87fcd90e2f0e}\zip.dll [ ]
"CheckCD"= {1f7be175-40ed-4bca-86cb-ab14b88e91e5} - C:\WINDOWS\Resources\CheckCD.dll [04/25/2008 12:58 PM 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,C:\WINDOWS\system32\sbwltbxa.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkldtlj]
jkkLDTlj.dll 04/18/2008 10:57 PM 38912 C:\WINDOWS\system32\jkkLDTlj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=iSecurity.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqRICvs


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - DCFS2K



-- End of Deckard's System Scanner: finished at 2008-04-30 21:25:10 ------------

********************************************************************************

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.66GHz
CPU 1: Intel® Pentium® D CPU 2.66GHz
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 1022.07 MiB / 790.64 MiB
Pagefile Memory (total/avail): 2461.96 MiB / 2361.41 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.77 MiB

C: is Fixed (NTFS) - 144.19 GiB total, 124.7 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (FAT)

\\.\PHYSICALDRIVE0 - SAMSUNG HD160JJ/P - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 144.19 GiB - C:
\PARTITION2 - Unknown - 4.77 GiB

\\.\PHYSICALDRIVE5 - Memorex TD 2C USB Device - 235.33 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 237.99 MiB - J:

\\.\PHYSICALDRIVE1 - TEAC USB HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.
FirewallOverride is set.

AV: AVG 7.5.519 v7.5.519 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"c:\\windows\\system32\\gpld2.exe"="c:\\windows\\system32\\gpld2.exe:*:Enabled:gpld2"
"C:\\WINDOWS\\system32\\service.exe"="C:\\WINDOWS\\system32\\service.exe:*:Enabled:enable"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D8LH7PB1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\D8LH7PB1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=D8LH7PB1
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

MARIA FRIAS (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
924PLC32 --> MsiExec.exe /I{94721EA3-7EA6-43EA-B99C-A5D0E3C66240}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AirPlus G --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{2B7E4354-0492-460A-BDB1-1F59EE141025} /l1033
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Connectivity Services --> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Banctec Service Agreement --> MsiExec.exe /X{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}
Bat --> "C:\Program Files\Bat\un_BatSetup_15041.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CardRd81 --> MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
CCHelp --> MsiExec.exe /I{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Photo AIO Printer 924 --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dlccUNST.EXE -NOLICENSE
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Documentation & Support Launcher --> MsiExec.exe /X{B0DF58A2-40DF-4465-AA56-38623EC9938C}
EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ELIcon --> MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7}
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
ESSAdpt --> MsiExec.exe /I{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}
ESSANUP --> MsiExec.exe /I{A6F18A67-B771-4191-8A33-36D2E742D6D9}
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCAM --> MsiExec.exe /I{469730CC-78DF-4CD3-B286-562D459EA619}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Games, Music, & Photos Launcher --> MsiExec.exe /X{B6884A07-0305-47AE-9969-8F26FADC17DE}
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Pack Screensaver --> C:\WINDOWS\Google Pack Screensaver Uninstaller.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPCCTR --> MsiExec.exe /I{F2D0C1B1-80FF-46F9-BA61-33B01A07FAFC}
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
Internet Service --> "C:\Program Files\NetProject\waun.exe"
Internet Service Offers Launcher --> MsiExec.exe /X{E42BD75A-FC23-4E3F-9F91-2658334C644F}
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_9_2e9dc6e\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OpenMG Secure Module 4.7.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{CCD663AE-610D-4BDF-AAB0-E914B044527D} UNINSTALL
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
PCDLNCH --> MsiExec.exe /I{69BD6399-3D8F-45B7-81D9-819361F5101D}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerStrip 3 (remove only) --> C:\Program Files\PowerStrip\uninstal.exe
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Secure Browsing --> "C:\Program Files\NetProject\sbun.exe"
SFR --> MsiExec.exe /I{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}
SFR2 --> MsiExec.exe /I{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}
Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
URL Assistant --> regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
VCAMCEN --> MsiExec.exe /I{10E98E14-832C-4AF7-A4D1-6A9EF83B282E}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VirusHeat 4.3 --> C:\Program Files\VirusHeat 4.3\uninst.exe
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
webHancer Customer Companion --> C:\Program Files\webHancer\Programs\whInstaller.exe -uninstall
WebVideo Support --> C:\WINDOWS\rtqmekwg.exe
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Windows Safety Alert --> C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\zfe1.exe /del
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB912067 -->
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2488 / Warning
Event Submitted/Written: 04/30/2008 08:25:30 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type2487 / Error
Event Submitted/Written: 04/30/2008 07:47:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x0000231f.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type2486 / Error
Event Submitted/Written: 04/30/2008 07:38:05 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module dss.dll, version 0.0.0.0, fault address 0x00002120.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type2485 / Error
Event Submitted/Written: 04/30/2008 07:37:59 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type2484 / Error
Event Submitted/Written: 04/30/2008 07:34:51 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x0000231f.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10934 / Error
Event Submitted/Written: 04/30/2008 09:21:11 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Fips
intelppm

Event Record #/Type10933 / Error
Event Submitted/Written: 04/30/2008 09:19:37 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type10932 / Error
Event Submitted/Written: 04/30/2008 09:19:28 PM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 192.168.1.3,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type10931 / Error
Event Submitted/Written: 04/30/2008 09:19:28 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service ALG with arguments ""
in order to run the server:
{D6015EC3-FA16-4813-9CA1-DA204574F5DA}

Event Record #/Type10930 / Error
Event Submitted/Written: 04/30/2008 09:19:28 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}



-- End of Deckard's System Scanner: finished at 2008-04-30 21:25:10 ------------

#2 SifuMike

malware expert

Posted 02 May 2008 - 12:17 PM

Hello Chuck,



Welcome to Bleeping Computer! My name is SifuMike and I will be helping you. :thumbsup:

AV: AVG 7.5.519 v7.5.519 (Grisoft) Outdated


You need to update your AVG antivirus.




Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services or registry entries found, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new Deckard's System Scanner log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Edited by SifuMike, 02 May 2008 - 12:42 PM.


#3 Chuck S

Topic Starter

Posted 02 May 2008 - 02:56 PM

Thanks for the advice, SifuMike. Here are the DSS scan and SDFix reports. Looking forward to your reply.

Deckard's System Scanner v20071014.68
Run by MARIA FRIAS on 2008-05-02 12:49:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as MARIA FRIAS.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:19 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Documents and Settings\All Users\Application Data\zszszezk\datqdcbs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\WINDOWS\system32\STEM32~1\cmd.exe
C:\DOCUME~1\MARIAF~1\LOCALS~1\Temp\ie.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\babctwjw.exe
C:\Documents and Settings\MARIA FRIAS\My Documents\??pPatch\??anregw.exe
C:\DOCUME~1\MARIAF~1\LOCALS~1\Temp\csrssc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MARIA FRIAS\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MARIA FRIAS.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {00376d83-a433-d393-b6a8-07e61f05074f} - C:\WINDOWS\system32\apisrvmnt.dll
O2 - BHO: (no name) - {2871c785-3cf5-f931-30cd-08b21fb17f67} - C:\WINDOWS\system32\strdsc.dll
O2 - BHO: (no name) - {2e006df2-4579-42a6-817d-2ca19e4f45b5} - C:\WINDOWS\system32\ssqRICvs.dll (file missing)
O2 - BHO: (no name) - {346c6e2f-cb48-49d9-a789-11d74484ca15} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: (no name) - {66CC32CC-B688-848B-8C97-08B7B7F36734} - C:\WINDOWS\system32\HlpSet.dll
O2 - BHO: (no name) - {6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} - C:\WINDOWS\system32\jkkLDTlj.dll (file missing)
O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\mljkhgg.dll (file missing)
O2 - BHO: (no name) - {ABD8615E-F38F-482D-86AE-736823F5EBAC} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {d4c26798-1dd1-11b2-bde1-ad5ae0b31ca6} - C:\WINDOWS\qfopqdih.dll
O2 - BHO: (no name) - {e88d66a4-a739-a496-40e7-a68f73572996} - C:\WINDOWS\system32\muirjpm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM736ea382] Rundll32.exe "C:\WINDOWS\system32\iaeyvgfa.dll",s
O4 - HKLM\..\Run: [lozwdurq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lozwdurq.dll"
O4 - HKLM\..\Run: [bwfifsfw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bwfifsfw.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\system32\STEM32~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\MARIAF~1\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Fyuqt] C:\WINDOWS\W?nSxS\?ti2evxx.exe
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKCU\..\Run: [vfdwsqaq] C:\WINDOWS\system32\babctwjw.exe
O4 - HKCU\..\Run: [InetChk] C:\DOCUME~1\MARIAF~1\LOCALS~1\Temp\ms1208646428.exe work
O4 - HKCU\..\Run: [Brio] "C:\Documents and Settings\MARIA FRIAS\My Documents\??pPatch\??anregw.exe"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\MARIAF~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [jtchhalb] C:\WINDOWS\system32\luzclmxa.exe
O4 - HKCU\..\Run: [nkzobryo] C:\WINDOWS\system32\ybitkpez.exe
O4 - HKLM\..\Policies\Explorer\Run: [aSGD5LU9Qr] C:\Documents and Settings\All Users\Application Data\zszszezk\datqdcbs.exe
O4 - HKCU\..\Policies\Explorer\Run: [aSGD5LU9Qr] C:\Documents and Settings\All Users\Application Data\zszszezk\datqdcbs.exe
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1209742902.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1209742902.exe work (User 'Default user')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{543E9157-5000-4E60-AEDE-13CBD9CD0386}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{73BFC08E-FFCF-450D-86D0-185EF0DE5A86}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C96E404F-38DF-4765-9DCD-9A43781C424D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: mljkhgg - mljkhgg.dll (file missing)
O21 - SSODL: CheckWeb - {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\system32\cryper.dll
O21 - SSODL: UqkioEp - {705D90B2-DAF7-3A18-722E-160481C4CB2B} - C:\WINDOWS\system32\bwsra.dll
O21 - SSODL: zip - {9226c9da-aa23-4cc4-b54e-87fcd90e2f0e} - C:\WINDOWS\Installer\{9226c9da-aa23-4cc4-b54e-87fcd90e2f0e}\zip.dll (file missing)
O22 - SharedTaskScheduler: frowardness - {b0fdc513-46b9-46fc-8e70-d575ee546dae} - C:\WINDOWS\system32\zfaiqwr.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Media Center Receiver Service ehRecvrSQLAgent$MICROSOFTSMLBIZ (ehRecvrSQLAgent$MICROSOFTSMLBIZ) - Unknown owner - C:\WINDOWS\system32\3com_dmix.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 12496 bytes

-- Files created between 2008-04-02 and 2008-05-02 -----------------------------

2008-05-02 12:45:58 114688 --a------ C:\WINDOWS\system32\HlpSet.dll
2008-05-02 12:45:58 114688 --a------ C:\Documents and Settings\All Users\Application Data\bwfifsfw.dll
2008-05-02 12:45:53 98304 --a------ C:\WINDOWS\system32\ybitkpez.exe
2008-05-02 11:35:40 0 d-------- C:\WINDOWS\ERUNT
2008-05-02 09:58:35 60928 --a------ C:\WINDOWS\system32\muirjpm.dll
2008-05-02 09:58:11 122880 --a------ C:\Documents and Settings\All Users\Application Data\lozwdurq.dll
2008-05-02 09:58:08 122880 --a------ C:\WINDOWS\system32\strdsc.dll
2008-05-02 09:58:02 114688 --a------ C:\WINDOWS\system32\luzclmxa.exe
2008-05-02 09:00:16 518524 --ahs---- C:\WINDOWS\system32\stutv.ini2
2008-05-02 08:45:28 321 --ahs---- C:\WINDOWS\system32\nqtss.ini2
2008-05-02 07:57:18 514792 --ahs---- C:\WINDOWS\system32\oqtss.ini2
2008-05-01 03:24:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-01 03:24:15 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-01 03:24:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 13:14:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 13:14:23 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 13:14:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-25 13:10:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-25 13:08:40 0 d--hs---- C:\WINDOWS\CSC
2008-04-25 13:05:55 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 12:59:47 4096 --a------ C:\atpjpfl.exe
2008-04-25 12:59:45 10000 --a------ C:\WINDOWS\system32\jfiehayd.dll
2008-04-25 12:59:32 118784 --a------ C:\WINDOWS\system32\apisrvmnt.dll
2008-04-25 12:59:32 0 d-------- C:\Documents and Settings\All Users\Application Data\zszszezk
2008-04-25 12:59:32 118784 --a------ C:\Documents and Settings\All Users\Application Data\ivmzcrqh.dll
2008-04-25 12:06:56 0 dr-h----- C:\$VAULT$.AVG
2008-04-25 11:38:29 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\AVG7
2008-04-25 11:38:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-25 11:37:43 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-19 20:07:15 0 d-------- C:\WINDOWS\privacy_danger(2)
2008-04-19 18:47:43 4194304 --a------ C:\Documents and Settings\MARIA FRIAS\NTUSER.DAT
2008-04-19 18:47:37 262144 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-04-19 18:47:10 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-04-19 18:46:26 425456 --ahs---- C:\WINDOWS\system32\svCIRqss.ini2
2008-04-19 10:12:16 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\TmpRecentIcons
2008-04-18 23:29:44 0 d-------- C:\iSecurity
2008-04-18 22:56:47 0 d-------- C:\Documents and Settings\All Users\Application Data\hirixsla
2008-04-18 22:56:46 110592 --a------ C:\WINDOWS\system32\babctwjw.exe
2008-04-18 22:56:46 79360 --a------ C:\lilsesn.exe
2008-04-18 22:56:43 9216 --a------ C:\gjtxc.exe
2008-04-18 19:39:37 53760 --a------ C:\WINDOWS\system32\gpld2.exe
2008-04-18 19:39:19 79360 --a------ C:\vqvtx.exe
2008-04-18 19:39:18 13824 --a------ C:\dssic.exe
2008-04-17 16:33:03 20480 --ahs---- C:\WINDOWS\system32\000090y.dll
2008-04-17 16:32:53 22016 --ahs---- C:\WINDOWS\system32\acluid.dll
2008-04-17 16:31:41 207 --a-s---- C:\WINDOWS\system32\2399076128.dat
2008-04-17 16:31:31 41984 -rahs---- C:\WINDOWS\system32\3com_dmix.exe
2008-04-16 21:01:46 261632 --a------ C:\WINDOWS\system32\cryper.dll
2008-04-15 21:02:22 60928 --a------ C:\Documents and Settings\All Users\Application Data\ulufkdmf.dll
2008-04-15 21:02:21 60928 --a------ C:\WINDOWS\qfopqdih.dll
2008-04-15 21:01:52 7680 --a------ C:\hqsS.exe
2008-04-15 18:32:01 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\s?curity
2008-04-14 15:38:53 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\Mozilla
2008-04-14 15:34:40 0 d-------- C:\Program Files\RcvSystem
2008-04-14 15:32:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 22:57:54 0 d-------- C:\Program Files\??mantec
2008-04-13 13:24:14 0 d-------- C:\Program Files\AntiVirusPro
2008-04-13 13:01:36 0 d-------- C:\Program Files\Inet_Get_2
2008-04-12 18:15:19 6656 --a------ C:\WINDOWS\ons.dll
2008-04-12 07:07:53 0 d-------- C:\Program Files\iPod
2008-04-12 07:05:20 0 d-------- C:\Program Files\Bonjour
2008-04-12 07:02:07 0 d-------- C:\Program Files\Apple Software Update
2008-04-12 07:01:51 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-12 07:01:26 0 d-------- C:\Program Files\Common Files\Apple
2008-04-12 07:01:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-12 02:23:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-12 02:21:24 0 d-------- C:\Program Files\Outerinfo
2008-04-12 02:21:21 0 d-------- C:\WINDOWS\W?nSxS
2008-04-12 02:20:58 0 d-------- C:\WINDOWS\system32\??stem32
2008-04-12 02:20:46 0 d-------- C:\Program Files\webHancer
2008-04-12 02:20:43 0 d-------- C:\Program Files\Bat
2008-04-12 02:20:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-12 02:20:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-04-12 02:20:35 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-12 02:20:34 87979 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-04-11 23:14:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-07 14:20:46 4876 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-04-30 22:37:55 0 d-------- C:\Program Files\Common Files
2008-04-25 12:10:58 0 d-------- C:\Program Files\Trend Micro
2008-04-25 11:33:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 22:55:59 17408 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 20:20:29 0 d-------- C:\Program Files\World of Warcraft
2008-04-15 18:32:01 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\s?curity
2008-04-14 20:35:22 0 d-------- C:\Program Files\BearShare Applications
2008-04-14 18:01:13 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\Adobe
2008-04-14 03:29:24 0 d-------- C:\Program Files\iTunes
2008-04-13 22:57:54 0 d-------- C:\Program Files\??mantec
2008-04-12 07:05:01 0 d-------- C:\Program Files\QuickTime
2008-04-10 23:18:45 0 d-------- C:\Program Files\Warcraft III
2008-03-31 16:23:26 82210 --a------ C:\WINDOWS\War3Unin.dat
2008-03-31 16:11:25 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-03-31 16:11:25 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-03-22 08:19:00 0 d-------- C:\Program Files\Dl_cats
2008-03-06 00:48:54 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00376d83-a433-d393-b6a8-07e61f05074f}]
04/25/2008 12:59 PM 118784 --a------ C:\WINDOWS\system32\apisrvmnt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2871c785-3cf5-f931-30cd-08b21fb17f67}]
05/02/2008 09:58 AM 122880 --a------ C:\WINDOWS\system32\strdsc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e006df2-4579-42a6-817d-2ca19e4f45b5}]
C:\WINDOWS\system32\ssqRICvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{346c6e2f-cb48-49d9-a789-11d74484ca15}]
C:\WINDOWS\system32\vtuts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66CC32CC-B688-848B-8C97-08B7B7F36734}]
05/02/2008 12:45 PM 114688 --a------ C:\WINDOWS\system32\HlpSet.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3}]
C:\WINDOWS\system32\jkkLDTlj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}]
C:\WINDOWS\system32\mljkhgg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABD8615E-F38F-482D-86AE-736823F5EBAC}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4c26798-1dd1-11b2-bde1-ad5ae0b31ca6}]
04/15/2008 09:02 PM 60928 --a------ C:\WINDOWS\qfopqdih.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e88d66a4-a739-a496-40e7-a68f73572996}]
04/11/2008 10:51 AM 60928 --a------ C:\WINDOWS\system32\muirjpm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 01:12 AM]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [03/29/2005 12:41 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"BM736ea382"="C:\WINDOWS\system32\iaeyvgfa.dll" []
"lozwdurq"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\lozwdurq.dll" []
"bwfifsfw"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\bwfifsfw.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 03:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/09/2007 08:49 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [11/13/2007 02:46 PM]
"Uaol"="C:\WINDOWS\system32\STEM32~1\cmd.exe" [04/12/2008 02:20 AM]
"Microsoft Windows Installer"="C:\DOCUME~1\MARIAF~1\LOCALS~1\Temp\ie.exe" [04/12/2008 02:21 AM]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" []
"Fyuqt"="C:\WINDOWS\W?nSxS\?ti2evxx.exe" []
"QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" []
"vfdwsqaq"="C:\WINDOWS\system32\babctwjw.exe" [04/18/2008 10:56 PM]
"InetChk"="C:\DOCUME~1\MARIAF~1\LOCALS~1\Temp\ms1208646428.exe" []
"Brio"="C:\Documents and Settings\MARIA FRIAS\My Documents\??pPatch\??anregw.exe" [04/11/2008 10:52 AM]
"Jnskdfmf9eldfd"="C:\DOCUME~1\MARIAF~1\LOCALS~1\Temp\csrssc.exe" [04/25/2008 12:59 PM]
"jtchhalb"="C:\WINDOWS\system32\luzclmxa.exe" [05/02/2008 09:58 AM]
"nkzobryo"="C:\WINDOWS\system32\ybitkpez.exe" [05/02/2008 12:45 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"InetChk"=C:\WINDOWS\TEMP\ms1209742902.exe work

C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [4/12/2008 2:20:41 AM]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2/8/2008 2:32:57 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"aSGD5LU9Qr"=C:\Documents and Settings\All Users\Application Data\zszszezk\datqdcbs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"aSGD5LU9Qr"=C:\Documents and Settings\All Users\Application Data\zszszezk\datqdcbs.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b0fdc513-46b9-46fc-8e70-d575ee546dae}"= C:\WINDOWS\system32\zfaiqwr.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6A6EAE1B-4AD6-4035-974D-504D6DBAA9C3}"= C:\WINDOWS\system32\jkkLDTlj.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CheckWeb"= {C111CF13-545F-6FF1-51AC-F623D452C63D} - C:\WINDOWS\system32\cryper.dll [04/16/2008 09:01 PM 261632]
"UqkioEp"= {705D90B2-DAF7-3A18-722E-160481C4CB2B} - C:\WINDOWS\system32\bwsra.dll [04/16/2007 08:52 AM 32768]
"zip"= {9226c9da-aa23-4cc4-b54e-87fcd90e2f0e} - C:\WINDOWS\Installer\{9226c9da-aa23-4cc4-b54e-87fcd90e2f0e}\zip.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkhgg]
mljkhgg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtuts.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nxx85.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-05-02 12:49:59 ------------

*********************************************************************


SDFix: Version 1.177
Run by Administrator on Fri 05/02/2008 at 12:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
ICF
service.sys
widuxngq
NXX85
ICF
service.sys
widuxngq
BLV23

Path :

ICF - Deleted
service.sys - Deleted
widuxngq - Deleted
NXX85 - Deleted
ICF - Deleted
service.sys - Deleted
widuxngq - Deleted
BLV23 - Deleted

Killing PID 852 'sbwltbxa.exe'
Killing PID 844 'wmsdkns.exe'
Killing PID 852 'sbwltbxa.exe'
Killing PID 844 'wmsdkns.exe'
Killing PID 860 'sbwltbxa.exe'
Killing PID 848 'wmsdkns.exe'
Killing PID 852 'sbwltbxa.exe'
Killing PID 844 'wmsdkns.exe'
Killing PID 860 'sbwltbxa.exe'
Killing PID 848 'wmsdkns.exe'
Killing PID 940 'sbwltbxa.exe'
Killing PID 920 'wmsdkns.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper
Restoring Default Desktop Wallpaper
Restoring Default Schedule Service Path
Resetting AppInit_DLLs value


Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Resources\DrvDrv.dll - Deleted
C:\WINDOWS\Resources\MonPrx.dll - Deleted
C:\WINDOWS\Resources\CheckCD.dll - Deleted
C:\WINDOWS\Resources\DriveKernel.dll - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\Resources\DrvDrv.dll - Deleted
C:\WINDOWS\Resources\MonPrx.dll - Deleted
C:\WINDOWS\Resources\CheckCD.dll - Deleted
C:\WINDOWS\Resources\DriveKernel.dll - Deleted
C:\WINDOWS\Resources\DrvDrv.dll - Deleted
C:\WINDOWS\Resources\MonPrx.dll - Deleted
C:\WINDOWS\Resources\CheckCD.dll - Deleted
C:\WINDOWS\Resources\DriveKernel.dll - Deleted
C:\WINDOWS\Resources\DrvDrv.dll - Deleted
C:\WINDOWS\Resources\MonPrx.dll - Deleted
C:\WINDOWS\Resources\CheckCD.dll - Deleted
C:\WINDOWS\Resources\DriveKernel.dll - Deleted
C:\WINDOWS\Resources\DrvDrv.dll - Deleted
C:\WINDOWS\Resources\MonPrx.dll - Deleted
C:\WINDOWS\Resources\CheckCD.dll - Deleted
C:\WINDOWS\Resources\DriveKernel.dll - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\system32\kdmuw.exe - Deleted
C:\188518~1 - Deleted
C:\Documents and Settings\Administrator\cftmon.exe - Deleted
C:\Documents and Settings\MARIA FRIAS\cftmon.exe - Deleted
C:\WINDOWS\Resources\DrvDrv.dll - Deleted
C:\WINDOWS\Resources\MonPrx.dll - Deleted
C:\WINDOWS\Resources\CheckCD.dll - Deleted
C:\WINDOWS\Resources\DriveKernel.dll - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\AHOJQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BILKNQH.BMP - Deleted
C:\WINDOWS\SYSTEM32\CNQPKJMT.BMP - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGFMTS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ELONQPGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FQTGFQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\GNMLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBIT.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCBITS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JEPKRQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIPSFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NQLCJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\QLKFADKR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SNETCB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGBAHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TSBQDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\SYSTEM32\PMNNFGDW.DLL - Deleted
C:\WINDOWS\system32\kdmuw.exe - Deleted
C:\188518~1 - Deleted
C:\188518~1 - Deleted
C:\Documents and Settings\Administrator\cftmon.exe - Deleted
C:\Documents and Settings\MARIA FRIAS\cftmon.exe - Deleted
C:\Program Files\tmp1.exe - Deleted
C:\Program Files\tmp2.exe - Deleted
C:\Program Files\tmp3.exe - Deleted
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url - Deleted
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url - Deleted
C:\Documents and Settings\MARIA FRIAS\Desktop\Privacy Protector.url - Deleted
C:\Program Files\cjb\cjb8.exe - Deleted
C:\Program Files\CPV\CPV8.dll - Deleted
C:\Program Files\iSecurity\iSecurity.dat - Deleted
C:\Program Files\iSecurity\ucleaner.bmp - Deleted
C:\Program Files\iSecurity\ucleaneri.bmp - Deleted
C:\Program Files\iSecurity\udefender.bmp - Deleted
C:\Program Files\iSecurity\udefenderi.bmp - Deleted
C:\Program Files\iSecurity\winifixer.bmp - Deleted
C:\Program Files\iSecurity\winifixeri.bmp - Deleted
C:\Program Files\iSecurity\v5\iSecurity.cpl - Deleted
C:\Program Files\iSecurity\{32FF2108-1EF0-4ae8-8C23-17C92EAA5DEF}\install.exe - Deleted
C:\Program Files\ISM\ism.exe - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\Program Files\QdrDrive\QdrDrive15.dll - Deleted
C:\Program Files\QdrDrive\qdrloader.exe - Deleted
C:\Program Files\QdrPack\dicts.gz - Deleted
C:\Program Files\QdrPack\QdrPack15.exe - Deleted
C:\Program Files\QdrPack\trgts.gz - Deleted
C:\Program Files\QdrModule\dicy.gz - Deleted
C:\Program Files\QdrModule\kwdy.gz - Deleted
C:\Program Files\QdrModule\pckr.dat - Deleted
C:\Program Files\QdrModule\QdrModule15.exe - Deleted
C:\Program Files\VirusHeat 4.3\vpp.ini - Deleted
C:\Program Files\VirusIsolator\vscan.tsi - Deleted
C:\d.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b138.exe - Deleted
C:\WINDOWS\gndarmblsnv.dll - Deleted
C:\WINDOWS\qnmargoldpq.dll - Deleted
C:\WINDOWS\system32\~.exe - Deleted
C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\smp.bat - Deleted
C:\tempdel.bat - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\2020search.dll - Deleted
C:\WINDOWS\2020search2.dll - Deleted
C:\WINDOWS\apphelp32.dll - Deleted
C:\WINDOWS\asferror32.dll - Deleted
C:\WINDOWS\asycfilt32.dll - Deleted
C:\WINDOWS\athprxy32.dll - Deleted
C:\WINDOWS\ati2dvaa32.dll - Deleted
C:\WINDOWS\ati2dvag32.dll - Deleted
C:\WINDOWS\audiosrv32.dll - Deleted
C:\WINDOWS\autodisc32.dll - Deleted
C:\WINDOWS\avifile32.dll - Deleted
C:\WINDOWS\avisynthex32.dll - Deleted
C:\WINDOWS\aviwrap32.dll - Deleted
C:\WINDOWS\bjam.dll - Deleted
C:\WINDOWS\bokja.exe - Deleted
C:\WINDOWS\browserad.dll - Deleted
C:\WINDOWS\cdsm32.dll - Deleted
C:\WINDOWS\changeurl_30.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\didduid.ini - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\msa64chk.dll - Deleted
C:\WINDOWS\msapasrc.dll - Deleted
C:\WINDOWS\mspphe.dll - Deleted
C:\WINDOWS\mssvr.exe - Deleted
C:\WINDOWS\npqtsrak.exe - Deleted
C:\WINDOWS\ntnut.exe - Deleted
C:\WINDOWS\olgdqarf.exe - Deleted
C:\WINDOWS\pmsoarbf.dll - Deleted
C:\WINDOWS\qadovnel.dll - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\rtqmekwg.exe - Deleted
C:\WINDOWS\saiemod.dll - Deleted
C:\WINDOWS\shdocpe.dll - Deleted
C:\WINDOWS\shdocpl.dll - Deleted
C:\WINDOWS\spwoqbmv.exe - Deleted
C:\WINDOWS\stcloader.exe - Deleted
C:\WINDOWS\swin32.dll - Deleted
C:\WINDOWS\system32\382077\382077.dll - Deleted
C:\WINDOWS\system32\717305\717305.dll - Deleted
C:\WINDOWS\system32\iSecurity.cpl - Deleted
C:\WINDOWS\system32\n.ini - Deleted
C:\WINDOWS\system32\sbwltbxa.exe - Deleted
C:\WINDOWS\system32\service.exe - Deleted
C:\WINDOWS\system32\wind32.exe - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
C:\WINDOWS\system32\wmsdkns.exe - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\Temp\svchost.exe - Deleted
C:\WINDOWS\textos.txt - Deleted
C:\WINDOWS\vadokmxt.dll - Deleted
C:\WINDOWS\voiceip.dll - Deleted
C:\WINDOWS\winsb.dll - Deleted
C:\WINDOWS\winself.exe - Deleted
C:\WINDOWS\wxvgsdbq.exe - Deleted
C:\WINDOWS\xbaqktfv.exe - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\system32\service.sys - Deleted
C:\WINDOWS\widuxngq.sys - Deleted
C:\WINDOWS\system32\drivers\NXX85.sys - Deleted
C:\WINDOWS\system32\drivers\BLV23.sys - Deleted



Folder C:\Documents and Settings\MARIA FRIAS\Application Data\WinTouch - Removed
Folder C:\Program Files\cjb - Removed
Folder C:\Program Files\CPV - Removed
Folder C:\Program Files\iSecurity - Removed
Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\QdrDrive - Removed
Folder C:\Program Files\QdrPack - Removed
Folder C:\Program Files\QdrModule - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\VirusHeat 4.3 - Removed
Folder C:\Program Files\VirusIsolator - Removed
Folder C:\WINDOWS\system32\382077 - Removed
Folder C:\WINDOWS\system32\717305 - Removed


Removing Temp Files

ADS Check :


C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 28160 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 12:42:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\services\MRxDAV\EncryptedDirectories]
@=""

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"c:\\windows\\system32\\gpld2.exe"="c:\\windows\\system32\\gpld2.exe:*:Enabled:gpld2"
"C:\\WINDOWS\\system32\\service.exe"="C:\\WINDOWS\\system32\\service.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Fri 22 Feb 2008 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 17 Apr 2008 20,480 A.SH. --- "C:\WINDOWS\system32\000090y.dll"
Thu 17 Apr 2008 41,984 A.SHR --- "C:\WINDOWS\system32\3com_dmix.exe"
Mon 25 Jun 2007 88 ..SHR --- "C:\WINDOWS\system32\780E16FE96.sys"
Thu 17 Apr 2008 22,016 A.SH. --- "C:\WINDOWS\system32\acluid.dll"
Mon 25 Jun 2007 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 12 Apr 2008 89,088 ..SHR --- "C:\WINDOWS\system32\??stem32\cmd.exe"
Fri 25 Apr 2008 15,505 ...H. --- "C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\csrssc.exe"
Fri 11 Apr 2008 230,400 ..SHR --- "C:\Documents and Settings\MARIA FRIAS\My Documents\à?pPatch\??anregw.exe"
Fri 22 Feb 2008 8,868,392 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\785aa2dbc510bd1f51262ba8ca3b1964\BIT9B.tmp"
Tue 25 Mar 2008 6,104,632 A..H. --- "C:\Documents and Settings\All Users\Application Data\Google Updater\cache\BIT1.tmp"
Thu 19 Apr 2007 11,115 A.SH. --- "C:\Documents and Settings\MARIA FRIAS\My Documents\My Music\License Backup\drmv2key.bak"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\MARIA FRIAS\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\MARIA FRIAS\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\MARIA FRIAS\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\MARIA FRIAS\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

******************************************************************

#4 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:26 AM

Posted 02 May 2008 - 06:22 PM

Hi Chuck,

Please do not put my reply in a quote box, as that just makes the thread very long and hard to read. You should be using the Add Reply button to reply to these threads.

You need to realize that you are missing one important program on that computer: an antivirus. What happened to your AVG antivirus? I don't see it in your log. :thumbsup:

This is somewhat suicidal in today's digital world!

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and seriously decrease its reliability!

************************

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and paste the entire report in your next reply, along with a fresh Deckard's System Scanner log and the antivirus log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 02 May 2008 - 06:28 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Chuck S

  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:26 AM

Posted 03 May 2008 - 11:56 AM

I installed AVG, updated and scanned; however, it did not provide me with a log.
I installed MBAM and ran it. Here is the log it created.
After running both of these, I am no longer able to boot normally. It comes up with the Blue Screen of Death. I have to boot in Safe Mode to get it to load Windows.

Malwarebytes' Anti-Malware 1.11
Database version: 711

Scan type: Quick Scan
Objects scanned: 52154
Time elapsed: 29 minute(s), 50 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 1
Registry Keys Infected: 47
Registry Values Infected: 12
Registry Data Items Infected: 0
Folders Infected: 14
Files Infected: 55

Memory Processes Infected:
c:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Unloaded process successfully.
c:\program files\Bat\X_Bat.exe (Adware.Batco) -> Unloaded process successfully.
C:\WINDOWS\system32\babctwjw.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\ie.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\webhancer\Programs\webhdll.dll (Adware.WebHancer) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c111cf13-545f-6ff1-51ac-f623d452c63d} (Spyware.Delf) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eff4851a-2e0c-4d2f-b916-862955b8e721} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f94bab71-2806-45f1-bb49-3c2a128085f7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc1e1ac3-3303-4bc5-913c-735d8b393fad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d95c697f-d985-4ab1-92b5-40df04bbe322} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b0fdc513-46b9-46fc-8e70-d575ee546dae} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{83b0cadc-ea64-4ac6-822a-3ece95f44da6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e88d66a4-a739-a496-40e7-a68f73572996} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e88d66a4-a739-a496-40e7-a68f73572996} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\icasServ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSysInterv1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfdwsqaq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jtchhalb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nkzobryo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnznafob (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CheckWeb (Spyware.Delf) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b0fdc513-46b9-46fc-8e70-d575ee546dae} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6a6eae1b-4ad6-4035-974d-504d6dbaa9c3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM736ea382 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Clicker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Installer\{9226c9da-aa23-4cc4-b54e-87fcd90e2f0e} (Trojan.Alphabet) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Inet_Get_2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\webHancer (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Delete on reboot.
C:\Program Files\AntiVirusPro (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\AntiVirusPro\Quarantine (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Program Files\Bat (Adware.Batco) -> Quarantined and deleted successfully.
C:\iSecurity (Rogue.ISecurity) -> Quarantined and deleted successfully.
C:\iSecurity\v5 (Rogue.ISecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\VirusHeat 4.3 (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\webhancer\Programs\webhdll.dll (Adware.WebHancer) -> Delete on reboot.
c:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\babctwjw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\luzclmxa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ybitkpez.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kzupovyd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cryper.dll (Spyware.Delf) -> Delete on reboot.
C:\Program Files\Bat\Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ETM345QF\Setup[1].exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\W5IBWPUF\loader[1].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\kriv[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbem\csrss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\muirjpm.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\WINDOWS\b155.exe_old (Trojan.Agent) -> Quarantined and deleted successfully.
C:\atpjpfl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\dssic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\gjtxc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\gpqdiib.exe.bak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\lilsesn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\codec.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\dllsvr32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\emotnljk.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\EXPLOR~1.EXE.bak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\gold.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\iframestat.exe (Worm.Zhelatin) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\NDR2E.tmp (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\rsyncini.exe (Trojan.Shutdowner) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\zfe1.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QXECG6RL\setup[1].exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPO3S7OR\PLAY_MP3[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Outerinfo\OiUninstaller.exe (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Info.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\VirusHeat 4.3\Uninstall VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3 Website.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\ie.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oqtss.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Local Settings\Temp\ismtpa15.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Start Menu\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\MARIA FRIAS\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.

***********************************************************

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-03 09:55:20
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:27 AM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {00376d83-a433-d393-b6a8-07e61f05074f} - C:\WINDOWS\system32\apisrvmnt.dll
O2 - BHO: (no name) - {2871c785-3cf5-f931-30cd-08b21fb17f67} - C:\WINDOWS\system32\strdsc.dll
O2 - BHO: (no name) - {2e006df2-4579-42a6-817d-2ca19e4f45b5} - C:\WINDOWS\system32\ssqRICvs.dll (file missing)
O2 - BHO: (no name) - {346c6e2f-cb48-49d9-a789-11d74484ca15} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: (no name) - {38BAF435-0AF4-64E2-7B68-098F69D0451B} - C:\WINDOWS\system32\DscCmdUi.dll
O2 - BHO: (no name) - {66CC32CC-B688-848B-8C97-08B7B7F36734} - C:\WINDOWS\system32\HlpSet.dll
O2 - BHO: (no name) - {ABD8615E-F38F-482D-86AE-736823F5EBAC} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {d4c26798-1dd1-11b2-bde1-ad5ae0b31ca6} - C:\WINDOWS\qfopqdih.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lozwdurq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lozwdurq.dll"
O4 - HKLM\..\Run: [bwfifsfw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bwfifsfw.dll"
O4 - HKLM\..\Run: [xivsncdw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xivsncdw.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingB1576] command /c del "C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9650] cmd /c del "C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5222] command /c del "C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3236] cmd /c del "C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8231] command /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2880] cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKCU\..\RunOnce: [SpybotDeletingB526] command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6458] cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5890] command /c del "C:\WINDOWS\system32smp\msrc.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9568] cmd /c del "C:\WINDOWS\system32smp\msrc.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7113] command /c del "C:\WINDOWS\system32\zfaiqwr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8524] cmd /c del "C:\WINDOWS\system32\zfaiqwr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2497] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD176] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8094] command /c del "C:\WINDOWS\system32\ssqRICvs.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6390] cmd /c del "C:\WINDOWS\system32\ssqRICvs.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4387] command /c del "C:\WINDOWS\wxdbpfvo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD940] cmd /c del "C:\WINDOWS\wxdbpfvo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8355] command /c del "C:\Program Files\NetProject\scit.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3263] cmd /c del "C:\Program Files\NetProject\scit.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6204] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3835] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4462] command /c del "C:\WINDOWS\system32\sstqo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2200] cmd /c del "C:\WINDOWS\system32\sstqo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2278] command /c del "C:\WINDOWS\system32\fygsxbpu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4741] cmd /c del "C:\WINDOWS\system32\fygsxbpu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7313] command /c del "C:\WINDOWS\system32\mxfyqjpo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5058] cmd /c del "C:\WINDOWS\system32\mxfyqjpo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9738] command /c del "C:\WINDOWS\system32\tfcohvxb.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5712] cmd /c del "C:\WINDOWS\system32\tfcohvxb.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7691] command /c del "C:\WINDOWS\system32\mljkhgg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9363] cmd /c del "C:\WINDOWS\system32\mljkhgg.dll"
O4 - HKLM\..\Policies\Explorer\Run: [aSGD5LU9Qr] C:\Documents and Settings\All Users\Application Data\zszszezk\datqdcbs.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [InetChk] C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\ms1209830186.exe work (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1209742902.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1209742902.exe work (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{543E9157-5000-4E60-AEDE-13CBD9CD0386}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{73BFC08E-FFCF-450D-86D0-185EF0DE5A86}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{C96E404F-38DF-4765-9DCD-9A43781C424D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O21 - SSODL: UqkioEp - {705D90B2-DAF7-3A18-722E-160481C4CB2B} - C:\WINDOWS\system32\bwsra.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Media Center Receiver Service ehRecvrSQLAgent$MICROSOFTSMLBIZ (ehRecvrSQLAgent$MICROSOFTSMLBIZ) - Unknown owner - C:\WINDOWS\system32\3com_dmix.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 12330 bytes

-- Files created between 2008-04-03 and 2008-05-03 -----------------------------

2008-05-03 08:06:22 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\Malwarebytes
2008-05-03 07:58:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-02 16:27:04 98304 --a------ C:\Documents and Settings\All Users\Application Data\xivsncdw.dll
2008-05-02 16:27:03 98304 --a------ C:\WINDOWS\system32\DscCmdUi.dll
2008-05-02 12:45:58 114688 --a------ C:\WINDOWS\system32\HlpSet.dll
2008-05-02 12:45:58 114688 --a------ C:\Documents and Settings\All Users\Application Data\bwfifsfw.dll
2008-05-02 11:35:40 0 d-------- C:\WINDOWS\ERUNT
2008-05-02 09:58:11 122880 --a------ C:\Documents and Settings\All Users\Application Data\lozwdurq.dll
2008-05-02 09:58:08 122880 --a------ C:\WINDOWS\system32\strdsc.dll
2008-05-02 09:00:16 518524 --ahs---- C:\WINDOWS\system32\stutv.ini2
2008-05-02 08:45:28 321 --ahs---- C:\WINDOWS\system32\nqtss.ini2
2008-05-02 07:57:18 514792 --ahs---- C:\WINDOWS\system32\oqtss.ini2
2008-05-01 03:24:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-01 03:24:15 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-01 03:24:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 13:14:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 13:14:23 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 13:14:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-25 13:10:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-25 13:08:40 0 d--hs---- C:\WINDOWS\CSC
2008-04-25 13:05:55 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 12:59:32 118784 --a------ C:\WINDOWS\system32\apisrvmnt.dll
2008-04-25 12:59:32 0 d-------- C:\Documents and Settings\All Users\Application Data\zszszezk
2008-04-25 12:59:32 118784 --a------ C:\Documents and Settings\All Users\Application Data\ivmzcrqh.dll
2008-04-25 12:06:56 0 dr-h----- C:\$VAULT$.AVG
2008-04-25 11:38:29 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\AVG7
2008-04-25 11:38:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-25 11:37:43 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-19 20:07:15 0 d-------- C:\WINDOWS\privacy_danger(2)
2008-04-19 18:47:43 4194304 --a------ C:\Documents and Settings\MARIA FRIAS\NTUSER.DAT
2008-04-19 18:47:37 262144 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-04-19 18:46:26 425456 --ahs---- C:\WINDOWS\system32\svCIRqss.ini2
2008-04-19 10:12:16 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\TmpRecentIcons
2008-04-18 22:56:47 0 d-------- C:\Documents and Settings\All Users\Application Data\hirixsla
2008-04-17 16:33:03 20480 --ahs---- C:\WINDOWS\system32\000090y.dll
2008-04-17 16:32:53 22016 --ahs---- C:\WINDOWS\system32\acluid.dll
2008-04-17 16:31:41 195 --a-s---- C:\WINDOWS\system32\2399076128.dat
2008-04-17 16:31:31 41984 -rahs---- C:\WINDOWS\system32\3com_dmix.exe
2008-04-15 21:02:22 60928 --a------ C:\Documents and Settings\All Users\Application Data\ulufkdmf.dll
2008-04-15 21:02:21 60928 --a------ C:\WINDOWS\qfopqdih.dll
2008-04-15 18:32:01 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\s?curity
2008-04-14 15:38:53 0 d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\Mozilla
2008-04-14 15:34:40 0 d-------- C:\Program Files\RcvSystem
2008-04-14 15:32:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 22:57:54 0 d-------- C:\Program Files\??mantec
2008-04-12 18:15:19 6656 --a------ C:\WINDOWS\ons.dll
2008-04-12 07:07:53 0 d-------- C:\Program Files\iPod
2008-04-12 07:05:20 0 d-------- C:\Program Files\Bonjour
2008-04-12 07:02:07 0 d-------- C:\Program Files\Apple Software Update
2008-04-12 07:01:51 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-12 07:01:26 0 d-------- C:\Program Files\Common Files\Apple
2008-04-12 07:01:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-12 02:21:21 0 d-------- C:\WINDOWS\W?nSxS
2008-04-12 02:20:58 0 d-------- C:\WINDOWS\system32\??stem32
2008-04-12 02:20:46 0 d-------- C:\Program Files\webHancer
2008-04-12 02:20:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-12 02:20:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-04-12 02:20:35 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-11 23:14:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-07 14:20:46 4876 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Find3M Report ---------------------------------------------------------------

2008-04-30 22:37:55 0 d-------- C:\Program Files\Common Files
2008-04-25 12:10:58 0 d-------- C:\Program Files\Trend Micro
2008-04-25 11:33:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 22:55:59 17408 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-18 20:20:29 0 d-------- C:\Program Files\World of Warcraft
2008-04-14 20:35:22 0 d-------- C:\Program Files\BearShare Applications
2008-04-14 03:29:24 0 d-------- C:\Program Files\iTunes
2008-04-13 22:57:54 0 d-------- C:\Program Files\??mantec
2008-04-12 07:05:01 0 d-------- C:\Program Files\QuickTime
2008-04-10 23:18:45 0 d-------- C:\Program Files\Warcraft III
2008-03-31 16:23:26 82210 --a------ C:\WINDOWS\War3Unin.dat
2008-03-31 16:11:25 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-03-31 16:11:25 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-03-22 08:19:00 0 d-------- C:\Program Files\Dl_cats
2008-03-06 00:48:54 0 d-------- C:\Program Files\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00376d83-a433-d393-b6a8-07e61f05074f}]
04/25/2008 12:59 PM 118784 --a------ C:\WINDOWS\system32\apisrvmnt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2871c785-3cf5-f931-30cd-08b21fb17f67}]
05/02/2008 09:58 AM 122880 --a------ C:\WINDOWS\system32\strdsc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e006df2-4579-42a6-817d-2ca19e4f45b5}]
C:\WINDOWS\system32\ssqRICvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{346c6e2f-cb48-49d9-a789-11d74484ca15}]
C:\WINDOWS\system32\vtuts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38BAF435-0AF4-64E2-7B68-098F69D0451B}]
05/02/2008 04:27 PM 98304 --a------ C:\WINDOWS\system32\DscCmdUi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66CC32CC-B688-848B-8C97-08B7B7F36734}]
05/02/2008 12:45 PM 114688 --a------ C:\WINDOWS\system32\HlpSet.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABD8615E-F38F-482D-86AE-736823F5EBAC}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4c26798-1dd1-11b2-bde1-ad5ae0b31ca6}]
04/15/2008 09:02 PM 60928 --a------ C:\WINDOWS\qfopqdih.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 01:12 AM]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [03/29/2005 12:41 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"lozwdurq"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\lozwdurq.dll" []
"bwfifsfw"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\bwfifsfw.dll" []
"xivsncdw"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\xivsncdw.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [05/03/2008 08:02 AM]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [04/07/2008 08:17 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB1576"=command /c del "C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Terms.lnk"
"SpybotDeletingD9650"=cmd /c del "C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Terms.lnk"
"SpybotDeletingB5222"=command /c del "C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Uninstall.lnk"
"SpybotDeletingD3236"=cmd /c del "C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Uninstall.lnk"
"SpybotDeletingB8231"=command /c del "C:\Program Files\Outerinfo\FF\install.rdf"
"SpybotDeletingD2880"=cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf"
"SpybotDeletingB526"=command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
"SpybotDeletingD6458"=cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
"SpybotDeletingB5890"=command /c del "C:\WINDOWS\system32smp\msrc.exe"
"SpybotDeletingD9568"=cmd /c del "C:\WINDOWS\system32smp\msrc.exe"
"SpybotDeletingB7113"=command /c del "C:\WINDOWS\system32\zfaiqwr.dll_old"
"SpybotDeletingD8524"=cmd /c del "C:\WINDOWS\system32\zfaiqwr.dll_old"
"SpybotDeletingB2497"=command /c del "C:\WINDOWS\wt\webdriver.dll"
"SpybotDeletingD176"=cmd /c del "C:\WINDOWS\wt\webdriver.dll"
"SpybotDeletingB8094"=command /c del "C:\WINDOWS\system32\ssqRICvs.dll_old"
"SpybotDeletingD6390"=cmd /c del "C:\WINDOWS\system32\ssqRICvs.dll_old"
"SpybotDeletingB4387"=command /c del "C:\WINDOWS\wxdbpfvo.dll_old"
"SpybotDeletingD940"=cmd /c del "C:\WINDOWS\wxdbpfvo.dll_old"
"SpybotDeletingB8355"=command /c del "C:\Program Files\NetProject\scit.exe_old"
"SpybotDeletingD3263"=cmd /c del "C:\Program Files\NetProject\scit.exe_old"
"SpybotDeletingB6204"=command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
"SpybotDeletingD3835"=cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
"SpybotDeletingB4462"=command /c del "C:\WINDOWS\system32\sstqo.dll_old"
"SpybotDeletingD2200"=cmd /c del "C:\WINDOWS\system32\sstqo.dll_old"
"SpybotDeletingB2278"=command /c del "C:\WINDOWS\system32\fygsxbpu.dll_old"
"SpybotDeletingD4741"=cmd /c del "C:\WINDOWS\system32\fygsxbpu.dll_old"
"SpybotDeletingB7313"=command /c del "C:\WINDOWS\system32\mxfyqjpo.dll_old"
"SpybotDeletingD5058"=cmd /c del "C:\WINDOWS\system32\mxfyqjpo.dll_old"
"SpybotDeletingB9738"=command /c del "C:\WINDOWS\system32\tfcohvxb.dll_old"
"SpybotDeletingD5712"=cmd /c del "C:\WINDOWS\system32\tfcohvxb.dll_old"
"SpybotDeletingB7691"=command /c del "C:\WINDOWS\system32\mljkhgg.dll"
"SpybotDeletingD9363"=cmd /c del "C:\WINDOWS\system32\mljkhgg.dll"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"InetChk"=C:\WINDOWS\TEMP\ms1209742902.exe work

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"aSGD5LU9Qr"=C:\Documents and Settings\All Users\Application Data\zszszezk\datqdcbs.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UqkioEp"= {705D90B2-DAF7-3A18-722E-160481C4CB2B} - C:\WINDOWS\system32\bwsra.dll [04/16/2007 08:52 AM 32768]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtuts.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nxx85.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-05-03 09:55:44 ------------

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 May 2008 - 12:12 PM

Hi Chuck,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVG Antivirus and Spybot TeaTimer before running ComboFix, as they will prevent it from running.

I notice that you have Spybot's TeaTimer running.
While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


You can try running ComboFix in Safe Mode with Networking.
When you boot up to the Safe Mode menu screen, select the following option:
Safe Mode with Networking
This option loads the same files and drivers as Safe Mode, plus the services and drivers necessary to start networking.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even when you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 03 May 2008 - 12:15 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Chuck S

Chuck S
  • Topic Starter

  • Members
  • 4 posts

Posted 05 May 2008 - 10:58 PM

Hi SifuMike,
I was able to install and run ComboFix. Here is the resulting log.
****************************************************
ComboFix 08-05-01.3 - Administrator 2008-05-05 20:45:41.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.808 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\MARIA FRIAS\Application Data\SCURIT~1
C:\Documents and Settings\MARIA FRIAS\My Documents\ASEMBL~1
C:\Documents and Settings\MARIA FRIAS\My Documents\ASKS~1
C:\Documents and Settings\MARIA FRIAS\My Documents\PPATCH~1
C:\Documents and Settings\MARIA FRIAS\My Documents\PPATCH~1\??anregw.exe
C:\Program Files\mantec~1
C:\Program Files\webhancer
C:\WINDOWS\conf.inf
C:\WINDOWS\cookies.ini
C:\WINDOWS\ky.sxc
C:\WINDOWS\mscon.sio
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bxvhocft.ini
C:\WINDOWS\system32\hsuwalik.ini
C:\WINDOWS\system32\jxhaoxtf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nqtss.ini
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\stem32~1\??stem32\
C:\WINDOWS\system32\stem32~1\cmd.exe
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\svCIRqss.ini
C:\WINDOWS\system32\svCIRqss.ini2
C:\WINDOWS\system32\texmtlhe.ini
C:\WINDOWS\wintst32.tmp
C:\WINDOWS\wnsxs~1

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-03 08:06 . 2008-05-03 08:06 <DIR> d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\Malwarebytes
2008-05-03 07:58 . 2008-05-03 07:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-02 16:27 . 2008-05-02 16:27 98,304 --a------ C:\WINDOWS\system32\DscCmdUi.dll
2008-05-02 16:27 . 2008-05-02 16:27 98,304 --a------ C:\Documents and Settings\All Users\Application Data\xivsncdw.dll
2008-05-02 12:45 . 2008-05-02 12:45 114,688 --a------ C:\WINDOWS\system32\HlpSet.dll
2008-05-02 12:45 . 2008-05-02 12:45 114,688 --a------ C:\Documents and Settings\All Users\Application Data\bwfifsfw.dll
2008-05-02 11:45 . 2008-05-02 12:44 <DIR> d-------- C:\SDFix
2008-05-02 11:35 . 2008-05-02 11:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-02 09:58 . 2008-05-02 09:58 122,880 --a------ C:\WINDOWS\system32\strdsc.dll
2008-05-02 09:58 . 2008-05-02 09:58 122,880 --a------ C:\Documents and Settings\All Users\Application Data\lozwdurq.dll
2008-05-02 07:58 . 2008-05-02 07:58 109,738 --a------ C:\WINDOWS\BM736ea382.xml
2008-05-01 03:24 . 2008-05-03 08:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-01 03:24 . 2008-05-01 03:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-01 03:24 . 2008-05-01 03:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-25 14:18 . 2008-04-25 14:18 <DIR> d-------- C:\Deckard
2008-04-25 13:14 . 2008-04-25 13:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 13:14 . 2008-04-25 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 13:14 . 2008-05-05 08:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-25 13:05 . 2008-05-01 02:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 12:59 . 2008-05-02 16:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\zszszezk
2008-04-25 12:59 . 2008-04-25 12:59 118,784 --a------ C:\WINDOWS\system32\apisrvmnt.dll
2008-04-25 12:59 . 2008-04-25 12:59 118,784 --a------ C:\Documents and Settings\All Users\Application Data\ivmzcrqh.dll
2008-04-25 12:06 . 2008-05-03 09:45 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-25 11:38 . 2008-05-03 08:03 <DIR> d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\AVG7
2008-04-25 11:38 . 2008-04-25 11:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-25 11:37 . 2008-05-03 07:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-25 10:49 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-19 20:07 . 2008-04-25 10:39 <DIR> d-------- C:\WINDOWS\privacy_danger(2)
2008-04-19 10:12 . 2008-04-25 20:30 <DIR> d-------- C:\Documents and Settings\MARIA FRIAS\Application Data\TmpRecentIcons
2008-04-18 22:56 . 2008-05-03 09:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hirixsla
2008-04-17 16:33 . 2008-04-17 16:33 20,480 --ahs---- C:\WINDOWS\system32\000090y.dll
2008-04-17 16:32 . 2008-04-17 16:32 22,016 --ahs---- C:\WINDOWS\system32\acluid.dll
2008-04-17 16:31 . 2008-04-17 16:31 41,984 -rahs---- C:\WINDOWS\system32\3com_dmix.exe
2008-04-17 16:31 . 2008-05-02 13:13 195 --a-s---- C:\WINDOWS\system32\2399076128.dat
2008-04-15 21:02 . 2008-04-15 21:02 60,928 --a------ C:\WINDOWS\qfopqdih.dll
2008-04-15 21:02 . 2008-04-15 21:02 60,928 --a------ C:\Documents and Settings\All Users\Application Data\ulufkdmf.dll
2008-04-14 15:34 . 2008-04-14 15:34 <DIR> d-------- C:\Program Files\RcvSystem
2008-04-14 15:32 . 2008-04-30 21:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 15:32 . 2008-05-03 10:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-12 18:15 . 2008-04-12 18:15 6,656 --a------ C:\WINDOWS\ons.dll
2008-04-12 07:27 . 2008-05-03 06:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 07:27 . 2008-04-12 07:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-12 07:07 . 2008-04-12 07:07 <DIR> d-------- C:\Program Files\iPod
2008-04-12 07:05 . 2008-04-12 07:05 <DIR> d-------- C:\Program Files\Bonjour
2008-04-12 07:02 . 2008-04-12 07:02 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-12 07:01 . 2008-04-12 07:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-12 07:01 . 2008-04-12 07:01 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-12 07:01 . 2008-04-12 07:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-12 06:58 . 2008-04-12 06:58 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-04-12 02:31 . 2008-05-03 07:08 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-07 14:23 . 2005-10-14 11:45 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-07 14:20 . 2008-04-07 14:20 4,876 --a------ C:\WINDOWS\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-25 19:10 --------- d-----w C:\Program Files\Trend Micro
2008-04-25 18:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-19 03:20 --------- d-----w C:\Program Files\World of Warcraft
2008-04-15 03:35 --------- d-----w C:\Program Files\BearShare Applications
2008-04-14 10:29 --------- d-----w C:\Program Files\iTunes
2008-04-12 14:05 --------- d-----w C:\Program Files\QuickTime
2008-04-11 06:18 --------- d-----w C:\Program Files\Warcraft III
2008-03-31 23:11 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-03-31 23:11 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-03-22 15:19 --------- d-----w C:\Program Files\Dl_cats
2008-03-06 07:48 --------- d-----w C:\Program Files\LimeWire
2007-02-05 04:39 438 ----a-w C:\Documents and Settings\MARIA FRIAS\Application Data\wklnhst.dat
2007-06-26 02:52 88 --sh--r C:\WINDOWS\system32\780E16FE96.sys
2007-06-26 02:52 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-04-20 05:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 09:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-10 03:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 04:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 10:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 10:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00376d83-a433-d393-b6a8-07e61f05074f}]
2008-04-25 12:59 118784 --a------ C:\WINDOWS\system32\apisrvmnt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2871c785-3cf5-f931-30cd-08b21fb17f67}]
2008-05-02 09:58 122880 --a------ C:\WINDOWS\system32\strdsc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e006df2-4579-42a6-817d-2ca19e4f45b5}]
C:\WINDOWS\system32\ssqRICvs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{346c6e2f-cb48-49d9-a789-11d74484ca15}]
C:\WINDOWS\system32\vtuts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38BAF435-0AF4-64E2-7B68-098F69D0451B}]
2008-05-02 16:27 98304 --a------ C:\WINDOWS\system32\DscCmdUi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66CC32CC-B688-848B-8C97-08B7B7F36734}]
2008-05-02 12:45 114688 --a------ C:\WINDOWS\system32\HlpSet.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABD8615E-F38F-482D-86AE-736823F5EBAC}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4c26798-1dd1-11b2-bde1-ad5ae0b31ca6}]
2008-04-15 21:02 60928 --a------ C:\WINDOWS\qfopqdih.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [ ]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB1576"="command /c del C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Terms.lnk" [ ]
"SpybotDeletingD9650"="cmd /c del C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Terms.lnk" [ ]
"SpybotDeletingB5222"="command /c del C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Uninstall.lnk" [ ]
"SpybotDeletingD3236"="cmd /c del C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Outerinfo\Uninstall.lnk" [ ]
"SpybotDeletingB8231"="command /c del C:\Program Files\Outerinfo\FF\install.rdf" [ ]
"SpybotDeletingD2880"="cmd /c del C:\Program Files\Outerinfo\FF\install.rdf" [ ]
"SpybotDeletingB526"="command /c del C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt" [ ]
"SpybotDeletingD6458"="cmd /c del C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt" [ ]
"SpybotDeletingB5890"="command /c del C:\WINDOWS\system32smp\msrc.exe" [ ]
"SpybotDeletingD9568"="cmd /c del C:\WINDOWS\system32smp\msrc.exe" [ ]
"SpybotDeletingB7113"="command /c del C:\WINDOWS\system32\zfaiqwr.dll_old" [ ]
"SpybotDeletingD8524"="cmd /c del C:\WINDOWS\system32\zfaiqwr.dll_old" [ ]
"SpybotDeletingB2497"="command /c del C:\WINDOWS\wt\webdriver.dll" [ ]
"SpybotDeletingD176"="cmd /c del C:\WINDOWS\wt\webdriver.dll" [ ]
"SpybotDeletingB8094"="command /c del C:\WINDOWS\system32\ssqRICvs.dll_old" [ ]
"SpybotDeletingD6390"="cmd /c del C:\WINDOWS\system32\ssqRICvs.dll_old" [ ]
"SpybotDeletingB4387"="command /c del C:\WINDOWS\wxdbpfvo.dll_old" [ ]
"SpybotDeletingD940"="cmd /c del C:\WINDOWS\wxdbpfvo.dll_old" [ ]
"SpybotDeletingB8355"="command /c del C:\Program Files\NetProject\scit.exe_old" [ ]
"SpybotDeletingD3263"="cmd /c del C:\Program Files\NetProject\scit.exe_old" [ ]
"SpybotDeletingB6204"="command /c del C:\Program Files\NetProject\sbmntr.exe_old" [ ]
"SpybotDeletingD3835"="cmd /c del C:\Program Files\NetProject\sbmntr.exe_old" [ ]
"SpybotDeletingB4462"="command /c del C:\WINDOWS\system32\sstqo.dll_old" [ ]
"SpybotDeletingD2200"="cmd /c del C:\WINDOWS\system32\sstqo.dll_old" [ ]
"SpybotDeletingB2278"="command /c del C:\WINDOWS\system32\fygsxbpu.dll_old" [ ]
"SpybotDeletingD4741"="cmd /c del C:\WINDOWS\system32\fygsxbpu.dll_old" [ ]
"SpybotDeletingB7313"="command /c del C:\WINDOWS\system32\mxfyqjpo.dll_old" [ ]
"SpybotDeletingD5058"="cmd /c del C:\WINDOWS\system32\mxfyqjpo.dll_old" [ ]
"SpybotDeletingB9738"="command /c del C:\WINDOWS\system32\tfcohvxb.dll_old" [ ]
"SpybotDeletingD5712"="cmd /c del C:\WINDOWS\system32\tfcohvxb.dll_old" [ ]
"SpybotDeletingB7691"="command /c del C:\WINDOWS\system32\mljkhgg.dll" [ ]
"SpybotDeletingD9363"="cmd /c del C:\WINDOWS\system32\mljkhgg.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 01:12 94208]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-29 12:41 1245184]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-03 08:02 579584]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"InetChk"="C:\WINDOWS\TEMP\ms1210045509.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-05-03 07:59 219136]

C:\Documents and Settings\MARIA FRIAS\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 14:32:57 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"aSGD5LU9Qr"= C:\Documents and Settings\All Users\Application Data\zszszezk\datqdcbs.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UqkioEp"= {705D90B2-DAF7-3A18-722E-160481C4CB2B} - C:\WINDOWS\system32\bwsra.dll [2007-04-16 08:52 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nxx85.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S2 ehRecvrSQLAgent$MICROSOFTSMLBIZ;Media Center Receiver Service ehRecvrSQLAgent$MICROSOFTSMLBIZ;C:\WINDOWS\system32\3com_dmix.exe [2008-04-17 16:31]
S2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2007-07-14 19:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 14:02:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 20:50:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-05-05 20:54:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 03:54:00

Pre-Run: 133,619,007,488 bytes free
Post-Run: 134,051,889,152 bytes free

236 --- E O F --- 2008-05-01 03:25:40
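
The DSS and ComboFix logs above show the autostart points this infection relies on: a Run value that calls `regsvr32 /u` on a DLL in All Users\Application Data, a policies\Explorer\Run value, a ShellServiceObjectDelayLoad DLL, an extra LSA Authentication Package (vtuts.dll next to msv1_0), a driver registered under SafeBoot\Minimal, and an executable started from C:\WINDOWS\TEMP. The script below is an added example for this thread, not part of DSS, ComboFix or the original posts: it parses the "Reg Loading Points" format used in the log and flags entries by load location and path rather than by name. The rules are the editor's own heuristics, the reading of a trailing `[ ]` marker as "no file date/size recorded" is an assumption, and the sample input is an excerpt copied from the two logs above.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix, DSS or the
original posts. The heuristics below are assumptions about which autostart
locations and path patterns deserve a second look.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the DSS and ComboFix logs posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00376d83-a433-d393-b6a8-07e61f05074f}]
2008-04-25 12:59 118784 --a------ C:\WINDOWS\system32\apisrvmnt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 01:12 94208]
"lozwdurq"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\lozwdurq.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-03 08:02 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"InetChk"="C:\WINDOWS\TEMP\ms1210045509.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"aSGD5LU9Qr"= C:\Documents and Settings\All Users\Application Data\zszszezk\datqdcbs.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UqkioEp"= {705D90B2-DAF7-3A18-722E-160481C4CB2B} - C:\WINDOWS\system32\bwsra.dll [2007-04-16 08:52 32768]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtuts.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nxx85.sys]
@="Driver"
"""

# A drive-letter path ending in an executable extension (spaces allowed).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys)', re.IGNORECASE)
NAME_RE = re.compile(r'^"([^"]*)"')
# Trailing "[]" or "[ ]": ComboFix printed no date/size for the target (assumed meaning).
EMPTY_INFO_RE = re.compile(r'\[\s*\]\s*$')


@dataclass
class Entry:
    key: str
    name: str
    line: str
    path: Optional[str]


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_loading_points(text: str) -> List[Entry]:
    """Split the log into (registry key, value line) pairs."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]          # new registry key header
            continue
        if key is None:
            continue                  # text before the first key header
        pm = PATH_RE.search(line)
        path = pm.group(0) if pm else None
        nm = NAME_RE.match(line)
        if nm:
            name = nm.group(1)
        elif path:
            name = path.rsplit('\\', 1)[-1]   # BHO lines carry no value name
        else:
            name = line.split('=', 1)[0].strip()
        if name == '@':               # default value: identify by the key's last component
            name = key.rsplit('\\', 1)[-1]
        entries.append(Entry(key, name, line, path))
    return entries


def assess(entry: Entry) -> List[str]:
    """Heuristic reasons an entry deserves a closer look (empty list = nothing noted)."""
    key, line, path = entry.key.lower(), entry.line, (entry.path or '').lower()
    reasons = []
    if key.endswith('\\control\\lsa') and entry.name.lower() == 'authentication packages':
        # Only msv1_0 is expected; anything else is a DLL loaded into lsass.exe at boot.
        extra = [t for t in line.split('=', 1)[1].split() if t.lower() != 'msv1_0']
        if extra:
            reasons.append('LSA Authentication Packages extended beyond msv1_0: ' + ' '.join(extra))
    if 'shellserviceobjectdelayload' in key:
        reasons.append('ShellServiceObjectDelayLoad: DLL loaded into explorer.exe at every logon')
    if key.endswith('policies\\explorer\\run'):
        reasons.append('policies\\Explorer\\Run: policy autostart rarely used by legitimate software')
    if '\\safeboot\\minimal\\' in key:
        reasons.append('SafeBoot\\Minimal: registered to load even in Safe Mode')
    if 'regsvr32 /u' in line.lower():
        reasons.append("regsvr32 /u at logon runs the DLL's DllUnregisterServer export as a loader")
    if '\\browser helper objects\\' in key and path and not path.startswith('c:\\program files'):
        reasons.append('BHO (loaded into every Internet Explorer process) outside Program Files')
    if path:
        if '\\temp\\' in path:
            reasons.append('executable started from a temp directory')
        if '\\all users\\application data\\' in path:
            reasons.append('executable run from All Users\\Application Data, a data directory')
        if EMPTY_INFO_RE.search(line):
            reasons.append('no date/size recorded for the target (missing or unreadable at scan time)')
    return reasons


def triage(text: str) -> List[Finding]:
    return [Finding(e, r) for e in parse_loading_points(text) if (r := assess(e))]


def report(text: str) -> str:
    out = []
    for f in triage(text):
        out.append(f'{f.entry.key}\n  {f.entry.name}: {f.entry.path or f.entry.line}')
        out.extend('    - ' + r for r in f.reasons)
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

Entries such as DMXLauncher and AVG7_CC pass through untouched because none of the location rules match them; the point is to narrow the list, not to decide for you. Treat each flagged item as something to verify (publisher, hash, creation date), exactly as the next post in this thread does with VirusTotal.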

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 May 2008 - 11:58 PM

Hi Chuck,

This computer is really a mess. Were you running a P2P program like LimeWire when you got infected?
P2P programs are an invitation to malware.



You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to this site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the following file:

C:\WINDOWS\system32\000090y.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the following files:

C:\WINDOWS\system32\acluid.dll
C:\WINDOWS\system32\780E16FE96.sys
C:\WINDOWS\system32\KGyGaAvL.sys



Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

Edited by SifuMike, 06 May 2008 - 12:06 AM.

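
Before uploading the four files named above, it helps to record their size, timestamps, attribute bits and hashes in one place: the `--ahs` and `--sh--r` attribute strings in the ComboFix log mean Explorer will not even show them until the Folder Options change above is made, and a hash lookup on VirusTotal can be done without sending the file at all. The script below is an added example, not part of the original posts and not a VirusTotal client; it reads the files directly (hidden and system attributes do not stop `os.stat`), so it works whether or not Explorer has been reconfigured. The path list is the one from the post above; on a non-Windows machine the attribute field is simply empty.

```python
"""Pre-submission triage for suspicious files (added example for this thread).

For each path: present/missing, size, modification time (UTC), the Windows
hidden/system/read-only attribute bits, and MD5/SHA-1/SHA-256 digests.
"""
import hashlib
import os
import stat
from datetime import datetime, timezone

# The four files SifuMike asked to have scanned.
SUSPECT_FILES = [
    r'C:\WINDOWS\system32\000090y.dll',
    r'C:\WINDOWS\system32\acluid.dll',
    r'C:\WINDOWS\system32\780E16FE96.sys',
    r'C:\WINDOWS\system32\KGyGaAvL.sys',
]

# The stat module defines these constants on every platform, but the
# st_file_attributes field is only populated by Windows builds of Python.
ATTRIBUTE_BITS = {
    'hidden': stat.FILE_ATTRIBUTE_HIDDEN,
    'system': stat.FILE_ATTRIBUTE_SYSTEM,
    'readonly': stat.FILE_ATTRIBUTE_READONLY,
}


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests, reading the file in chunks."""
    digests = {name: hashlib.new(name) for name in ('md5', 'sha1', 'sha256')}
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk_size), b''):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def attribute_flags(st):
    """Names of the set attribute bits (empty list off Windows)."""
    bits = getattr(st, 'st_file_attributes', 0)
    return [name for name, bit in ATTRIBUTE_BITS.items() if bits & bit]


def describe(path):
    """Everything worth pasting into a reply about one file."""
    if not os.path.isfile(path):
        return {'path': path, 'status': 'missing'}
    st = os.stat(path)
    info = {
        'path': path,
        'status': 'present',
        'size': st.st_size,
        'mtime': datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        'attributes': attribute_flags(st),
    }
    info.update(hash_file(path))
    return info


def triage(paths=SUSPECT_FILES):
    return [describe(p) for p in paths]


def format_report(entries):
    """One line per file, ready to paste into the thread."""
    lines = []
    for e in entries:
        if e['status'] == 'missing':
            lines.append(f"{e['path']}: not found")
            continue
        attrs = ','.join(e['attributes']) or '-'
        lines.append(f"{e['path']}: {e['size']} bytes, attrs={attrs}, sha256={e['sha256']}")
    return '\n'.join(lines)


if __name__ == '__main__':
    print(format_report(triage()))
```

A file reported as "not found" by this script but listed by ComboFix is itself a data point (renamed, deleted by an earlier cleanup, or hidden from the file system API), and the SHA-256 line can be searched on VirusTotal directly to see whether the sample is already known.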

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 May 2008 - 01:24 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
