Infected With Trojan-downloader Among Others


This topic is locked
19 replies to this topic

#1 zy1125

  • Members
  • 10 posts

Posted 05 May 2008 - 11:26 AM

I am infected with several viruses. I run Avast! 4.8, but that didn't stop this evidently. I have tried several boot scans with Avast! but it has not eradicated them. Attached below are the text reports from DSS and Kaspersky.

I have also gotten a blue screen when I ran an Ad-Aware scan - but was not smart enough to write the error down. Let me know if you want that and I will try again. Any help would be appreciated.

Deckard's System Scanner v20071014.68
Run by Kevin on 2008-05-05 11:58:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
86: 2008-05-05 15:58:57 UTC - RP773 - Deckard's System Scanner Restore Point
85: 2008-05-05 14:50:19 UTC - RP772 - Software Distribution Service 3.0
84: 2008-05-05 11:32:06 UTC - RP771 - Installed Ad-Aware 2007
83: 2008-05-05 04:36:33 UTC - RP770 - System Checkpoint
82: 2008-05-04 03:20:36 UTC - RP769 - System Checkpoint


-- First Restore Point --
1: 2008-02-06 00:35:07 UTC - RP688 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Kevin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:12 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\DOCUME~1\Kevin\MYDOCU~1\CROSOF~1.NET\spoolsv.exe
C:\Program Files\Svconr\Svconr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\winself.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\personal\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kevin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Spcron\Spcron.dll
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\efcbXono.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Kevin\cftmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Kevin\MYDOCU~1\CROSOF~1.NET\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Uqjpz] "C:\Program Files\??sks\d?dplay.exe"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [Awola6] "C:\Documents and Settings\Kevin\Application Data\Awola6\Awola6.exe" /MIN
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Kevin\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: efcbxono - C:\WINDOWS\SYSTEM32\efcbXono.dll
O20 - Winlogon Notify: winnt32 - WinNt32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14412 bytes

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 glq05 - c:\windows\system32\drivers\glq05.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\winself.exe service
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-29 10:19:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-05 12:04:36 0 d-------- C:\Program Files\Trend Micro
2008-05-05 11:00:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 11:00:36 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 10:53:13 0 d-------- C:\WINDOWS\LastGood
2008-05-05 07:41:01 5120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-05 07:41:01 17920 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-05-05 07:36:12 0 d-------- C:\Program Files\Helper
2008-05-05 07:34:53 37376 --a------ C:\WINDOWS\system32\efcbXono.dll
2008-05-05 07:34:44 2 --a------ C:\-1603837367
2008-05-05 07:34:18 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-05 07:33:44 10 --a------ C:\WINDOWS\system32\kr_done1
2008-05-05 07:33:32 61440 --a------ C:\rssnel.exe
2008-05-05 07:32:50 5120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-05 07:32:50 17920 --a------ C:\WINDOWS\system32\drivers\spools.exe
2008-05-05 07:32:50 17920 --a------ C:\WINDOWS\system32\~.exe
2008-05-05 07:32:50 5120 --a------ C:\Documents and Settings\Kevin\ftp34.dll
2008-05-05 07:32:50 17920 --a------ C:\Documents and Settings\Kevin\cftmon.exe
2008-05-05 07:32:10 0 d-------- C:\Program Files\Lavasoft
2008-05-05 07:32:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 07:26:51 0 d-------- C:\Documents and Settings\Kevin\Application Data\Awola6
2008-05-05 07:16:41 0 d-------- C:\Program Files\Spcron
2008-05-05 07:11:35 0 d-------- C:\Program Files\Temporary
2008-05-05 07:11:35 0 d-------- C:\Program Files\Svconr
2008-05-04 23:06:46 27392 --a------ C:\WINDOWS\voiceip.dll
2008-05-04 23:06:46 22016 --a------ C:\WINDOWS\swin32.dll
2008-05-04 23:06:46 20480 --a------ C:\WINDOWS\stcloader.exe
2008-05-04 23:06:45 29184 --a------ C:\WINDOWS\mssvr.exe
2008-05-04 23:06:45 14592 --a------ C:\WINDOWS\mspphe.dll
2008-05-04 23:06:45 13312 --a------ C:\WINDOWS\cdsm32.dll
2008-05-04 23:06:45 10496 --a------ C:\WINDOWS\bokja.exe
2008-05-04 23:06:45 32000 --a------ C:\WINDOWS\bjam.dll
2008-05-04 23:06:44 12800 --a------ C:\WINDOWS\2020search2.dll
2008-05-04 23:06:44 27648 --a------ C:\WINDOWS\2020search.dll
2008-05-04 23:06:42 17408 --a------ C:\WINDOWS\saiemod.dll
2008-05-04 23:06:41 14592 --a------ C:\WINDOWS\msapasrc.dll
2008-05-04 23:06:41 20480 --a------ C:\WINDOWS\msa64chk.dll
2008-05-04 23:06:40 25344 --a------ C:\WINDOWS\shdocpl.dll
2008-05-04 23:06:39 20992 --a------ C:\WINDOWS\winsb.dll
2008-05-04 23:06:39 11264 --a------ C:\WINDOWS\shdocpe.dll
2008-05-04 23:06:39 29696 --a------ C:\WINDOWS\ntnut.exe
2008-05-04 23:06:38 26880 --a------ C:\WINDOWS\browserad.dll
2008-05-04 23:06:38 12544 --a------ C:\WINDOWS\aviwrap32.dll
2008-05-04 23:06:38 12544 --a------ C:\WINDOWS\avisynthex32.dll
2008-05-04 23:06:38 8960 --a------ C:\WINDOWS\avifile32.dll
2008-05-04 23:06:38 25856 --a------ C:\WINDOWS\autodisc32.dll
2008-05-04 23:06:38 14080 --a------ C:\WINDOWS\audiosrv32.dll
2008-05-04 23:06:37 25088 --a------ C:\WINDOWS\ati2dvag32.dll
2008-05-04 23:06:37 30976 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-05-04 23:06:37 12544 --a------ C:\WINDOWS\athprxy32.dll
2008-05-04 23:06:37 8192 --a------ C:\WINDOWS\asycfilt32.dll
2008-05-04 23:06:37 22528 --a------ C:\WINDOWS\asferror32.dll
2008-05-04 23:06:36 15104 --a------ C:\WINDOWS\changeurl_30.dll
2008-05-04 23:06:36 28672 --a------ C:\WINDOWS\apphelp32.dll
2008-05-04 23:06:10 1695 --a------ C:\WINDOWS\system32\clbinit.dll
2008-05-04 23:03:13 35328 --a------ C:\WINDOWS\system32\clbdll.dll
2008-05-04 23:03:03 0 d-------- C:\Program Files\Outerinfo
2008-05-04 23:03:02 0 d-------- C:\Program Files\??sks
2008-05-04 23:02:23 37376 --a------ C:\WINDOWS\mrofinu72.exe
2008-05-04 23:02:16 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-04 23:01:20 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-05-04 23:01:19 87979 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-05-04 23:01:19 87979 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-05-04 23:01:13 20992 --a------ C:\WINDOWS\winself.exe
2008-05-03 12:48:00 270709 --a------ C:\WINDOWS\system32\000060.exe
2008-05-02 16:45:04 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-05-02 15:45:08 229518 --a------ C:\WINDOWS\system32\000090.exe
2008-05-01 08:40:16 68608 --a------ C:\WINDOWS\b155.exe
2008-04-25 12:45:53 0 d-------- C:\Documents and Settings\Marla\2008_04_25
2008-04-25 12:45:52 0 d-------- C:\Documents and Settings\Marla\2008_04_24
2008-04-24 17:44:20 73728 --a------ C:\WINDOWS\b156.exe
2008-04-23 15:23:39 0 d-------- C:\Documents and Settings\Marla\2008_04_22
2008-04-23 15:23:38 0 d-------- C:\Documents and Settings\Marla\2008_04_21
2008-04-23 15:23:31 0 d-------- C:\Documents and Settings\Marla\2008_04_20
2008-04-23 15:23:29 0 d-------- C:\Documents and Settings\Marla\2008_04_19
2008-04-23 15:23:26 0 d-------- C:\Documents and Settings\Marla\2008_04_18
2008-04-23 15:23:12 0 d-------- C:\Documents and Settings\Marla\2008_04_17
2008-04-23 15:23:07 0 d-------- C:\Documents and Settings\Marla\2008_04_15
2008-04-22 12:34:29 0 d-------- C:\Program Files\iPod
2008-04-22 12:32:21 0 d-------- C:\Program Files\QuickTime
2008-04-15 09:06:57 0 d-------- C:\Documents and Settings\Marla\2008_04_12
2008-04-15 09:06:56 0 d-------- C:\Documents and Settings\Marla\2008_04_11
2008-04-15 09:06:50 0 d-------- C:\Documents and Settings\Marla\2008_04_10
2008-04-15 09:06:46 0 d-------- C:\Documents and Settings\Marla\2008_04_09
2008-04-15 09:06:45 0 d-------- C:\Documents and Settings\Marla\2008_04_08
2008-04-15 09:06:40 0 d-------- C:\Documents and Settings\Marla\2008_04_06
2008-04-15 09:06:26 0 d-------- C:\Documents and Settings\Marla\2008_04_05
2008-04-15 09:06:24 0 d-------- C:\Documents and Settings\Marla\2008_04_04


-- Find3M Report ---------------------------------------------------------------

2008-05-05 07:30:52 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 07:28:01 33 --a------ C:\Documents and Settings\Kevin\Application Data\install.ini
2008-05-04 23:03:02 0 d-------- C:\Program Files\??sks
2008-05-04 23:02:16 0 d-------- C:\Program Files\Common Files
2008-04-22 12:34:41 0 d-------- C:\Program Files\iTunes
2008-04-22 12:22:49 0 d-------- C:\Program Files\Safari
2008-04-22 12:19:26 0 d-------- C:\Program Files\Apple Software Update
2008-04-14 09:14:44 0 d-------- C:\Documents and Settings\Kevin\Application Data\Intuit
2008-04-14 09:09:31 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-14 09:09:27 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-14 08:57:36 0 d-------- C:\Program Files\TurboTax
2008-03-29 00:01:55 0 d-------- C:\Program Files\Viewpoint
2008-03-29 00:01:08 0 d-------- C:\Program Files\AIM6
2008-03-27 14:49:12 0 d-------- C:\Program Files\TomTom HOME 2
2008-03-19 07:29:30 0 d-------- C:\Documents and Settings\Kevin\Application Data\Amazon
2008-03-19 07:28:39 0 d-------- C:\Program Files\Amazon
2008-03-18 15:55:26 74996 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-18 15:35:21 0 d-------- C:\Documents and Settings\Kevin\Application Data\Apple Computer
2008-03-07 21:02:57 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-07 21:00:49 0 d-------- C:\Documents and Settings\Kevin\Application Data\Ahead
2008-03-07 20:57:25 0 d-------- C:\Program Files\Nero
2008-03-07 20:53:32 0 d-------- C:\Documents and Settings\Kevin\Application Data\Canon


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
05/05/2008 07:16 AM 55808 --a------ C:\Program Files\Spcron\Spcron.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}]
05/05/2008 07:34 AM 37376 --a------ C:\WINDOWS\system32\efcbXono.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 09:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 02:03 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 03:05 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [01/27/2005 03:02 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [02/09/2006 12:38 PM]
"InstantAccess"="C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [06/19/2000 09:51 AM]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [06/19/2000 09:56 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/20/2006 04:16 PM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 05:16 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 02:37 PM]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"runner1"="C:\WINDOWS\mrofinu72.exe" [05/04/2008 11:02 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [05/05/2008 07:32 AM]
"autoload"="C:\Documents and Settings\Kevin\cftmon.exe" [05/05/2008 07:32 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [10/31/2007 11:19 AM]
"Sen"="C:\DOCUME~1\Kevin\MYDOCU~1\CROSOF~1.NET\spoolsv.exe" [05/04/2008 11:02 PM]
"Uqjpz"="C:\Program Files\??sks\d?dplay.exe" [04/11/2008 01:52 PM]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [05/05/2008 07:11 AM]
"Awola6"="C:\Documents and Settings\Kevin\Application Data\Awola6\Awola6.exe" [05/05/2008 07:26 AM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [05/05/2008 07:32 AM]
"autoload"="C:\Documents and Settings\Kevin\cftmon.exe" [05/05/2008 07:32 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"NoIE4StubProcessing"=C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [7/19/2007 8:04:28 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/18/2006 11:43:29 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2/9/2006 12:28:56 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 4:15:54 AM]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [9/4/1999 6:23:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\efcbXono.dll [05/05/2008 07:34 AM 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbxono]
efcbXono.dll 05/05/2008 07:34 AM 37376 C:\WINDOWS\system32\efcbXono.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnt32]
WinNt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\glq05.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-05-05 12:07:08 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.53GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 1021.98 MiB / 539.62 MiB
Pagefile Memory (total/avail): 2464.78 MiB / 2055.53 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.09 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 145.87 GiB total, 82.1 GiB free.
D: is CDROM (No Media)
E: is Fixed (FAT32) - 37.27 GiB total, 3.39 GiB free.
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 6L160P0 - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 145.87 GiB - C:
\PARTITION2 - Unknown - 3.1 GiB

\\.\PHYSICALDRIVE1 - WDC WD400BB-71DGA0 - 37.28 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.28 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.8.1169 [VPS 080504-0] v4.8.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aim6.exe:*:Enabled:AIM"
"E:\\Program Files\\SmartFTP\\SmartFTP.exe"="E:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP"
"E:\\Program Files\\WPM\\WebPageMaker.exe"="E:\\Program Files\\WPM\\WebPageMaker.exe:*:Enabled:Web Page Maker"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:Last.fm"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Enabled:PPMate"
"C:\\Program Files\\PPMate\\ppmnet.exe"="C:\\Program Files\\PPMate\\ppmnet.exe:*:Enabled:PPMate"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Kevin\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OFFICE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Kevin
LOGONSERVER=\\OFFICE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Kevin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Kevin\LOCALS~1\Temp
USERDOMAIN=OFFICE
USERNAME=Kevin
USERPROFILE=C:\Documents and Settings\Kevin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Kevin (admin)
Marla (admin)
Visitors


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Elements --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements\Uninst.dll"
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe SVG Viewer --> C:\WINDOWS\IsUninst.exe -f"C:\WINDOWS\System32\Adobe\SVG Viewer\Uninst.isu"
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Amazon MP3 Downloader 1.0.3 --> C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Connectivity Services --> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
CacheStats --> MsiExec.exe /I{ED112951-7491-4EB2-92B2-B6424B1FFB7F}
Canon Camera Access Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{901F8ED7-13E8-43EF-B738-2FE89B0588EB} /l1033
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A1D0D14A-B776-4907-BC00-5149F2298086} /l1033
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}
Canon Camera Window DSLR 5 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{0A146245-DB79-4197-BF5D-FE1A699A2CC7}
Canon Camera Window MC 6 for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4DBBF091-FACD-422C-B43C-786335BD5398}
Canon PhotoRecord --> MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
Canon PowerShot S45 WIA Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{25E671BE-87A0-40F1-ABE5-BCBC6E65B0F5}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}
Canon Utilities FileViewerUtility 1.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0627E8E9-6822-4A5E-9225-286741CDC3E4}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}
Canon Utilities RemoteCapture 2.6 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B08894AF-D523-46B1-9B9B-2DA6B29CDD23}
Canon ZoomBrowser EX (E) --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CPV --> cmd /C regsvr32 /u /s "C:\Program Files\Spcron\Spcron.dll" & reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spcron" /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v DelOldFile /d "cmd.exe /C del /Q \"C:\Program Files\Spcron\"" /f
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
DING! --> MsiExec.exe /X{84031A18-BA9A-4156-A74F-E05B52DDFCE2}
EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
EasyGPS --> "C:\Program Files\EasyGPS\unins000.exe"
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ELIcon --> MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7}
FlashGet 1.9.2.1028 --> C:\Program Files\FlashGet\uninst.exe
Flickr Uploadr 2.5.0.14 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
FreeRIP v3.00 --> "C:\Program Files\FreeRIP3\unins000.exe"
Get High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
Google AFE --> regsvr32 /u /s "c:\Program Files\GoogleAFE\GoogleAE.dll"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
GSAK 6.5.2 Build 16 --> C:\WINDOWS\iun506.exe C:\Program Files\GSAK\irunin.ini
HAM --> C:\WINDOWS\HAM Uninstaller.exe
Hattrick Buddy --> C:\Program Files\Hattrick Buddy\uninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
ItsDeductible Express --> MsiExec.exe /X{36495C59-089C-49D1-BD15-9E5BD86DC9A1}
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Last.fm 1.4.2.58376 --> "C:\Program Files\Last.fm\unins000.exe"
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
MCU --> MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Excel 2000 SR-1 --> MsiExec.exe /I{00110409-78E1-11D2-B60F-006097C998E7}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2000 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 2000 --> MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA}
Microsoft Works 2000 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2000\Setup\Launcher.exe D:\
mkw Audio Compression Toolkit --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Michael K. Weise\mkw Audio Compression Toolkit\Uninst.isu"
mkw Runtime Libraries --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Michael K. Weise\mkw Runtime Libraries\Uninst.isu"
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Move Networks Player for Firefox --> "C:\Program Files\Mozilla Firefox\plugins\unins000.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero 7 Essentials --> MsiExec.exe /I{3C814DE3-7174-4148-A3E2-43FFC4F21033}
NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PPMate Network TV 2.0.0.40 --> C:\Program Files\PPMate\uninst.exe
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
SmartFTP Client 2.0 Setup Files (remove only) --> "C:\Program Files\SmartFTP Client 2.0 Setup Files\uninst-sftp.exe"
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SopCast 2.0.4 --> C:\Program Files\SopCast\uninst.exe
Svconr --> "C:\Program Files\Svconr\Svconr.exe" -uninstall
TextBridge Pro 9.0 --> C:\Program Files\TextBridge Pro 9.0\Bin\Setup.exe -y -f"C:\Program Files\TextBridge Pro 9.0\Bin\Uninst.ins"
TomTom HOME --> C:\Program Files\TomTom HOME 2\Uninstall TomTom HOME.exe
TurboTax Deluxe 2004 --> C:\Program Files\TurboTax\Deluxe 2004\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2004\Uninstall.log" -NoGui
TurboTax Deluxe 2007 --> C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
TurboTax Deluxe Deduction Maximizer 2006 --> C:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
VC_MergeModuleToMSI --> MsiExec.exe /I{900A92BA-19EF-4A34-86CF-7B6C85BDD971}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Web Page Maker V2 --> "C:\Program Files\Web Page Maker V2\unins000.exe"
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Word in Works Suite add-in --> MsiExec.exe /I{0DB93918-2A77-11D3-805A-00C04FA329AA}
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type12023 / Error
Event Submitted/Written: 05/05/2008 00:05:33 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type12022 / Error
Event Submitted/Written: 05/05/2008 00:05:33 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type12021 / Error
Event Submitted/Written: 05/05/2008 00:00:23 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type12018 / Error
Event Submitted/Written: 05/05/2008 10:44:47 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Awola6.exe, version 6.2.2.3, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type12011 / Error
Event Submitted/Written: 05/05/2008 09:12:29 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Awola6.exe, version 6.2.2.3, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21456 / Warning
Event Submitted/Written: 05/05/2008 11:40:54 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type21455 / Warning
Event Submitted/Written: 05/05/2008 11:13:34 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type21450 / Warning
Event Submitted/Written: 05/05/2008 10:59:55 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type21420 / Error
Event Submitted/Written: 05/05/2008 10:44:36 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%1053

Event Record #/Type21419 / Error
Event Submitted/Written: 05/05/2008 10:44:36 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.



-- End of Deckard's System Scanner: finished at 2008-05-05 12:07:08 ------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 05, 2008 12:18:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/05/2008
Kaspersky Anti-Virus database records: 740943
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Kevin\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 16478
Number of viruses found: 16
Number of infected objects: 38
Number of suspicious objects: 0
Duration of the scan process: 00:12:43

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\b103.exe.bin/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\WINDOWS\b103.exe.bin ZIP: infected - 1 skipped
C:\WINDOWS\b155.exe Infected: Trojan.Win32.BHO.blh skipped
C:\WINDOWS\b156.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\WINDOWS\lfn.exe Infected: not-virus:Hoax.Win32.Renos.ccc skipped
C:\WINDOWS\mrofinu72.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{46D17424-517C-4903-A58F-4B2FBE04A222}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\000060.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\WINDOWS\system32\000060.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\WINDOWS\system32\000060.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\clbdll.dll Infected: Trojan.Win32.Agent.lkz skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\spools.exe Infected: Trojan-Downloader.Win32.Small.vfw skipped
C:\WINDOWS\system32\efcbXono.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\WINDOWS\system32\ftp34.dll Infected: Trojan-Downloader.Win32.Small.vem skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wmsdkns.exe Infected: not-virus:Hoax.Win32.Renos.ccc skipped
C:\WINDOWS\system32\~.exe Infected: Trojan-Downloader.Win32.Small.vfw skipped
C:\WINDOWS\Temp\Perflib_Perfdata_54c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt125.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.WinFixer.f skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt125.tmp/stream Infected: not-a-virus:FraudTool.Win32.WinFixer.f skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt125.tmp NSIS: infected - 2 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1A.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.WinFixer.f skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1A.tmp/stream Infected: not-a-virus:FraudTool.Win32.WinFixer.f skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1A.tmp NSIS: infected - 2 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1B.tmp/stream/data0010 Infected: not-a-virus:FraudTool.Win32.AntiVirPro.k skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1B.tmp/stream/data0012 Infected: not-a-virus:FraudTool.Win32.AntiVirPro.k skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1B.tmp/stream Infected: not-a-virus:FraudTool.Win32.AntiVirPro.k skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1B.tmp NSIS: infected - 3 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1C.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.WinFixer.f skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1C.tmp/stream Infected: not-a-virus:FraudTool.Win32.WinFixer.f skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\.tt1C.tmp NSIS: infected - 2 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\BLRBB.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\BLRBB.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\BLRBB.tmp NSIS: infected - 2 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\syswcc32.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\syswcc32.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\syswcc32.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\syswcc32.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\syswcc32.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\syswcc32.exe RarSFX: infected - 5 skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\~DF7A60.tmp Object is locked skipped
C:\DOCUME~1\Kevin\LOCALS~1\Temp\~DFF6BA.tmp Object is locked skipped

Scan process completed.

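Added example, not code from the original post or from either scanner: a small Python script that reads the DSS registry dump and the Kaspersky report above and reports which autostart entries are backed by a file Kaspersky flagged. The sample input is copied from the logs in this post; the log-format regular expressions, the lookalike list of system binary names, and the assumption that SystemRoot is C:\WINDOWS (taken from the environment block in the log) are this example's own.

```python
"""Cross-reference autostart entries from a Deckard's System Scanner (DSS)
registry dump against Kaspersky Online Scanner detections.  Added example;
the regexes and the lookalike heuristic are assumptions, not scanner output."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: excerpts copied from the DSS dump posted above.
DSS_SAMPLE = r"""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ntuser"=C:\WINDOWS\system32\drivers\spools.exe
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= C:\WINDOWS\system32\efcbXono.dll [05/05/2008 07:34 AM 37376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbxono]
efcbXono.dll 05/05/2008 07:34 AM 37376 C:\WINDOWS\system32\efcbXono.dll
"""
# Constructed sample: excerpts copied from the Kaspersky report posted above.
KAV_SAMPLE = r"""
C:\WINDOWS\system32\drivers\spools.exe Infected: Trojan-Downloader.Win32.Small.vfw skipped
C:\WINDOWS\system32\efcbXono.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\WINDOWS\system32\wmsdkns.exe Infected: not-virus:Hoax.Win32.Renos.ccc skipped
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...] section header
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"\[\]\r\n]+?\.(?:exe|dll|sys)\b', re.I)
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)")
POLICY_RE = re.compile(r'^"(?P<name>Disable\w+)"=(?P<val>\d+)')
# Assumption: SystemRoot is C:\WINDOWS, as the environment block in the log shows.
REAL_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumption: names malware commonly imitates (this example's own list).
SYSTEM_NAMES = ("ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                "userinit.exe", "explorer.exe")

@dataclass
class Finding:
    key: str                      # registry key the entry was found under
    path: Optional[str]           # file path, or None for a policy finding
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

def edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance: insert, delete and substitute each cost 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(path: str) -> Optional[str]:
    """Return the system binary a file name imitates (within 2 edits), if any."""
    name = path.rsplit("\\", 1)[-1].lower()
    for real in SYSTEM_NAMES:
        if name != real and edit_distance(name, real) <= 2:
            return real
    return None

def parse_kav(text: str) -> dict:
    """Map lower-cased container path -> detection name from a Kaspersky report."""
    hits = {}
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:                      # drop archive members such as foo.exe/stream/data0004
            hits[m["path"].split("/")[0].lower()] = m["name"]
    return hits

def triage(dss_text: str, kav_text: str) -> list:
    hits = parse_kav(kav_text)
    findings, key = [], ""
    for raw in dss_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if "\\policies\\" in key.lower():          # lockout policies carry no file path
            p = POLICY_RE.match(line)
            if p and p["val"] != "0":
                findings.append(Finding(key, None, [f"restrictive policy {p['name']}={p['val']}"]))
            continue
        for path in PATH_RE.findall(line):
            f = Finding(key, path)
            if (name := hits.get(path.lower())):
                f.reasons.append(f"flagged by Kaspersky as {name}")
            if (real := lookalike(path)):
                f.reasons.append(f"file name resembles system binary {real}")
            if line.lower().startswith('"userinit"') and path.lower() != REAL_USERINIT:
                f.reasons.append("extra executable chained onto Winlogon Userinit")
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(DSS_SAMPLE, KAV_SAMPLE):
        print("SUSPICIOUS" if f.suspicious else "ok        ", f.path or "(policy)",
              f"[{f.key}]", "; ".join(f.reasons))
```

Run against the excerpts, the script marks spools.exe and cftmon.exe (both launched from HKU\.DEFAULT\...\Run), wmsdkns.exe (chained onto Winlogon's Userinit value, so it starts at every logon) and efcbXono.dll (registered both as a Winlogon Notify package and as a ShellExecuteHook, so it loads into winlogon.exe and explorer.exe), and reports the DisableTaskMgr=1 policy that blocks Task Manager. The cftmon.exe hit is a name heuristic only: Kaspersky's scan targets were C:\WINDOWS and the Temp folder, so a file under Documents and Settings\LocalService was never scanned and still needs to be checked by hand.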

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:07 AM

Posted 09 May 2008 - 09:59 PM

Hello zy1125,

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



Download SDFix and save it to your Desktop.

Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 zy1125 (Topic Starter, Members, 10 posts)

Posted 11 May 2008 - 10:48 PM

Thanks for taking the time to answer my post. I think I may still have an issue - something called Awola Anti-spyware still loads and tries to get me to click a bunch of stuff. I closed it... if that is going to cause a problem in you seeing what you need to see, let me know and I will reboot and rerun anything you need.

Here are my logs:

SDFix: Version 1.181
Run by Kevin on Sun 05/11/2008 at 11:08 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
bqzpas
MsSecurity1.209.4

Path :
\??\C:\WINDOWS\system32\bqzpas.sys
C:\WINDOWS\winself.exe service

bqzpas - Deleted
MsSecurity1.209.4 - Deleted

Killing PID 776 'wmsdkns.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\GFILKJ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JIHSNQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\LOJMDO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\MLGBEH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NIDCBIP.BMP - Deleted
C:\WINDOWS\SYSTEM32\PSBELON.BMP - Deleted
C:\WINDOWS\SYSTEM32\RMLOJQ~1.BMP - Deleted
C:\-16038~1 - Deleted
C:\Documents and Settings\Kevin\cftmon.exe - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\Program Files\Helper\1210560333.dll - Deleted
C:\Program Files\Spcron\Spcron.dll - Deleted
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\WINDOWS\b156.exe - Deleted
C:\WINDOWS\mrofinu72.exe - Deleted
C:\WINDOWS\system32\~.exe - Deleted
C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\2020search.dll - Deleted
C:\WINDOWS\2020search2.dll - Deleted
C:\WINDOWS\apphelp32.dll - Deleted
C:\WINDOWS\asferror32.dll - Deleted
C:\WINDOWS\asycfilt32.dll - Deleted
C:\WINDOWS\athprxy32.dll - Deleted
C:\WINDOWS\ati2dvaa32.dll - Deleted
C:\WINDOWS\ati2dvag32.dll - Deleted
C:\WINDOWS\audiosrv32.dll - Deleted
C:\WINDOWS\autodisc32.dll - Deleted
C:\WINDOWS\avifile32.dll - Deleted
C:\WINDOWS\avisynthex32.dll - Deleted
C:\WINDOWS\aviwrap32.dll - Deleted
C:\WINDOWS\bjam.dll - Deleted
C:\WINDOWS\bokja.exe - Deleted
C:\WINDOWS\browserad.dll - Deleted
C:\WINDOWS\cdsm32.dll - Deleted
C:\WINDOWS\changeurl_30.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\didduid.ini - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msa64chk.dll - Deleted
C:\WINDOWS\msapasrc.dll - Deleted
C:\WINDOWS\mspphe.dll - Deleted
C:\WINDOWS\mssvr.exe - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\ntnut.exe - Deleted
C:\WINDOWS\saiemod.dll - Deleted
C:\WINDOWS\shdocpe.dll - Deleted
C:\WINDOWS\shdocpl.dll - Deleted
C:\WINDOWS\stcloader.exe - Deleted
C:\WINDOWS\swin32.dll - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted
C:\WINDOWS\system32\wmsdkns.exe - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\textos.txt - Deleted
C:\WINDOWS\voiceip.dll - Deleted
C:\WINDOWS\winsb.dll - Deleted
C:\WINDOWS\winself.exe - Deleted
C:\WINDOWS\system32\bqzpas.sys - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted



Folder C:\Program Files\Helper - Removed
Folder C:\Program Files\Spcron - Removed
Folder C:\Program Files\Temporary - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 23:34:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wzghui]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\wzghui.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wzghui\security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wzghui]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\wzghui.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wzghui\security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aim6.exe:*:Enabled:AIM"
"E:\\Program Files\\SmartFTP\\SmartFTP.exe"="E:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP"
"E:\\Program Files\\WPM\\WebPageMaker.exe"="E:\\Program Files\\WPM\\WebPageMaker.exe:*:Enabled:Web Page Maker"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:Last.fm"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Enabled:PPMate"
"C:\\Program Files\\PPMate\\ppmnet.exe"="C:\\Program Files\\PPMate\\ppmnet.exe:*:Enabled:PPMate"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 13 Feb 2006 56 A.SHR --- "C:\i386\807BEDCFDF.sys"
Mon 13 Feb 2006 3,350 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Fri 11 Apr 2008 230,400 ..SHR --- "C:\Program Files\??sks\d?dplay.exe"
Mon 21 Aug 2006 56 ..SHR --- "C:\WINDOWS\system32\807BEDCFDF.sys"
Fri 3 Mar 2006 56 ..SHR --- "C:\WINDOWS\system32\AF5619626A.sys"
Sun 19 Feb 2006 56 ..SHR --- "C:\WINDOWS\system32\F408EAA230.sys"
Thu 27 Sep 2007 7,362 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 11 Dec 2006 25,600 ...H. --- "C:\Documents and Settings\Marla\My Documents\~WRL0046.tmp"
Wed 13 Feb 2008 21,504 ...H. --- "C:\Documents and Settings\Marla\My Documents\~WRL0142.tmp"
Mon 4 Dec 2006 26,624 ...H. --- "C:\Documents and Settings\Marla\My Documents\~WRL0349.tmp"
Wed 13 Feb 2008 19,456 ...H. --- "C:\Documents and Settings\Marla\My Documents\~WRL1688.tmp"
Sat 2 Dec 2006 25,600 ...H. --- "C:\Documents and Settings\Marla\My Documents\~WRL1842.tmp"
Mon 11 Dec 2006 28,160 ...H. --- "C:\Documents and Settings\Marla\My Documents\~WRL1883.tmp"
Wed 6 Dec 2006 26,112 ...H. --- "C:\Documents and Settings\Marla\My Documents\~WRL2849.tmp"
Sat 2 Dec 2006 25,600 ...H. --- "C:\Documents and Settings\Marla\My Documents\~WRL3652.tmp"
Sun 13 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 4 May 2008 89,088 ..SHR --- "C:\Documents and Settings\Kevin\My Documents\??crosoft.NET\spoolsv.exe"
Mon 14 Nov 2005 36,864 A..H. --- "C:\Documents and Settings\Marla\My Documents\recipes\~WRL0699.tmp"
Mon 24 Jun 2002 20,992 A..H. --- "C:\Documents and Settings\Marla\My Documents\vacation\~WRL2328.tmp"
Mon 5 May 2008 8,868,392 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e95d5610f544f57ebae909543761cef2\BIT64.tmp"
Mon 6 Aug 2007 36,864 ...H. --- "C:\Documents and Settings\Marla\Application Data\Microsoft\Word\~WRL1884.tmp"
Wed 30 Aug 2006 24,064 ...H. --- "C:\Documents and Settings\Marla\Application Data\Microsoft\Word\~WRL3066.tmp"
Sun 16 Dec 2001 122,368 A..H. --- "C:\Documents and Settings\Marla\My Documents\School Stuff2\AP Tests\~WRL2476.tmp"
Mon 10 Dec 2001 38,400 A..H. --- "C:\Documents and Settings\Marla\My Documents\School Stuff2\USH Tests\~WRL0146.tmp"
Sun 16 Dec 2001 122,368 A..H. --- "C:\Documents and Settings\Marla\My Documents\School Stuff\AP Tests\~WRL2476.tmp"
Mon 10 Dec 2001 38,400 A..H. --- "C:\Documents and Settings\Marla\My Documents\School Stuff\USH Tests\~WRL0146.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:41 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\DOCUME~1\Kevin\MYDOCU~1\CROSOF~1.NET\spoolsv.exe
C:\Program Files\??sks\d?dplay.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Kevin\MYDOCU~1\CROSOF~1.NET\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Uqjpz] "C:\Program Files\??sks\d?dplay.exe"
O4 - HKCU\..\Run: [Awola6] "C:\Documents and Settings\Kevin\Application Data\Awola6\Awola6.exe" /MIN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10796 bytes
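The O4 entries in the HijackThis log above show the pattern this infection used: binaries launched from user-profile folders, folder names HijackThis could not render (shown as `?`), and a core Windows process name (spoolsv.exe) living outside the Windows directory. The triage script below is an added example, not part of this thread and not a HijackThis feature; its sample input is copied from the log above plus one constructed `cftmon` Run entry (the filename appeared in the SDFix log, not as a Run entry), and the checks are heuristics that say what to look up, not a verdict.

```python
"""Triage of HijackThis O4 (autorun) entries for the warning signs seen in this thread.

Added example: heuristics only. A flagged entry deserves a lookup; an unflagged one
is not proven clean (the rogue AntiVirusPro entry below passes every check).
"""
import re
from typing import Dict, List

# One HKLM/HKCU Run entry per O4 line, as HijackThis writes them.
# "O4 - Startup:" / "Global Startup:" lines use a different shape and are skipped.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Unquoted command line: take everything up to the first executable extension.
EXT_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", re.IGNORECASE)

# Core Windows process names that malware borrows (the thread shows spoolsv.exe
# in My Documents and a cftmon.exe lookalike of ctfmon.exe).
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
}
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")
PROFILE_DIRS = ("\\documents and settings\\", "\\docume~1\\")

# Constructed sample: lines copied from the log above plus one constructed
# cftmon entry (path taken from the SDFix "Trojan Files Found" list).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Kevin\MYDOCU~1\CROSOF~1.NET\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Uqjpz] "C:\Program Files\??sks\d?dplay.exe"
O4 - HKCU\..\Run: [Awola6] "C:\Documents and Settings\Kevin\Application Data\Awola6\Awola6.exe" /MIN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cftmon] C:\Documents and Settings\Kevin\cftmon.exe
"""


def extract_path(cmd: str) -> str:
    """Return the executable path from an O4 command string, quoted or not."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def assess(path: str) -> List[str]:
    """Return the warning signs for one autorun path (empty list = nothing odd)."""
    reasons: List[str] = []
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if "?" in path:
        # HijackThis prints '?' for characters it cannot render: lookalike folder names.
        reasons.append("unrenderable characters in path (possible lookalike folder name)")
    if any(d in low for d in PROFILE_DIRS):
        # User-writable location; unusual for a legitimate startup binary.
        reasons.append("runs from a user profile directory")
    if not low.startswith(WINDOWS_DIRS):
        if base in SYSTEM_NAMES:
            reasons.append(f"system binary name {base} outside the Windows directory")
        elif any(sorted(base) == sorted(s) for s in SYSTEM_NAMES):
            # Same letters, different order: catches cftmon.exe vs ctfmon.exe.
            reasons.append(f"{base} is an anagram of a system binary name")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every O4 Run line and return the entries with at least one warning sign."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = extract_path(m.group("cmd"))
        reasons = assess(path)
        if reasons:
            findings.append({"name": m.group("name"), "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['name']}] {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```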

#4 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 11 May 2008 - 11:44 PM

Hi zy1125,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVAST Antivirus before running ComboFix, as it will prevent it from running.

To disable avast antivirus:
Right click on the avast! icon in the system tray and choose (Stop On-Access Protection)


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions, please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT. It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 11 May 2008 - 11:48 PM.


#5 zy1125 (Topic Starter, Members, 10 posts)

Posted 12 May 2008 - 06:31 PM

Thanks for such a quick response.

I have installed the recovery console. I started ComboFix and got the following blue screen of death:


A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the Stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:

***STOP: 0x0000008E (0xc0000005,0x805640D6,0xED71FC30,0x00000000)

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance.

#6 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 12 May 2008 - 11:22 PM

Hi zy1125,

Did you disable AVAST before running ComboFix?

AVAST will cause BSOD unless you disable it like this:
Posted Image


After disabling AVAST, try running it again.


Also, see if there is a log file located at C:\combofix.txt

If so, then attach the log here.

Edited by SifuMike, 13 May 2008 - 12:53 AM.


#7 zy1125 (Topic Starter, Members, 10 posts)

Posted 13 May 2008 - 08:44 AM

dup post.

Edited by zy1125, 13 May 2008 - 09:34 AM.


#8 zy1125 (Topic Starter, Members, 10 posts)

Posted 13 May 2008 - 09:14 AM

Thanks once again for your quick response... I really appreciate it.

There was no combofix.txt file after the first run.

I did not disable Avast via the settings panel initially - I followed the instructions you posted originally about right clicking on the task bar. I disabled it both ways now, and started the scan again.

While it was running, avast! still popped up a message about a rootkit, but I did not touch it while ComboFix continued to run in the background and delete some files and folders.

I saw the message with the 41 stages, and then my machine rebooted due to a dll that was said to be missing. It popped up and disappeared too quickly for me to capture the name of the dll.

Once the machine restarted, I logged back in and Awola Anti-Spyware 6.0 (which again, I never installed... so I think it is part of the infection I have) started back up. Combofix also restarted and deleted three files (it deleted a lot more the first time it ran):
c:\Program Files\sks~1d?dplay.exe
c:\WINDOWS\pskt.ini
c:\Program Files\sks~1

and then ran the 41 stages again. It then deleted a bunch of dlls as well as the Awola6 application, which seems like a good thing.

Then it logged me off again. When I logged back in, ComboFix was running the window about Preparing Log Report from ComboFix. While that was running, avast! gave me a warning about a rootkit once again (C:\WINDOWS\system32\wzghui.sys), which I ignored.

Here is the ComboFix Log that ended up at the end:

ComboFix 08-05-11.1 - Kevin 2008-05-13 9:43:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.666 [GMT -4:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Register Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Start Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Uninstall.lnk
C:\Documents and Settings\Kevin\Application Data\Awola6
C:\Documents and Settings\Kevin\Application Data\Awola6\Awola6.exe
C:\Documents and Settings\Kevin\Application Data\Awola6\settings.ini
C:\Documents and Settings\Kevin\Application Data\YSTEM3~1
C:\Documents and Settings\Kevin\My Documents\CROSOF~1.NET
C:\Documents and Settings\Kevin\My Documents\CROSOF~1.NET\??crosoft.NET\
C:\Documents and Settings\Kevin\My Documents\CROSOF~1.NET\spoolsv.exe
C:\Documents and Settings\Kevin\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Kevin\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Kevin\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\sks~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awTLDWon.dll
C:\WINDOWS\system32\dfmhpvoc.dll
C:\WINDOWS\system32\fraqvgvv.ini
C:\WINDOWS\system32\gcbfotyt.dll
C:\WINDOWS\system32\IPqpWaHk.ini
C:\WINDOWS\system32\IPqpWaHk.ini2
C:\WINDOWS\system32\kHaWpqPI.dll
C:\WINDOWS\system32\sxubrvcl.dll
C:\WINDOWS\system32\vvgvqarf.dll
C:\Program Files\sks~1\d?dplay.exe . . . . failed to delete
.
---- Previous Run -------
.
C:\Program Files\AntiVirusPro
C:\Program Files\AntiVirusPro\AntiVirusPro.exe
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.local
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.log
C:\Program Files\AntiVirusPro\Core.dll
C:\Program Files\AntiVirusPro\Localization.dll
C:\Program Files\AntiVirusPro\msvcp71.dll
C:\Program Files\AntiVirusPro\msvcr71.dll
C:\Program Files\AntiVirusPro\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\lfn.exe

Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:29 AM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Kevin\MYDOCU~1\CROSOF~1.NET\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Uqjpz] "C:\Program Files\??sks\d?dplay.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: efcbxono - efcbXono.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11270 bytes
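As an added example (not code from this thread, and not part of HijackThis or ComboFix), a small Python triage script that applies to O4/O20 lines the same checks the expert makes by eye: '?' characters in a path, a System32 binary name launched from a user profile, and a Winlogon Notify handler whose DLL is missing. The sample lines are copied from the log above; the heuristics, names and thresholds are assumptions of this example and give leads for a human to check, not verdicts.

```python
"""Triage of HijackThis-style autostart lines (O4 Run keys, O20 Winlogon Notify).

Heuristics, not verdicts: each hit is something a person should look at,
as the expert in the thread does with the 'Sen' and 'Uqjpz' entries.
"""
import re
from dataclasses import dataclass, field

# System binaries that legitimately live only in %SystemRoot%\system32; an
# autorun that launches one from a user profile is a classic masquerade.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}

# Path fragments (long and 8.3 forms) that mean "inside a user profile".
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                   "\\my documents\\", "\\mydocu~1\\",
                   "\\application data\\", "\\applic~1\\")

O4_REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")
# First token that looks like an executable/DLL path, quoted or not.
EXE_RE = re.compile(r'"?(?P<path>.*?\.(?:exe|dll|scr|com))\b', re.IGNORECASE)


@dataclass
class Finding:
    name: str          # Run value name or Notify subkey
    line: str          # the raw log line
    reasons: list = field(default_factory=list)


def executable_path(cmd: str) -> str:
    """Strip quotes and trailing arguments from a Run-key command string."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def assess_autorun(line: str):
    """Return a Finding for a recognised autostart line, or None for other lines."""
    m = O4_REG_RE.match(line)
    if m:
        path = executable_path(m.group("cmd"))
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        f = Finding(m.group("name"), line)
        if "?" in path:
            # HijackThis renders characters outside the ANSI code page as '?';
            # such names cannot be typed or matched by a plain file search.
            f.reasons.append("non-ANSI characters in path (rendered as '?')")
        if base in SYSTEM_BINARIES and "\\system32\\" not in low:
            f.reasons.append(f"{base} launched from outside System32")
        if any(marker in low for marker in PROFILE_MARKERS):
            f.reasons.append("autorun target lives in a user profile directory")
        return f
    m = O20_NOTIFY_RE.match(line)
    if m:
        f = Finding(m.group("name"), line)
        if "(file missing)" in m.group("cmd"):
            f.reasons.append("Winlogon Notify handler whose DLL no longer exists")
        return f
    return None


def triage(log_text: str) -> list:
    """Return the findings that tripped at least one heuristic, in log order."""
    hits = []
    for raw in log_text.splitlines():
        f = assess_autorun(raw.rstrip())
        if f is not None and f.reasons:
            hits.append(f)
    return hits


# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Kevin\MYDOCU~1\CROSOF~1.NET\spoolsv.exe" -vt yazb
O4 - HKCU\..\Run: [Uqjpz] "C:\Program Files\??sks\d?dplay.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: efcbxono - efcbXono.dll (file missing)
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit.name}] {'; '.join(hit.reasons)}")
```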

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:07 AM

Posted 13 May 2008 - 09:52 AM

Here is the ComboFix Log that ended up at the end:

ComboFix 08-05-11.1 - Kevin 2008-05-13 9:43:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.666 [GMT -4:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe



You did not post the entire ComboFix log. :thumbsup: It is much longer than the one you posted.

Please do not post the Hijackthis log. I did not ask for that.

I need to see the entire ComboFix log from the first successful run of it in order to help you.
The log will be at C:\ComboFix.txt. If you run it multiple times, the logs will be numbered with a time and date stamp.


Also, why did you run ComboFix four times? There was a problem with BSOD the first time, but what was the reason for running it the other three times?
My instructions said to run ComboFix one time.

Edited by SifuMike, 13 May 2008 - 09:58 AM.
highlight and underline words.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 zy1125

zy1125
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 13 May 2008 - 10:44 AM

Sorry, trying to follow your instructions as best I can.

I believe I have only double-clicked ComboFix twice - the first time was when I got the BSOD. The other time was this morning. My machine rebooted twice, and ComboFix began running both times when the machine restarted. Perhaps this is what is happening, but I don't know. Again, I am really trying to get this right. Sorry if I am making it harder for you to help me....

I did a search of my hard drive for any file that starts with 'combo%'. There was only one combofix.txt file. Here are the contents of that file:



ComboFix 08-05-11.1 - Kevin 2008-05-13 9:43:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.666 [GMT -4:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Register Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Start Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Uninstall.lnk
C:\Documents and Settings\Kevin\Application Data\Awola6
C:\Documents and Settings\Kevin\Application Data\Awola6\Awola6.exe
C:\Documents and Settings\Kevin\Application Data\Awola6\settings.ini
C:\Documents and Settings\Kevin\Application Data\YSTEM3~1
C:\Documents and Settings\Kevin\My Documents\CROSOF~1.NET
C:\Documents and Settings\Kevin\My Documents\CROSOF~1.NET\??crosoft.NET\
C:\Documents and Settings\Kevin\My Documents\CROSOF~1.NET\spoolsv.exe
C:\Documents and Settings\Kevin\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Kevin\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Kevin\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\sks~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awTLDWon.dll
C:\WINDOWS\system32\dfmhpvoc.dll
C:\WINDOWS\system32\fraqvgvv.ini
C:\WINDOWS\system32\gcbfotyt.dll
C:\WINDOWS\system32\IPqpWaHk.ini
C:\WINDOWS\system32\IPqpWaHk.ini2
C:\WINDOWS\system32\kHaWpqPI.dll
C:\WINDOWS\system32\sxubrvcl.dll
C:\WINDOWS\system32\vvgvqarf.dll
C:\Program Files\sks~1\d?dplay.exe . . . . failed to delete
.
---- Previous Run -------
.
C:\Program Files\AntiVirusPro
C:\Program Files\AntiVirusPro\AntiVirusPro.exe
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.local
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.log
C:\Program Files\AntiVirusPro\Core.dll
C:\Program Files\AntiVirusPro\Localization.dll
C:\Program Files\AntiVirusPro\msvcp71.dll
C:\Program Files\AntiVirusPro\msvcr71.dll
C:\Program Files\AntiVirusPro\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-13 09:17 . 2008-05-13 09:17 269,334 --a------ C:\WINDOWS\system32\kfmlsbih.bmp
2008-05-12 19:20 . 2008-05-12 19:20 269,334 --a------ C:\WINDOWS\system32\mhknmtsn.bmp
2008-05-12 18:54 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-12 18:54 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-12 18:54 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-12 18:54 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-12 18:54 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-12 18:54 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-12 18:54 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-12 18:54 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-12 18:54 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 18:51 . 2008-05-12 18:51 2,112 --a------ C:\WINDOWS\system32\hskpdbrw.exe
2008-05-12 18:46 . 2008-05-12 18:46 269,334 --a------ C:\WINDOWS\system32\pcnedojal.bmp
2008-05-12 14:45 . 2008-05-12 14:45 0 --a------ C:\Documents and Settings\Marla\AntiVirusPro.exe.log
2008-05-12 14:44 . 2008-05-12 14:44 269,334 --a------ C:\WINDOWS\system32\psnap.bmp
2008-05-12 14:44 . 2008-05-12 14:44 109,803 --a------ C:\WINDOWS\BMa354517a.xml
2008-05-11 23:40 . 2008-05-11 23:40 269,334 --a------ C:\WINDOWS\system32\adkjatgritobap.bmp
2008-05-11 23:40 . 2008-05-13 09:17 0 --a------ C:\Documents and Settings\Kevin\AntiVirusPro.exe.log
2008-05-11 22:49 . 2008-05-11 22:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-11 22:44 . 2008-05-11 23:39 <DIR> d-------- C:\SDFix
2008-05-11 22:38 . 2008-05-11 22:38 14,848 --a------ C:\unsfp.exe
2008-05-11 22:37 . 2008-05-13 09:55 58,288 --a------ C:\WINDOWS\system32\wzghui.sys
2008-05-05 12:04 . 2008-05-05 12:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 11:58 . 2008-05-05 11:58 <DIR> d-------- C:\Deckard
2008-05-05 11:00 . 2008-05-05 11:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 11:00 . 2008-05-05 11:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 07:43 . 2008-05-05 07:43 20,266 --a------ C:\WINDOWS\b103.exe.bin
2008-05-05 07:41 . 2008-05-11 22:35 5,120 --a------ C:\Documents and Settings\LocalService\ftp34.dll
2008-05-05 07:34 . 2008-05-05 10:44 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-05 07:33 . 2008-05-11 22:36 61,952 --a------ C:\rssnel.exe
2008-05-05 07:32 . 2008-05-05 07:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-05 07:32 . 2008-05-05 07:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 07:32 . 2008-05-11 22:48 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-05 07:32 . 2008-05-11 22:48 5,120 --a------ C:\Documents and Settings\Kevin\ftp34.dll
2008-05-05 07:11 . 2008-05-05 07:11 <DIR> d-------- C:\Program Files\Svconr
2008-05-04 23:03 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-25 12:45 . 2008-04-25 12:47 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_25
2008-04-25 12:45 . 2008-05-03 15:24 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_24
2008-04-23 15:23 . 2008-04-23 15:28 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_22
2008-04-23 15:23 . 2008-05-03 15:24 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_21
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_20
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_19
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_18
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_17
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_15
2008-04-22 12:35 . 2008-05-13 09:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-22 12:35 . 2008-04-22 12:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-22 12:34 . 2008-04-22 12:34 <DIR> d-------- C:\Program Files\iPod
2008-04-22 12:32 . 2008-04-22 12:33 <DIR> d-------- C:\Program Files\QuickTime
2008-04-15 09:06 . 2008-05-03 15:29 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_12
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_11
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_10
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_09
2008-04-15 09:06 . 2008-04-15 09:08 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_08
2008-04-15 09:06 . 2008-05-03 15:34 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_06
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_05
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_04

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 11:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 16:34 --------- d-----w C:\Program Files\iTunes
2008-04-22 16:22 --------- d-----w C:\Program Files\Safari
2008-04-22 16:19 --------- d-----w C:\Program Files\Apple Software Update
2008-04-21 22:52 --------- d-----w C:\Documents and Settings\Marla\Application Data\Canon
2008-04-14 13:23 --------- d-----w C:\Documents and Settings\Marla\Application Data\Intuit
2008-04-14 13:14 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Intuit
2008-04-14 13:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 13:09 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-14 12:57 --------- d-----w C:\Program Files\TurboTax
2008-03-29 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-03-29 04:01 --------- d-----w C:\Program Files\Viewpoint
2008-03-29 04:01 --------- d-----w C:\Program Files\AIM6
2008-03-29 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-29 04:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-29 03:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-27 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-03-27 18:49 --------- d-----w C:\Program Files\TomTom HOME 2
2008-03-19 11:29 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Amazon
2008-03-19 11:28 --------- d-----w C:\Program Files\Amazon
2008-03-18 19:35 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Apple Computer
2006-08-21 15:00 56 --sh--r C:\WINDOWS\system32\807BEDCFDF.sys
2006-03-03 19:14 56 --sh--r C:\WINDOWS\system32\AF5619626A.sys
2006-02-19 16:43 56 --sh--r C:\WINDOWS\system32\F408EAA230.sys
2007-09-27 21:28 7,362 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 11:19 378784]
"Sen"="C:\DOCUME~1\Kevin\MYDOCU~1\CROSOF~1.NET\spoolsv.exe" [ ]
"Uqjpz"="C:\Program Files\??sks\d?dplay.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 21:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 03:02 86016]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-09 12:38 168448]
"InstantAccess"="C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [2000-06-19 09:51 31744]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 09:56 22528]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-20 16:16 185896]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16 1121792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 14:37 79224]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AntiVirusPro"="C:\Program Files\AntiVirusPro\AntiVirusPro.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 09:56 22528]

C:\Documents and Settings\Marla\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-19 20:04:28 106496]

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-19 20:04:28 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-18 11:43:29 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-02-09 12:28:56 156784]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 18:23:00 53317]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbxono]
efcbXono.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\glq05.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aim6.exe"=
"E:\\Program Files\\WPM\\WebPageMaker.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\PPMate\\ppmnet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S0 glq05;glq05;C:\WINDOWS\system32\Drivers\Glq05.sys []
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 15:05]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 15:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-29 14:19:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 09:54:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\PROGRA~1\TEXTBR~1.0\Bin\TBMHOOK.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-13 10:01:11 - machine was rebooted [Kevin]
ComboFix-quarantined-files.txt 2008-05-13 14:01:05

Pre-Run: 91,375,161,344 bytes free
Post-Run: 91,350,585,344 bytes free

270 --- E O F --- 2008-05-13 13:26:02

#11 zy1125

zy1125
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 13 May 2008 - 11:09 AM

Also, wanted to apologize for not following the instructions completely, but I was sure that I was told to post the HijackThis log, so I re-read all your posts and links. I think I was thrown off by this entry in the 'A guide and tutorial on using ComboFix':

"You should now register an account at one of the forums listed below and copy and paste the above log file along with a HijackThis log into a new topic."

I am guessing that a lot of your initial instructions to me come from cut-and-paste, and if that is the case you may want to update the content for Post #4 to explicitly let the person you are helping know you don't need the HijackThis log if it is creating unnecessary noise. Hopefully this post helps and is not ADDITIONAL noise...

Thanks again for your help. I have shut my machine down and await any further steps.

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:07 AM

Posted 13 May 2008 - 01:56 PM

Hi zy1125,

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\kfmlsbih.bmp

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

C:\WINDOWS\system32\mhknmtsn.bmp
C:\WINDOWS\system32\pcnedojal.bmp
C:\WINDOWS\system32\psnap.bmp
C:\WINDOWS\system32\adkjatgritobap.bmp
C:\WINDOWS\BMa354517a.xml


Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.



Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

File:: 
C:\WINDOWS\system32\wzghui.sys
C:\Documents and Settings\Marla\AntiVirusPro.exe.log
C:\WINDOWS\BMa354517a.xml
C:\WINDOWS\b103.exe.bin
C:\Documents and Settings\LocalService\ftp34.dll
C:\rssnel.exe
C:\WINDOWS\system32\ftp34.dll
C:\Documents and Settings\Kevin\ftp34.dll
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\hskpdbrw.exe

Registry:: 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"=-   
"Uqjpz"=-	 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVirusPro"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbxono]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\glq05.sys]
  
Driver:: 
glq05


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
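Before a script like the one above is run, it helps to see exactly what it asks for. The following is an added example, not ComboFix's code and not part of the helper's instructions: a Python 3.8+ parser for the CFScript format shown above that lists the requested actions and flags the high-impact entries (deleting Winlogon Notify or SafeBoot keys, deleting .sys files, removing a driver service). Section meanings are read from the script itself and from standard .reg syntax, where "Name"=- deletes a value and [-Key] deletes a key; the meaning given to KILLALL:: and the list of sensitive registry paths are assumptions of the example.

```python
"""Review a ComboFix CFScript before it is run: list what it asks for and flag the
high-impact entries.  Added example, not ComboFix's own code.  Section meanings come
from the script itself and from standard .reg syntax ("Name"=- deletes a value,
[-Key] deletes a key); KILLALL:: is assumed to mean terminate processes first."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the CFScript posted in the thread, verbatim.
SAMPLE_CFSCRIPT = r"""
KILLALL::

File::
C:\WINDOWS\system32\wzghui.sys
C:\Documents and Settings\Marla\AntiVirusPro.exe.log
C:\WINDOWS\BMa354517a.xml
C:\WINDOWS\b103.exe.bin
C:\Documents and Settings\LocalService\ftp34.dll
C:\rssnel.exe
C:\WINDOWS\system32\ftp34.dll
C:\Documents and Settings\Kevin\ftp34.dll
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\hskpdbrw.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"=-
"Uqjpz"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVirusPro"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbxono]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\glq05.sys]

Driver::
glq05
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")        # e.g. File::
REG_KEY_RE = re.compile(r"^\[(-?)(HK[^\]]+)\]$")    # [Key] or [-Key]
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')     # "Name"=data or "Name"=-
# Deleting under these changes logon, safe-mode or service behaviour (assumed list).
SENSITIVE_KEY_MARKERS = ("winlogon\\notify", "\\safeboot\\", "currentcontrolset\\services")

@dataclass
class CFScriptPlan:
    kill_all: bool = False
    files: list = field(default_factory=list)              # File:: paths to delete
    reg_delete_keys: list = field(default_factory=list)    # [-Key] lines
    reg_delete_values: list = field(default_factory=list)  # (key, name) for "name"=-
    reg_set_values: list = field(default_factory=list)     # (key, name, data)
    drivers: list = field(default_factory=list)            # Driver:: service names
    unknown: list = field(default_factory=list)            # (section, line) not understood

def parse_cfscript(text):
    """Turn CFScript text into a CFScriptPlan; nothing here touches the system."""
    plan, section, current_key = CFScriptPlan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, current_key = m.group(1).upper(), None
            plan.kill_all = plan.kill_all or section == "KILLALL"
            continue
        if section == "FILE":
            plan.files.append(line)
        elif section == "DRIVER":
            plan.drivers.append(line)
        elif section == "REGISTRY" and (km := REG_KEY_RE.match(line)):
            if km.group(1) == "-":
                plan.reg_delete_keys.append(km.group(2))
                current_key = None      # values listed after a [-Key] have no target
            else:
                current_key = km.group(2)
        elif section == "REGISTRY" and current_key and (vm := REG_VALUE_RE.match(line)):
            name, data = vm.group(1), vm.group(2).strip()
            if data == "-":
                plan.reg_delete_values.append((current_key, name))
            else:
                plan.reg_set_values.append((current_key, name, data))
        else:
            plan.unknown.append((section, line))   # never silently drop a line
    return plan

def high_impact_actions(plan):
    """Entries a reviewer should confirm by hand before the script is run."""
    flagged = [("delete-key", k) for k in plan.reg_delete_keys
               if any(mark in k.lower() for mark in SENSITIVE_KEY_MARKERS)]
    flagged += [("delete-driver-file", p) for p in plan.files if p.lower().endswith(".sys")]
    flagged += [("remove-driver-service", d) for d in plan.drivers]
    return flagged

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    print(f"kill processes first: {plan.kill_all}; {len(plan.files)} files, "
          f"{len(plan.reg_delete_values)} values, {len(plan.reg_delete_keys)} keys, "
          f"{len(plan.drivers)} drivers; unparsed lines: {len(plan.unknown)}")
    for kind, target in high_impact_actions(plan):
        print(f"  check by hand -> {kind}: {target}")
```

Run as-is it summarises the script above; to review a different CFScript, pass that text to parse_cfscript instead.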

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:07 AM

Posted 13 May 2008 - 02:04 PM

Also, wanted to apologize for not following the instructions completely, but I was sure that I was told to post the HijackThis log, so I re-read all your posts and links. I think I was thrown off by this entry in the 'A guide and tutorial on using ComboFix':

"You should now register an account at one of the forums listed below and copy and paste the above log file along with a HijackThis log into a new topic."


I will contact Grinler, the author of the tutorial, to let him know about the HijackThis log request and see if he will fix it.

I am guessing that a lot of your initial instructions to me come from cut-and-paste, and if that is the case you may want to update the content for Post #4 to explicitly let the person you are helping know you don't need the HijackThis log if it is creating unnecessary noise. Hopefully this post helps and is not ADDITIONAL noise...


I did not ask for a Hijackthis log in my instructions, as it is not necessary at this stage. Grinler can update the tutorial which will solve the problem.

Edited by SifuMike, 13 May 2008 - 03:47 PM.
spelling


#14 zy1125

zy1125
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 13 May 2008 - 08:56 PM

OK... here are the results of the file scans at VirusTotal:

File kfmlsbih.bmp received on 05.14.2008 03:08:02 (CET)
Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.10.0 2008.05.13 -
AntiVir 7.8.0.17 2008.05.13 -
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1195.0 2008.05.13 -
AVG 7.5.0.516 2008.05.13 -
BitDefender 7.2 2008.05.08 -
CAT-QuickHeal 9.50 2008.05.13 -
ClamAV 0.92.1 2008.05.13 -
DrWeb 4.44.0.09170 2008.05.13 -
eSafe 7.0.15.0 2008.05.13 -
eTrust-Vet 31.4.5786 2008.05.14 -
Ewido 4.0 2008.05.13 Downloader.FakeAlert.bu
F-Prot 4.4.2.54 2008.05.13 -
F-Secure 6.70.13260.0 2008.05.14 -
Fortinet 3.14.0.0 2008.05.14 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.14 -
Kaspersky 7.0.0.125 2008.05.14 -
McAfee 5294 2008.05.13 -
Microsoft 1.3520 2008.05.14 -
NOD32v2 3096 2008.05.13 Win32/TrojanDownloader.FakeAlert.BU
Norman 5.80.02 2008.05.13 -
Panda 9.0.0.4 2008.05.14 -
Prevx1 V2 2008.05.14 Malicious Software
Rising 20.44.12.00 2008.05.13 -
Sophos 4.29.0 2008.05.14 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.14 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.13 -
VirusBuster 4.3.26:9 2008.05.13 -
Webwasher-Gateway 6.6.2 2008.05.13 -
Additional information
File size: 269334 bytes
MD5...: 048d36722cdedb58886c9ea795b05684
SHA1..: 22e25a21e3f4f4dc2f92dc02bed8714cfd1f947c
SHA256: 0b2a16c4c2c1b1b7af67dfe0ba211864f590d3fc65daefeb7dcd3b5b55472f7f
SHA512: 4cb2985f835875701dcfbd319f2720d43900a25a242b6f7114e48660a425c395
af83de11bbe82040bc7cc031fa83bf1732365a2b0067531ebc5e42e4660b2019
PEiD..: -
PEInfo: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...6BBAA008B1237A0

File mhknmtsn.bmp received on 05.14.2008 03:11:40 (CET)
Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.10.0 2008.05.13 -
AntiVir 7.8.0.17 2008.05.13 -
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1195.0 2008.05.13 -
AVG 7.5.0.516 2008.05.13 -
BitDefender 7.2 2008.05.08 -
CAT-QuickHeal 9.50 2008.05.13 -
ClamAV 0.92.1 2008.05.13 -
DrWeb 4.44.0.09170 2008.05.13 -
eSafe 7.0.15.0 2008.05.13 -
eTrust-Vet 31.4.5786 2008.05.14 -
Ewido 4.0 2008.05.13 Downloader.FakeAlert.bu
F-Prot 4.4.2.54 2008.05.13 -
F-Secure 6.70.13260.0 2008.05.14 -
Fortinet 3.14.0.0 2008.05.14 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.14 -
Kaspersky 7.0.0.125 2008.05.14 -
McAfee 5294 2008.05.13 -
Microsoft 1.3520 2008.05.14 -
NOD32v2 3096 2008.05.13 Win32/TrojanDownloader.FakeAlert.BU
Norman 5.80.02 2008.05.13 -
Panda 9.0.0.4 2008.05.14 -
Prevx1 V2 2008.05.14 Malicious Software
Rising 20.44.12.00 2008.05.13 -
Sophos 4.29.0 2008.05.14 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.14 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.13 -
VirusBuster 4.3.26:9 2008.05.13 -
Webwasher-Gateway 6.6.2 2008.05.13 -
Additional information
File size: 269334 bytes
MD5...: 048d36722cdedb58886c9ea795b05684
SHA1..: 22e25a21e3f4f4dc2f92dc02bed8714cfd1f947c
SHA256: 0b2a16c4c2c1b1b7af67dfe0ba211864f590d3fc65daefeb7dcd3b5b55472f7f
SHA512: 4cb2985f835875701dcfbd319f2720d43900a25a242b6f7114e48660a425c395
af83de11bbe82040bc7cc031fa83bf1732365a2b0067531ebc5e42e4660b2019
PEiD..: -
PEInfo: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...6BBAA008B1237A0

File pcnedojal.bmp received on 05.14.2008 03:15:10 (CET)
Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.10.0 2008.05.13 -
AntiVir 7.8.0.17 2008.05.13 -
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1195.0 2008.05.13 -
AVG 7.5.0.516 2008.05.13 -
BitDefender 7.2 2008.05.08 -
CAT-QuickHeal 9.50 2008.05.13 -
ClamAV 0.92.1 2008.05.13 -
DrWeb 4.44.0.09170 2008.05.13 -
eSafe 7.0.15.0 2008.05.13 -
eTrust-Vet 31.4.5786 2008.05.14 -
Ewido 4.0 2008.05.13 Downloader.FakeAlert.bu
F-Prot 4.4.2.54 2008.05.13 -
F-Secure 6.70.13260.0 2008.05.14 -
Fortinet 3.14.0.0 2008.05.14 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.14 -
Kaspersky 7.0.0.125 2008.05.14 -
McAfee 5294 2008.05.13 -
Microsoft 1.3520 2008.05.14 -
NOD32v2 3096 2008.05.13 Win32/TrojanDownloader.FakeAlert.BU
Norman 5.80.02 2008.05.13 -
Panda 9.0.0.4 2008.05.14 -
Prevx1 V2 2008.05.14 Malicious Software
Rising 20.44.12.00 2008.05.13 -
Sophos 4.29.0 2008.05.14 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.14 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.13 -
VirusBuster 4.3.26:9 2008.05.13 -
Webwasher-Gateway 6.6.2 2008.05.13 -
Additional information
File size: 269334 bytes
MD5...: 048d36722cdedb58886c9ea795b05684
SHA1..: 22e25a21e3f4f4dc2f92dc02bed8714cfd1f947c
SHA256: 0b2a16c4c2c1b1b7af67dfe0ba211864f590d3fc65daefeb7dcd3b5b55472f7f
SHA512: 4cb2985f835875701dcfbd319f2720d43900a25a242b6f7114e48660a425c395
af83de11bbe82040bc7cc031fa83bf1732365a2b0067531ebc5e42e4660b2019
PEiD..: -
PEInfo: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...6BBAA008B1237A0

File psnap.bmp received on 05.14.2008 03:17:15 (CET)
Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.10.0 2008.05.13 -
AntiVir 7.8.0.17 2008.05.13 -
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1195.0 2008.05.13 -
AVG 7.5.0.516 2008.05.13 -
BitDefender 7.2 2008.05.08 -
CAT-QuickHeal 9.50 2008.05.13 -
ClamAV 0.92.1 2008.05.13 -
DrWeb 4.44.0.09170 2008.05.13 -
eSafe 7.0.15.0 2008.05.13 -
eTrust-Vet 31.4.5786 2008.05.14 -
Ewido 4.0 2008.05.13 Downloader.FakeAlert.bu
F-Prot 4.4.2.54 2008.05.13 -
F-Secure 6.70.13260.0 2008.05.14 -
Fortinet 3.14.0.0 2008.05.14 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.14 -
Kaspersky 7.0.0.125 2008.05.14 -
McAfee 5294 2008.05.13 -
Microsoft 1.3520 2008.05.14 -
NOD32v2 3096 2008.05.13 Win32/TrojanDownloader.FakeAlert.BU
Norman 5.80.02 2008.05.13 -
Panda 9.0.0.4 2008.05.14 -
Prevx1 V2 2008.05.14 Malicious Software
Rising 20.44.12.00 2008.05.13 -
Sophos 4.29.0 2008.05.14 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.14 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.13 -
VirusBuster 4.3.26:9 2008.05.13 -
Webwasher-Gateway 6.6.2 2008.05.13 -
Additional information
File size: 269334 bytes
MD5...: 048d36722cdedb58886c9ea795b05684
SHA1..: 22e25a21e3f4f4dc2f92dc02bed8714cfd1f947c
SHA256: 0b2a16c4c2c1b1b7af67dfe0ba211864f590d3fc65daefeb7dcd3b5b55472f7f
SHA512: 4cb2985f835875701dcfbd319f2720d43900a25a242b6f7114e48660a425c395
af83de11bbe82040bc7cc031fa83bf1732365a2b0067531ebc5e42e4660b2019
PEiD..: -
PEInfo: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...6BBAA008B1237A0

File adkjatgritobap.bmp received on 05.14.2008 03:19:22 (CET)
Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.10.0 2008.05.13 -
AntiVir 7.8.0.17 2008.05.13 -
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1195.0 2008.05.13 -
AVG 7.5.0.516 2008.05.13 -
BitDefender 7.2 2008.05.08 -
CAT-QuickHeal 9.50 2008.05.13 -
ClamAV 0.92.1 2008.05.13 -
DrWeb 4.44.0.09170 2008.05.13 -
eSafe 7.0.15.0 2008.05.13 -
eTrust-Vet 31.4.5786 2008.05.14 -
Ewido 4.0 2008.05.13 Downloader.FakeAlert.bu
F-Prot 4.4.2.54 2008.05.13 -
F-Secure 6.70.13260.0 2008.05.14 -
Fortinet 3.14.0.0 2008.05.14 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.14 -
Kaspersky 7.0.0.125 2008.05.14 -
McAfee 5294 2008.05.13 -
Microsoft 1.3520 2008.05.14 -
NOD32v2 3096 2008.05.13 Win32/TrojanDownloader.FakeAlert.BU
Norman 5.80.02 2008.05.13 -
Panda 9.0.0.4 2008.05.14 -
Prevx1 V2 2008.05.14 Malicious Software
Rising 20.44.12.00 2008.05.13 -
Sophos 4.29.0 2008.05.14 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.14 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.13 -
VirusBuster 4.3.26:9 2008.05.13 -
Webwasher-Gateway 6.6.2 2008.05.13 -
Additional information
File size: 269334 bytes
MD5...: 048d36722cdedb58886c9ea795b05684
SHA1..: 22e25a21e3f4f4dc2f92dc02bed8714cfd1f947c
SHA256: 0b2a16c4c2c1b1b7af67dfe0ba211864f590d3fc65daefeb7dcd3b5b55472f7f
SHA512: 4cb2985f835875701dcfbd319f2720d43900a25a242b6f7114e48660a425c395
af83de11bbe82040bc7cc031fa83bf1732365a2b0067531ebc5e42e4660b2019
PEiD..: -
PEInfo: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...6BBAA008B1237A0

File BMa354517a.xml received on 05.14.2008 03:21:42 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.10.0 2008.05.13 -
AntiVir 7.8.0.17 2008.05.13 -
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1195.0 2008.05.13 -
AVG 7.5.0.516 2008.05.13 -
BitDefender 7.2 2008.05.08 -
CAT-QuickHeal 9.50 2008.05.13 -
ClamAV 0.92.1 2008.05.13 -
DrWeb 4.44.0.09170 2008.05.13 -
eSafe 7.0.15.0 2008.05.13 -
eTrust-Vet 31.4.5786 2008.05.14 -
Ewido 4.0 2008.05.13 -
F-Prot 4.4.2.54 2008.05.13 -
F-Secure 6.70.13260.0 2008.05.14 -
Fortinet 3.14.0.0 2008.05.14 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.14 -
Kaspersky 7.0.0.125 2008.05.14 -
McAfee 5294 2008.05.13 -
Microsoft 1.3520 2008.05.14 -
NOD32v2 3096 2008.05.13 -
Norman 5.80.02 2008.05.13 -
Panda 9.0.0.4 2008.05.14 -
Prevx1 V2 2008.05.14 -
Rising 20.44.12.00 2008.05.13 -
Sophos 4.29.0 2008.05.14 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.14 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.13 -
VirusBuster 4.3.26:9 2008.05.13 -
Webwasher-Gateway 6.6.2 2008.05.13 -
Additional information
File size: 109803 bytes
MD5...: b3a00236c2be56ef78ca4eb349d75fbf
SHA1..: aa501851fc8b2d2abb4e07d2bc792191129bc269
SHA256: 5f7452d141d5127acf1c8ba44f3888141f73337dfe574ef9bac4541ba06689ad
SHA512: c5de471d6ff88e72343f4ec838b822b21f5a347115e998efed301acb65e938cd
a9fdef9a54cdeb88ea9bff193dae4607be9514ad2c289e5feb99fa3a6bbcd579
PEiD..: -
PEInfo: -


Here is the ComboFix log:

ComboFix 08-05-11.1 - Kevin 2008-05-13 21:29:12.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.731 [GMT -4:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Kevin\ftp34.dll
C:\Documents and Settings\LocalService\ftp34.dll
C:\Documents and Settings\Marla\AntiVirusPro.exe.log
C:\rssnel.exe
C:\WINDOWS\b103.exe.bin
C:\WINDOWS\BMa354517a.xml
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\hskpdbrw.exe
C:\WINDOWS\system32\wzghui.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kevin\ftp34.dll
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\LocalService\ftp34.dll
C:\Documents and Settings\Marla\AntiVirusPro.exe.log
C:\rssnel.exe
C:\WINDOWS\b103.exe.bin
C:\WINDOWS\BMa354517a.xml
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\ftp34.dll
C:\WINDOWS\system32\hskpdbrw.exe
C:\WINDOWS\system32\wzghui.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_glq05
-------\Service_wzghui


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-13 09:17 . 2008-05-13 09:17 269,334 --a------ C:\WINDOWS\system32\kfmlsbih.bmp
2008-05-12 19:20 . 2008-05-12 19:20 269,334 --a------ C:\WINDOWS\system32\mhknmtsn.bmp
2008-05-12 18:54 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-12 18:54 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-12 18:54 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-12 18:54 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-12 18:54 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-12 18:54 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-12 18:54 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-12 18:54 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-12 18:54 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-12 18:46 . 2008-05-12 18:46 269,334 --a------ C:\WINDOWS\system32\pcnedojal.bmp
2008-05-12 14:44 . 2008-05-12 14:44 269,334 --a------ C:\WINDOWS\system32\psnap.bmp
2008-05-11 23:40 . 2008-05-11 23:40 269,334 --a------ C:\WINDOWS\system32\adkjatgritobap.bmp
2008-05-11 23:40 . 2008-05-13 09:17 0 --a------ C:\Documents and Settings\Kevin\AntiVirusPro.exe.log
2008-05-11 22:49 . 2008-05-11 22:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-11 22:44 . 2008-05-11 23:39 <DIR> d-------- C:\SDFix
2008-05-11 22:38 . 2008-05-11 22:38 14,848 --a------ C:\unsfp.exe
2008-05-05 12:04 . 2008-05-05 12:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-05 11:58 . 2008-05-05 11:58 <DIR> d-------- C:\Deckard
2008-05-05 11:00 . 2008-05-05 11:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 11:00 . 2008-05-05 11:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 07:32 . 2008-05-05 07:32 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-05 07:32 . 2008-05-05 07:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 07:11 . 2008-05-05 07:11 <DIR> d-------- C:\Program Files\Svconr
2008-05-04 23:03 . 2004-08-04 07:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-04-25 12:45 . 2008-04-25 12:47 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_25
2008-04-25 12:45 . 2008-05-03 15:24 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_24
2008-04-23 15:23 . 2008-04-23 15:28 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_22
2008-04-23 15:23 . 2008-05-03 15:24 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_21
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_20
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_19
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_18
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_17
2008-04-23 15:23 . 2008-05-03 15:25 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_15
2008-04-22 12:35 . 2008-05-13 21:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-22 12:35 . 2008-04-22 12:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-22 12:34 . 2008-04-22 12:34 <DIR> d-------- C:\Program Files\iPod
2008-04-22 12:32 . 2008-04-22 12:33 <DIR> d-------- C:\Program Files\QuickTime
2008-04-15 09:06 . 2008-05-03 15:29 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_12
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_11
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_10
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_09
2008-04-15 09:06 . 2008-04-15 09:08 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_08
2008-04-15 09:06 . 2008-05-03 15:34 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_06
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_05
2008-04-15 09:06 . 2008-04-15 09:11 <DIR> d-------- C:\Documents and Settings\Marla\2008_04_04

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 11:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 16:34 --------- d-----w C:\Program Files\iTunes
2008-04-22 16:22 --------- d-----w C:\Program Files\Safari
2008-04-22 16:19 --------- d-----w C:\Program Files\Apple Software Update
2008-04-21 22:52 --------- d-----w C:\Documents and Settings\Marla\Application Data\Canon
2008-04-14 13:23 --------- d-----w C:\Documents and Settings\Marla\Application Data\Intuit
2008-04-14 13:14 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Intuit
2008-04-14 13:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 13:09 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-14 12:57 --------- d-----w C:\Program Files\TurboTax
2008-03-29 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-03-29 04:01 --------- d-----w C:\Program Files\Viewpoint
2008-03-29 04:01 --------- d-----w C:\Program Files\AIM6
2008-03-29 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-29 04:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-29 03:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-27 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-03-27 18:49 --------- d-----w C:\Program Files\TomTom HOME 2
2008-03-19 11:29 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Amazon
2008-03-19 11:28 --------- d-----w C:\Program Files\Amazon
2008-03-18 19:35 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Apple Computer
2006-08-21 15:00 56 --sh--r C:\WINDOWS\system32\807BEDCFDF.sys
2006-03-03 19:14 56 --sh--r C:\WINDOWS\system32\AF5619626A.sys
2006-02-19 16:43 56 --sh--r C:\WINDOWS\system32\F408EAA230.sys
2007-09-27 21:28 7,362 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_10.00.47.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 13:53:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 01:34:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-08-04 11:00:00 5,120 ----a-w C:\WINDOWS\system32\dllcache\sfc.dll
+ 2008-05-14 01:34:39 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-10-31 11:19 378784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 21:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05 127035]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 03:02 86016]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-09 12:38 168448]
"InstantAccess"="C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [2000-06-19 09:51 31744]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 09:56 22528]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-20 16:16 185896]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16 1121792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 14:37 79224]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 09:56 22528]

C:\Documents and Settings\Marla\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 14:15:48 462848]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-19 20:04:28 106496]

C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-19 20:04:28 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-18 11:43:29 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-02-09 12:28:56 156784]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 18:23:00 53317]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1140377350\\ee\\aim6.exe"=
"E:\\Program Files\\WPM\\WebPageMaker.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\PPMate\\ppmnet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 15:05]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 15:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 14:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 21:35:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\PROGRA~1\TEXTBR~1.0\Bin\TBMHOOK.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-13 21:41:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 01:41:13
ComboFix2.txt 2008-05-13 14:01:12

Pre-Run: 91,687,854,080 bytes free
Post-Run: 91,676,160,000 bytes free

234 --- E O F --- 2008-05-13 13:26:02


Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:21 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10805 bytes


One last item - not sure if it matters, but in the c:\WINDOWS\System32 folder there was a .txt file that has the same name as the xml file that you had me check. There are also some oddly named .log files. Let me know if those are of any interest.
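As an added example that is not part of this thread, the script below parses the O2, O4 and O20 lines of a HijackThis log like the one above into records and marks the entries an analyst should expand first: 8.3 short-name paths (the real program behind `INSTAN~1.EXE` is not obvious from the log) and the AppInit_DLLs value, which is loaded into every process that links user32.dll. The sample input is constructed from lines copied from the log posted above; the flag names and record layout are this example's own.

```python
import re
from dataclasses import dataclass

# Run-key entries:  O4 - HKLM\..\Run: [name] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Browser Helper Objects:  O2 - BHO: <name> - {CLSID} - <dll path>
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')
# AppInit_DLLs value:  O20 - AppInit_DLLs: <dll path>
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<path>.+)$')

@dataclass
class Entry:
    kind: str     # 'O4', 'BHO' or 'AppInit_DLLs'
    where: str    # registry location or CLSID the entry was found under
    name: str
    path: str     # executable/DLL path with quotes and arguments stripped
    flags: tuple  # review hints; empty when nothing stands out

def exe_path(cmd: str) -> str:
    """Strip surrounding quotes and trailing switches (e.g. '/h') from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def review_flags(kind: str, path: str) -> tuple:
    """Hints for the analyst; a flag means 'look closer', not 'malicious'."""
    flags = []
    if '~' in path:
        flags.append('short-name path')            # expand the 8.3 name to see the real program
    if kind == 'AppInit_DLLs':
        flags.append('global DLL injection point')  # injected into every user32-linked process
    return tuple(flags)

def parse_hjt(text: str) -> list:
    """Return the O2, O4 and O20 entries of a HijackThis log as Entry records."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            p = exe_path(m['cmd'])
            entries.append(Entry('O4', f"{m['hive']}\\{m['key']}", m['name'], p, review_flags('O4', p)))
        elif m := O2_RE.match(line):
            entries.append(Entry('BHO', m['clsid'], m['name'], m['path'], review_flags('BHO', m['path'])))
        elif m := O20_RE.match(line):
            entries.append(Entry('AppInit_DLLs', r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                                 'AppInit_DLLs', m['path'], review_flags('AppInit_DLLs', m['path'])))
    return entries

def flagged(entries: list) -> list:
    """Names of the entries that carry at least one review flag."""
    return [e.name for e in entries if e.flags]

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE = r"""O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe"""

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE):
        print(e.kind, e.where, e.name, e.path, e.flags)
```

O23 service lines and the Startup-folder O4 variants are deliberately left unparsed here; extending the regex set to them follows the same pattern.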

#15 SifuMike
    malware expert

Posted 13 May 2008 - 09:59 PM

Hi zy1125,

One last item - not sure if it matters, but in the c:\WINDOWS\System32 folder there was a .txt file that has the same name as the xml file that you had me check. There are also some oddly named .log files. Let me know if those are of any interest.


See what is in the .txt file and the .log files and report back.

************************

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

************************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
************************

Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

File:: 
C:\WINDOWS\system32\kfmlsbih.bmp
C:\WINDOWS\system32\mhknmtsn.bmp
C:\WINDOWS\system32\pcnedojal.bmp
C:\WINDOWS\system32\psnap.bmp
C:\WINDOWS\system32\adkjatgritobap.bmp
C:\Documents and Settings\Kevin\AntiVirusPro.exe.log


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
