
Virtumonde I Think


  • This topic is locked
6 replies to this topic

#1 simplyaini

  • Members
  • 3 posts

Posted 05 May 2008 - 04:07 PM

I'm a lil' computer illiterate, so I hope you can help me.
Here are the logs:

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 06, 2008 4:32:38 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/05/2008
Kaspersky Anti-Virus database records: 741235
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52014
Number of viruses found: 8
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 01:09:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Qurratu'aini\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\Qurratu'aini\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Qurratu'aini\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Qurratu'aini\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Qurratu'aini\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Qurratu'aini\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Qurratu'aini\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat Object is locked skipped
C:\Documents and Settings\Qurratu'aini\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Qurratu'aini\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Qurratu'aini\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP82\A0017472.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP84\A0019632.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpb skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP84\A0019656.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP86\A0019703.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP87\A0019893.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP87\A0019910.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP87\A0019911.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qri skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP87\A0019912.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP89\A0021060.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP92\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6400DE97-6AA5-4BCA-B7C3-E846472DD102}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\ayllyckb.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddcbbbxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qph skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ivireg.ivr Object is locked skipped
C:\WINDOWS\system32\oaphmxch.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{F0652FF3-5DAC-4525-97A0-284A09AF3AF5}\RP92\change.log Object is locked skipped

Scan process completed.

Main.txt

Deckard's System Scanner v20071014.68
Run by Qurratu'aini on 2008-05-06 04:42:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
80: 2008-05-05 20:42:42 UTC - RP93 - Deckard's System Scanner Restore Point
79: 2008-05-03 07:24:48 UTC - RP92 - System Checkpoint
78: 2008-05-02 06:49:28 UTC - RP91 - System Checkpoint
77: 2008-04-30 11:48:40 UTC - RP90 - System Checkpoint
76: 2008-04-29 04:59:03 UTC - RP89 - Installed AVG 7.5


-- First Restore Point --
1: 2008-04-15 14:55:54 UTC - RP14 - Installed pfingoTALK


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-06 04:47:36
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe
C:\Program Files\Quick Launch Button\QLButton.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\PenMount Universal Driver\PMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Qurratu'aini\Desktop\dss.exe
C:\WINDOWS\system32\ZoneLabs\updclient.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\iifeddcd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9EC43A72-9E9F-4B8F-9597-1A99883C18A0} - C:\WINDOWS\system32\ddcbbbxw.dll
O2 - BHO: (no name) - {CC760658-C91E-4D8F-A0E2-8A4250AD11E3} - C:\WINDOWS\system32\urqppnnn.dll (file missing)
O2 - BHO: (no name) - {F7EB611B-6C04-4F79-9B08-2E9A79787909} - C:\WINDOWS\system32\gebbcywv.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HotKey] C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe
O4 - HKLM\..\Run: [QLButton] C:\Program Files\Quick Launch Button\QLButton.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Qurratu'aini\lsass.exe
O4 - HKLM\..\Run: [60177ed5] rundll32.exe "C:\WINDOWS\system32\ayllyckb.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM63244d49] Rundll32.exe "C:\WINDOWS\system32\oaphmxch.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: PenMount Monitor.lnk = C:\Program Files\PenMount Universal Driver\PMonitor.exe
O4 - Global Startup: pfingoTALK.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://spring1.ura.gov.sg/mapguide6/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199555252328
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://mocca.com/MediaCorp/ImageUploader4.cab
O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: iifeddcd - C:\WINDOWS\system32\iifeddcd.dll
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 9599 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 mchInjDrv (madCodeHook DLL injection driver) - c:\windows\system32\drivers\mchinjdrv.sys

S3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-23 07:26:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-06 and 2008-05-06 -----------------------------

2008-05-06 02:55:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 02:55:36 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 01:29:34 0 d-------- C:\VundoFix Backups
2008-05-01 13:31:53 2560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-01 01:35:13 0 d-------- C:\Program Files\Spyware Doctor
2008-05-01 01:35:13 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\PC Tools
2008-04-30 22:13:13 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-30 16:10:10 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-29 15:19:48 8 --a------ C:\WINDOWS\system32\60176c5b
2008-04-29 13:32:36 512 --a------ C:\ScanSectorLog.dat
2008-04-29 13:26:19 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\MailFrontier
2008-04-29 13:17:55 2231072 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-29 13:07:13 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-29 13:07:01 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-04-29 13:06:39 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-29 13:05:32 0 d-------- C:\WINDOWS\Internet Logs
2008-04-29 12:59:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-22 04:17:18 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Talkback
2008-04-22 04:17:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-22 04:16:46 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Mozilla
2008-04-21 18:57:22 183815 --ahs---- C:\WINDOWS\system32\wxbbbcdd.ini2
2008-04-21 18:57:16 271872 --a------ C:\WINDOWS\system32\ddcbbbxw.dll
2008-04-21 12:01:07 0 dr-h----- C:\$VAULT$.AVG
2008-04-21 10:11:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-21 10:05:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-19 16:40:19 193293 --ahs---- C:\WINDOWS\system32\vwycbbeg.ini2
2008-04-19 04:25:50 11463 --a------ C:\WINDOWS\system32\awtutqnk.dll
2008-04-19 03:53:09 1524 --a------ C:\WINDOWS\system32\opnkkjjk.dll
2008-04-19 02:53:08 1524 --a------ C:\WINDOWS\system32\vtutqnmk.dll
2008-04-18 20:24:32 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\AVGTOOLBAR
2008-04-15 22:55:44 167536 --ahs---- C:\WINDOWS\system32\nnnppqru.ini2
2008-04-15 22:50:22 30720 --a------ C:\WINDOWS\system32\iifeddcd.dll
2008-04-15 22:50:12 10240 --a------ C:\Documents and Settings\Qurratu'aini\services.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-18 14:39:02 0 d-------- C:\Program Files\Common Files
2008-03-27 12:54:46 0 d-------- C:\Program Files\Java
2008-03-23 00:23:24 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Azureus
2008-03-16 15:02:57 0 d-------- C:\Program Files\pfingoTALK
2008-03-14 00:57:30 0 d-------- C:\Program Files\Canon
2008-03-09 14:49:35 0 d-------- C:\Program Files\QuickTime
2008-03-07 03:46:31 0 d-------- C:\Program Files\Software Catalogue


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DC2D282-D414-435E-8A26-FF3C23AC36EF}]
04/15/2008 10:50 PM 30720 --a------ C:\WINDOWS\system32\iifeddcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EC43A72-9E9F-4B8F-9597-1A99883C18A0}]
04/21/2008 06:57 PM 271872 --a------ C:\WINDOWS\system32\ddcbbbxw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC760658-C91E-4D8F-A0E2-8A4250AD11E3}]
C:\WINDOWS\system32\urqppnnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7EB611B-6C04-4F79-9B08-2E9A79787909}]
C:\WINDOWS\system32\gebbcywv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [06/27/2007 03:38 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [06/27/2007 03:38 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [06/27/2007 03:38 PM]
"RTHDCPL"="RTHDCPL.EXE" [07/05/2007 03:08 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\Alcmtr.exe]
"HotKey"="C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe" [08/23/2007 05:30 AM]
"QLButton"="C:\Program Files\Quick Launch Button\QLButton.exe" [01/07/2005 05:53 AM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [08/02/2007 04:31 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [10/26/2005 05:17 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [01/14/2004 09:10 AM]
"LSA Shellu"="C:\Documents and Settings\Qurratu'aini\lsass.exe" []
"60177ed5"="C:\WINDOWS\system32\ayllyckb.dll" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"BM63244d49"="C:\WINDOWS\system32\oaphmxch.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [6/7/2007 7:50:42 AM]
PenMount Monitor.lnk - C:\Program Files\PenMount Universal Driver\PMonitor.exe [3/16/2007 11:36:40 AM]
pfingoTALK.lnk - C:\WINDOWS\Installer\{BBA55A18-8923-4EAE-B943-DFDEC5AF192B}\_4A17C5455E82E4D623415B.exe [3/16/2008 3:02:03 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DC2D282-D414-435E-8A26-FF3C23AC36EF}"= C:\WINDOWS\system32\iifeddcd.dll [04/15/2008 10:50 PM 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeddcd]
iifeddcd.dll 04/15/2008 10:50 PM 30720 C:\WINDOWS\system32\iifeddcd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcbbbxw

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66e86ba1-ba20-11dc-82a9-000df041baa8}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df36a2f-0b12-11dd-83be-000df04b8b47}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d975b1b7-bf4b-11dc-82c2-000df041baa8}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe




-- End of Deckard's System Scanner: finished at 2008-05-06 04:50:23 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® processor 800MHz
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 2038.05 MiB / 1504.19 MiB
Pagefile Memory (total/avail): 3412.61 MiB / 2945.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1916.2 MiB

C: is Fixed (NTFS) - 54.1 GiB total, 42.69 GiB free.
D: is Fixed (NTFS) - 54.1 GiB total, 52.15 GiB free.

\\.\PHYSICALDRIVE0 - Hitachi HTS541612J9AT00 - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 54.1 GiB - C:
\PARTITION1 - Installable File System - 54.1 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

FW: ZoneAlarm Security Suite Firewall v7.0.337.000 (Check Point, LTD.)
AV: ZoneAlarm Security Suite Antivirus v7.0.337.000 (Check Point, LTD.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\pfingoTALK.exe"="D:\\pfingoTALK.exe:*:Enabled:pfingoTALK"
"D:\\Program Files\\Azureus\\Azureus.exe"="D:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\pfingoTALK\\pfingoTALK.exe"="C:\\Program Files\\pfingoTALK\\pfingoTALK.exe:*:Enabled:pfingoTALK"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Qurratu'aini\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KJS-9A231D5CF49
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Qurratu'aini
LOGONSERVER=\\KJS-9A231D5CF49
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem\;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\QURRAT~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\QURRAT~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=KJS-9A231D5CF49
USERNAME=Qurratu'aini
USERPROFILE=C:\Documents and Settings\Qurratu'aini
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Qurratu'aini (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Azureus Vuze --> D:\Program Files\Azureus\uninstall.exe
Bluesoleil2.6.0.9 Release 070606 --> MsiExec.exe /X{846AC73B-9394-48B9-B941-8F7F472F0047}
Canon PhotoRecord --> MsiExec.exe /X{D958FAC4-BAE0-4B1D-A42E-DE9BFDE7DDEE}
Canon PIXMA iP3000 --> C:\WINDOWS\system32\CNMCP61.exe "-PRINTERNAMECanon PIXMA iP3000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP3000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP3000 Installer\Inst2\cnmi0409.dll"
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe C:\Program Files\Canon\Easy-PhotoPrint\uninst.ini
Canon Utilities Easy-PrintToolBox --> C:\WINDOWS\BJPSUNST.EXE
Disc2Phone --> MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HotKey Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E9A24338-30F5-4E0F-955F-593D6F814FD6}\setup.exe" -l0x9
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
InterVideo WinDVD for Kohjinsha --> C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\setup.exe -runfromtemp -l0x0409
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Media Player Codec Pack 2.2.0 --> C:\WINDOWS\system32\C2MP\Uninst.exe
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Standard 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall STANDARDR /dll OSETUP.DLL
Microsoft Office Standard 2007 --> MsiExec.exe /X{91120000-0012-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PenMount Universal Driver 1.0 --> C:\Program Files\PenMount Universal Driver\uninst.exe
pfingoTALK --> MsiExec.exe /I{BBA55A18-8923-4EAE-B943-DFDEC5AF192B}
QLButton --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Quick Launch Button\QLButton.isu" -c"C:\Program Files\Quick Launch Button\QLBUnInst.dll"
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
REALTEK GbE & FE Ethernet PCI-E NIC Driver --> C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Software Catalogue Client 1.2 --> "C:\Program Files\Software Catalogue\unins000.exe"
Sony Ericsson PC Suite --> MsiExec.exe /I{52809086-618D-4F0B-8BF1-B75A5BB817A4}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{BE1826A9-7EEE-492A-B3BC-DEF3DFAE37EE}\setup.exe -runfromtemp -l0x0409
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb949037) --> msiexec /package {91120000-0012-0000-0000-0000000FF1CE} /uninstall {B4F188C6-6DBF-42A5-A8A3-3086D1A384F2}
Webcam Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4B21827-7810-4A26-8BC8-C9520CC836A0}\setup.exe" -l0x9
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3622 / Error
Event Submitted/Written: 05/06/2008 02:51:44 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3618 / Warning
Event Submitted/Written: 05/03/2008 05:04:14 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3611 / Warning
Event Submitted/Written: 05/01/2008 11:51:04 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type3610 / Error
Event Submitted/Written: 05/01/2008 10:10:37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application zlclient.exe, version 7.0.470.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3604 / Error
Event Submitted/Written: 05/01/2008 01:46:46 PM
Event ID/Source: 0 / pctsSvc.exe
Event Description:
The service process could not connect to the service controller



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type419 / Warning
Event Submitted/Written: 05/06/2008 04:34:48 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00A0D1C34B22. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type411 / Error
Event Submitted/Written: 05/06/2008 01:16:58 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type392 / Error
Event Submitted/Written: 05/03/2008 02:42:08 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {7D8C9B6E-B0A6-433A-90D7-D44D080013D8} did not register with DCOM within the required timeout.

Event Record #/Type390 / Error
Event Submitted/Written: 05/03/2008 02:38:09 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053

Event Record #/Type389 / Error
Event Submitted/Written: 05/03/2008 02:37:48 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.



-- End of Deckard's System Scanner: finished at 2008-05-06 04:50:23 ------------

Thx.
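One detail in the DSS log above that is easy to skim past is the Windows Firewall "AuthorizedApplications" export: every listed program, including C:\WINDOWS\system32\rundll32.exe, is Enabled with scope "*" (all networks). An exception for rundll32.exe is effectively an exception for any DLL it is asked to load, which is exactly how the rundll32-based Run entries later in this thread start their payloads. The script below is an added example for this page, not part of Deckard's System Scanner, ComboFix or HijackThis: it parses lines in that export format and flags exceptions worth a second look. The sample input is copied from the export above; the risk rules, the PROXY_BINARIES list, the windir value and the severity labels are the editor's own assumptions.

```python
"""Triage a Windows XP SP2 firewall AuthorizedApplications export (added example).

Each exported value has the form
    "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
where <scope> is "*" (any network) or a subnet list such as "LocalSubNet".
"""
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

_ENTRY = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
# Non-greedy path: the path holds a ':' after the drive letter, but the
# scope and state fields never do, so the first fit is the right split.
_VALUE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$'
)
_TRUSTED_ROOT = re.compile(r'^[a-z]:\\(windows|program files)\\')
_WINDIR = r"C:\WINDOWS"  # windir from the environment block in the log above (assumption)

# Binaries that run whatever code they are handed (a DLL, a script, a command
# line).  Whitelisting one of them in the firewall whitelists everything it
# loads.  This list is the editor's, not something the scanner reports.
PROXY_BINARIES = frozenset({
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "cmd.exe", "powershell.exe",
})

# Constructed sample input: lines copied from the DSS export above.  Regedit
# writes each backslash doubled, which parse_line() collapses.
SAMPLE_LINES = r'''
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\Azureus\\Azureus.exe"="D:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"D:\\pfingoTALK.exe"="D:\\pfingoTALK.exe:*:Enabled:pfingoTALK"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
'''.strip().splitlines()


class FirewallException(NamedTuple):
    path: str      # as written in the export, with doubled backslashes collapsed
    scope: str
    enabled: bool
    name: str


class Finding(NamedTuple):
    path: str
    severity: str
    reasons: Tuple[str, ...]


def parse_line(line: str) -> Optional[FirewallException]:
    """Return the parsed exception, or None for a line that is not one."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    v = _VALUE.match(m.group("value").replace("\\\\", "\\"))
    if not v:
        return None
    return FirewallException(v["path"], v["scope"], v["state"] == "Enabled", v["name"])


def assess(exc: FirewallException) -> Optional[Finding]:
    """Apply the editor's rules to one enabled exception; None means nothing notable."""
    if not exc.enabled:
        return None
    expanded = exc.path.lower().replace("%windir%", _WINDIR.lower())
    base = ntpath.basename(expanded)
    reasons = []
    severity = "low"
    if base in PROXY_BINARIES:
        reasons.append(f"{base} runs code handed to it; the exception covers any DLL or script it loads")
        severity = "high"
    elif not _TRUSTED_ROOT.match(expanded):
        reasons.append("executable lives outside Program Files and the Windows directory")
        severity = "medium"
        if ntpath.dirname(expanded) == ntpath.splitdrive(expanded)[0] + "\\":
            reasons.append("and sits at a drive root, where installers do not normally put binaries")
    if reasons and exc.scope == "*":
        reasons.append("scope '*' admits inbound traffic from any network, not only the local subnet")
    return Finding(exc.path, severity, tuple(reasons)) if reasons else None


def triage(lines) -> List[Finding]:
    """Parse every export line and keep the exceptions that trip a rule."""
    findings = []
    for line in lines:
        exc = parse_line(line)
        if exc is None:
            continue
        finding = assess(exc)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.path}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the five sample lines it reports two entries, D:\pfingoTALK.exe (a binary at a drive root, while a properly installed copy sits in C:\Program Files\pfingoTALK) and rundll32.exe; the Messenger, xpnetdiag and Azureus exceptions pass because they live under Program Files or the Windows directory and are not code-hosting binaries. The rules are deliberately simple so that they can be read and adjusted; a per-machine allow-list would be the next step.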

#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 May 2008 - 02:10 PM

Hello simplyaini,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 simplyaini
  • Topic Starter
  • Members
  • 3 posts

Posted 08 May 2008 - 02:46 AM

combofix:

ComboFix 08-05-01.3 - Qurratu'aini 2008-05-08 15:20:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1541 [GMT 8:00]
Running from: C:\Documents and Settings\Qurratu'aini\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtutqnk.dll
C:\WINDOWS\system32\bkcyllya.ini
C:\WINDOWS\system32\ddcbbbxw.dll
C:\WINDOWS\system32\dklloxbo.ini
C:\WINDOWS\system32\ebfgwlba.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnppqru.ini
C:\WINDOWS\system32\nnnppqru.ini2
C:\WINDOWS\system32\qybqiyhb.ini
C:\WINDOWS\system32\vvabuweb.ini
C:\WINDOWS\system32\vwycbbeg.ini
C:\WINDOWS\system32\vwycbbeg.ini2
C:\WINDOWS\system32\wxbbbcdd.ini
C:\WINDOWS\system32\wxbbbcdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-08 15:28 . 2008-05-08 15:28 268 --ah----- C:\sqmdata07.sqm
2008-05-08 15:28 . 2008-05-08 15:28 244 --ah----- C:\sqmnoopt07.sqm
2008-05-06 05:11 . 2008-05-06 05:11 268 --ah----- C:\sqmdata06.sqm
2008-05-06 05:11 . 2008-05-06 05:11 244 --ah----- C:\sqmnoopt06.sqm
2008-05-06 04:42 . 2008-05-06 04:42 <DIR> d-------- C:\Deckard
2008-05-06 04:33 . 2008-05-06 04:33 268 --ah----- C:\sqmdata05.sqm
2008-05-06 04:33 . 2008-05-06 04:33 244 --ah----- C:\sqmnoopt05.sqm
2008-05-06 03:28 . 2008-05-06 04:38 104,000 --a------ C:\WINDOWS\system32\oaphmxch.dll.vzr
2008-05-06 02:55 . 2008-05-06 02:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 02:55 . 2008-05-06 02:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 01:29 . 2008-05-06 01:29 <DIR> d-------- C:\VundoFix Backups
2008-05-02 23:25 . 2008-05-02 23:25 268 --ah----- C:\sqmdata04.sqm
2008-05-02 23:25 . 2008-05-02 23:25 244 --ah----- C:\sqmnoopt04.sqm
2008-05-01 23:35 . 2008-05-01 23:35 268 --ah----- C:\sqmdata03.sqm
2008-05-01 23:35 . 2008-05-01 23:35 244 --ah----- C:\sqmnoopt03.sqm
2008-05-01 13:31 . 2008-05-06 04:36 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-01 01:37 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-01 01:37 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-01 01:37 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-01 01:37 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-01 01:35 . 2008-05-03 15:36 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-01 01:35 . 2008-05-01 01:35 <DIR> d-------- C:\Documents and Settings\Qurratu'aini\Application Data\PC Tools
2008-04-30 22:13 . 2008-05-06 04:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-30 16:10 . 2008-04-30 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-29 15:19 . 2008-04-29 15:19 8 --a------ C:\WINDOWS\system32\60176c5b
2008-04-29 13:54 . 2008-05-06 04:47 4,488 --a------ C:\rollback.ini
2008-04-29 13:32 . 2008-04-29 18:11 512 --a------ C:\ScanSectorLog.dat
2008-04-29 13:26 . 2008-04-30 16:16 <DIR> d-------- C:\Documents and Settings\Qurratu'aini\Application Data\MailFrontier
2008-04-29 13:17 . 2008-05-08 15:33 2,283,040 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-29 13:17 . 2008-05-08 15:28 33,692 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-29 13:07 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-29 13:07 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-29 13:07 . 2008-05-01 20:55 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-29 13:06 . 2008-05-08 15:09 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-29 13:06 . 2008-04-29 13:06 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-29 13:06 . 2008-03-13 23:11 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-29 13:06 . 2008-05-08 15:30 355,090 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-29 13:05 . 2008-05-08 15:29 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-29 12:59 . 2008-04-29 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-27 03:26 . 2008-04-27 03:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-27 03:26 . 2008-04-27 03:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-22 04:17 . 2008-04-22 04:17 <DIR> d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Talkback
2008-04-22 04:17 . 2008-04-22 04:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-21 12:01 . 2008-04-29 12:54 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-21 10:11 . 2008-04-29 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-21 10:05 . 2008-04-21 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-19 03:53 . 2008-04-19 03:53 1,524 --a------ C:\WINDOWS\system32\opnkkjjk.dll
2008-04-19 02:53 . 2008-04-19 02:53 1,524 --a------ C:\WINDOWS\system32\vtutqnmk.dll
2008-04-18 20:24 . 2008-04-19 00:18 <DIR> d-------- C:\Documents and Settings\Qurratu'aini\Application Data\AVGTOOLBAR
2008-04-17 16:50 . 2008-05-06 03:29 109,734 --a------ C:\WINDOWS\BM63244d49.xml
2008-04-15 22:50 . 2008-04-15 22:50 30,720 --a------ C:\WINDOWS\system32\iifeddcd.dll
2008-04-15 22:50 . 2008-04-15 22:50 10,240 --a------ C:\Documents and Settings\Qurratu'aini\services.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 07:29 1,296,835 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-03 09:05 489,472 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-03 09:05 2,168,832 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-05-02 15:28 2,168,320 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-02 15:28 1,623,040 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-01 15:51 832,512 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-05-01 15:51 2,167,296 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-01 11:10 729,088 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-01 06:50 332,288 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-01 06:50 2,167,296 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-04-30 18:47 515,584 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-30 18:47 2,168,320 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-04-30 16:11 167,424 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-30 15:34 1,433,600 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-30 06:50 2,015,232 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-29 09:16 1,996,800 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-04-29 08:06 222,720 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-04-29 07:40 145,408 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-29 07:15 187,392 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-18 06:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-18 06:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-09 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-27 04:54 --------- d-----w C:\Program Files\Java
2008-03-22 16:23 --------- d-----w C:\Documents and Settings\Qurratu'aini\Application Data\Azureus
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 07:02 --------- d-----w C:\Program Files\pfingoTALK
2008-03-13 16:57 --------- d-----w C:\Program Files\Canon
2008-03-09 06:49 --------- d-----w C:\Program Files\QuickTime
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DC2D282-D414-435E-8A26-FF3C23AC36EF}]
2008-04-15 22:50 30720 --a------ C:\WINDOWS\system32\iifeddcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC760658-C91E-4D8F-A0E2-8A4250AD11E3}]
C:\WINDOWS\system32\urqppnnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7EB611B-6C04-4F79-9B08-2E9A79787909}]
C:\WINDOWS\system32\gebbcywv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-27 15:38 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-27 15:38 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-27 15:38 137752]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 15:08 16380416 C:\WINDOWS\RTHDCPL.exe]
"HotKey"="C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe" [2007-08-23 05:30 4304896]
"QLButton"="C:\Program Files\Quick Launch Button\QLButton.exe" [2005-01-07 05:53 106496]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-02 16:31 204800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 09:10 409600]
"60177ed5"="C:\WINDOWS\system32\ayllyckb.dll" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"BM63244d49"="C:\WINDOWS\system32\oaphmxch.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-06-07 07:50:42 657168]
PenMount Monitor.lnk - C:\Program Files\PenMount Universal Driver\PMonitor.exe [2007-03-16 11:36:40 637440]
pfingoTALK.lnk - C:\WINDOWS\Installer\{BBA55A18-8923-4EAE-B943-DFDEC5AF192B}\_4A17C5455E82E4D623415B.exe [2008-03-16 15:02:03 13094]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6DC2D282-D414-435E-8A26-FF3C23AC36EF}"= C:\WINDOWS\system32\iifeddcd.dll [2008-04-15 22:50 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeddcd]
iifeddcd.dll 2008-04-15 22:50 30720 C:\WINDOWS\system32\iifeddcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\pfingoTALK\\pfingoTALK.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-05-06 04:36]
R2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-18 12:09]
R3 acpi_contactor;acpi_contactor Driver;C:\WINDOWS\system32\DRIVERS\acpi_contactor_xp.sys [2007-07-28 07:26]
R3 pmufiltr;PenMount USB Mouse Filter;C:\WINDOWS\system32\DRIVERS\pmufiltr.sys [2007-02-15 11:23]
R3 pmusb6k;pmusb6k;C:\WINDOWS\system32\DRIVERS\pmusb6k.sys [2007-02-15 11:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66e86ba1-ba20-11dc-82a9-000df041baa8}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df36a2f-0b12-11dd-83be-000df04b8b47}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d975b1b7-bf4b-11dc-82c2-000df041baa8}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 23:26:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 15:32:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 93

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iifeddcd.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-05-08 15:35:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-08 07:35:45

Pre-Run: 45,778,706,432 bytes free
Post-Run: 45,710,012,416 bytes free

228 --- E O F --- 2008-04-19 08:57:53

main.txt

Deckard's System Scanner v20071014.68
Run by Qurratu'aini on 2008-05-08 15:37:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-08 15:37:55
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe
C:\Program Files\Quick Launch Button\QLButton.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\PenMount Universal Driver\PMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Qurratu'aini\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {6DC2D282-D414-435E-8A26-FF3C23AC36EF} - C:\WINDOWS\system32\iifeddcd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CC760658-C91E-4D8F-A0E2-8A4250AD11E3} - C:\WINDOWS\system32\urqppnnn.dll (file missing)
O2 - BHO: (no name) - {F7EB611B-6C04-4F79-9B08-2E9A79787909} - C:\WINDOWS\system32\gebbcywv.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HotKey] C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe
O4 - HKLM\..\Run: [QLButton] C:\Program Files\Quick Launch Button\QLButton.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [60177ed5] rundll32.exe "C:\WINDOWS\system32\ayllyckb.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM63244d49] Rundll32.exe "C:\WINDOWS\system32\oaphmxch.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: PenMount Monitor.lnk = C:\Program Files\PenMount Universal Driver\PMonitor.exe
O4 - Global Startup: pfingoTALK.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://spring1.ura.gov.sg/mapguide6/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199555252328
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://mocca.com/MediaCorp/ImageUploader4.cab
O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: iifeddcd - C:\WINDOWS\system32\iifeddcd.dll
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 8753 bytes

-- Files created between 2008-04-08 and 2008-05-08 -----------------------------

2008-05-08 15:18:25 68096 --a------ C:\WINDOWS\zip.exe
2008-05-08 15:18:25 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-08 15:18:25 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-08 15:18:25 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-08 15:18:25 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-08 15:18:25 98816 --a------ C:\WINDOWS\sed.exe
2008-05-08 15:18:25 80412 --a------ C:\WINDOWS\grep.exe
2008-05-08 15:18:25 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-06 02:55:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 02:55:36 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 01:29:34 0 d-------- C:\VundoFix Backups
2008-05-01 13:31:53 2560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-01 01:35:13 0 d-------- C:\Program Files\Spyware Doctor
2008-05-01 01:35:13 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\PC Tools
2008-04-30 22:13:13 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-30 16:10:10 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-29 15:19:48 8 --a------ C:\WINDOWS\system32\60176c5b
2008-04-29 13:32:36 512 --a------ C:\ScanSectorLog.dat
2008-04-29 13:26:19 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\MailFrontier
2008-04-29 13:17:55 2290208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-29 13:07:13 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-29 13:07:01 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-04-29 13:06:39 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-29 13:05:32 0 d-------- C:\WINDOWS\Internet Logs
2008-04-29 12:59:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-22 04:17:18 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Talkback
2008-04-22 04:17:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-22 04:16:46 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Mozilla
2008-04-21 12:01:07 0 dr-h----- C:\$VAULT$.AVG
2008-04-21 10:11:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-21 10:05:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-19 03:53:09 1524 --a------ C:\WINDOWS\system32\opnkkjjk.dll
2008-04-19 02:53:08 1524 --a------ C:\WINDOWS\system32\vtutqnmk.dll
2008-04-18 20:24:32 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\AVGTOOLBAR
2008-04-15 22:50:22 30720 --a------ C:\WINDOWS\system32\iifeddcd.dll
2008-04-15 22:50:12 10240 --a------ C:\Documents and Settings\Qurratu'aini\services.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-18 14:39:02 0 d-------- C:\Program Files\Common Files
2008-03-27 12:54:46 0 d-------- C:\Program Files\Java
2008-03-23 00:23:24 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Azureus
2008-03-16 15:02:57 0 d-------- C:\Program Files\pfingoTALK
2008-03-14 00:57:30 0 d-------- C:\Program Files\Canon
2008-03-09 14:49:35 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DC2D282-D414-435E-8A26-FF3C23AC36EF}]
04/15/2008 10:50 PM 30720 --a------ C:\WINDOWS\system32\iifeddcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC760658-C91E-4D8F-A0E2-8A4250AD11E3}]
C:\WINDOWS\system32\urqppnnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7EB611B-6C04-4F79-9B08-2E9A79787909}]
C:\WINDOWS\system32\gebbcywv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [06/27/2007 03:38 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [06/27/2007 03:38 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [06/27/2007 03:38 PM]
"RTHDCPL"="RTHDCPL.EXE" [07/05/2007 03:08 PM C:\WINDOWS\RTHDCPL.exe]
"HotKey"="C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe" [08/23/2007 05:30 AM]
"QLButton"="C:\Program Files\Quick Launch Button\QLButton.exe" [01/07/2005 05:53 AM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [08/02/2007 04:31 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [10/26/2005 05:17 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [01/14/2004 09:10 AM]
"60177ed5"="C:\WINDOWS\system32\ayllyckb.dll" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"BM63244d49"="C:\WINDOWS\system32\oaphmxch.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [6/7/2007 7:50:42 AM]
PenMount Monitor.lnk - C:\Program Files\PenMount Universal Driver\PMonitor.exe [3/16/2007 11:36:40 AM]
pfingoTALK.lnk - C:\WINDOWS\Installer\{BBA55A18-8923-4EAE-B943-DFDEC5AF192B}\_4A17C5455E82E4D623415B.exe [3/16/2008 3:02:03 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DC2D282-D414-435E-8A26-FF3C23AC36EF}"= C:\WINDOWS\system32\iifeddcd.dll [04/15/2008 10:50 PM 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeddcd]
iifeddcd.dll 04/15/2008 10:50 PM 30720 C:\WINDOWS\system32\iifeddcd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66e86ba1-ba20-11dc-82a9-000df041baa8}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df36a2f-0b12-11dd-83be-000df04b8b47}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d975b1b7-bf4b-11dc-82c2-000df041baa8}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe




-- End of Deckard's System Scanner: finished at 2008-05-08 15:39:12 ------------


Thank you.

#4 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas
  • Local time: 12:17 AM

Posted 08 May 2008 - 10:13 AM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\iifeddcd.dll
C:\WINDOWS\system32\urqppnnn.dll
C:\WINDOWS\system32\gebbcywv.dll
C:\WINDOWS\system32\iifeddcd.dll
C:\WINDOWS\system32\60176c5b
C:\WINDOWS\system32\opnkkjjk.dll
C:\WINDOWS\system32\vtutqnmk.dll
C:\WINDOWS\system32\ayllyckb.dll
C:\WINDOWS\system32\oaphmxch.dll
C:\WINDOWS\BM63244d49.xml

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DC2D282-D414-435E-8A26-FF3C23AC36EF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC760658-C91E-4D8F-A0E2-8A4250AD11E3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7EB611B-6C04-4F79-9B08-2E9A79787909}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeddcd]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
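As an added example (not code from this thread, nor from HijackThis or ComboFix), the Python below parses HijackThis O4 lines and flags Run values whose target file is no longer on disk. The CFScript above deletes ayllyckb.dll and oaphmxch.dll, but its Registry:: section does not remove the 60177ed5 and BM63244d49 Run values that load them through rundll32.exe, so a check like this is what surfaces the leftovers; the log lines and the set of "present" files are constructed from this thread's logs to mirror the state after the script has run.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# HijackThis O4 registry-run line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class AutorunEntry:
    hive: str
    name: str
    command: str
    target: str          # the file that must exist for the entry to work
    via_rundll32: bool   # True when target is a DLL handed to rundll32.exe


def _first_executable(cmd: str) -> str:
    """Program part of a Run command line.

    Quoted paths are taken as-is; unquoted paths with spaces (as HijackThis
    prints them) are taken up to the first '.exe', which is how Windows
    resolves them when it walks the prefixes of the command line.
    """
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def _rundll32_module(rest: str) -> str:
    """DLL path from rundll32 arguments such as '"C:\\x.dll",b' or 'x.dll,s'."""
    rest = rest.strip()
    m = re.match(r'"([^"]+)"|([^,\s]+)', rest)
    return (m.group(1) or m.group(2)) if m else rest


def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one HijackThis O4 registry-run line; None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    exe = _first_executable(cmd)
    rest = cmd[len(exe) + (2 if cmd.startswith('"') else 0):]
    if exe.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        # rundll32 "<dll>",<export>: the DLL, not rundll32, is the real autorun
        return AutorunEntry(m.group("hive"), m.group("name"), cmd, _rundll32_module(rest), True)
    return AutorunEntry(m.group("hive"), m.group("name"), cmd, exe, False)


def find_orphaned(lines: Iterable[str], present: Set[str]) -> List[AutorunEntry]:
    """O4 entries whose target is an absolute path not found in `present`.

    `present` stands in for the file system (lower-cased absolute paths).
    Bare names such as RTHDCPL.EXE are resolved through PATH by Windows and
    are not judged here.
    """
    orphans: List[AutorunEntry] = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None or not DRIVE_RE.match(entry.target):
            continue
        if entry.target.lower() not in present:
            orphans.append(entry)
    return orphans


# Constructed sample: O4 lines taken from the HijackThis log in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"O4 - HKLM\..\Run: [HotKey] C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon",
    r'O4 - HKLM\..\Run: [60177ed5] rundll32.exe "C:\WINDOWS\system32\ayllyckb.dll",b',
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r'O4 - HKLM\..\Run: [BM63244d49] Rundll32.exe "C:\WINDOWS\system32\oaphmxch.dll",s',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe",
]

# Constructed stand-in for the disk after the CFScript ran: the legitimate
# programs are still there, the two deleted DLLs are not.
SAMPLE_PRESENT = {p.lower() for p in [
    r"C:\WINDOWS\system32\igfxtray.exe",
    r"C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe",
    r"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe",
    r"C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE",
    r"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
]}

if __name__ == "__main__":
    for e in find_orphaned(SAMPLE_LOG, SAMPLE_PRESENT):
        how = "rundll32 module" if e.via_rundll32 else "program"
        print(f"{e.hive}\\..\\Run [{e.name}]: {how} missing -> {e.target}")
```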

#5 simplyaini

simplyaini
  • Topic Starter

  • Members
  • 3 posts
  • Local time: 01:17 PM

Posted 09 May 2008 - 04:22 AM

Hi,
Now there is no more adware popping up. However, on start-up, 2 rundll windows pop up. They read:

Error loading C:\WINDOWS\system32\oaphmxch.dll
The specified module could not be found.

and

Error loading C:\WINDOWS\system32\ayllyckb.dll
The specified module could not be found.

Otherwise everything seems fine.

Anyway, here are the logs:

ComboFix

ComboFix 08-05-01.3 - Qurratu'aini 2008-05-09 15:19:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1571 [GMT 8:00]
Running from: C:\Documents and Settings\Qurratu'aini\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Qurratu'aini\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM63244d49.xml
C:\WINDOWS\system32\60176c5b
C:\WINDOWS\system32\ayllyckb.dll
C:\WINDOWS\system32\gebbcywv.dll
C:\WINDOWS\system32\iifeddcd.dll
C:\WINDOWS\system32\oaphmxch.dll
C:\WINDOWS\system32\opnkkjjk.dll
C:\WINDOWS\system32\urqppnnn.dll
C:\WINDOWS\system32\vtutqnmk.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\BM63244d49.xml
C:\WINDOWS\system32\60176c5b
C:\WINDOWS\system32\iifeddcd.dll
C:\WINDOWS\system32\opnkkjjk.dll
C:\WINDOWS\system32\vtutqnmk.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 16:08 . 2008-05-09 16:08 268 --ah----- C:\sqmdata09.sqm
2008-05-09 16:08 . 2008-05-09 16:08 244 --ah----- C:\sqmnoopt09.sqm
2008-05-08 16:42 . 2008-05-08 16:42 268 --ah----- C:\sqmdata08.sqm
2008-05-08 16:42 . 2008-05-08 16:42 244 --ah----- C:\sqmnoopt08.sqm
2008-05-08 15:28 . 2008-05-08 15:28 268 --ah----- C:\sqmdata07.sqm
2008-05-08 15:28 . 2008-05-08 15:28 244 --ah----- C:\sqmnoopt07.sqm
2008-05-06 05:11 . 2008-05-06 05:11 268 --ah----- C:\sqmdata06.sqm
2008-05-06 05:11 . 2008-05-06 05:11 244 --ah----- C:\sqmnoopt06.sqm
2008-05-06 04:42 . 2008-05-06 04:42 <DIR> d-------- C:\Deckard
2008-05-06 04:33 . 2008-05-06 04:33 268 --ah----- C:\sqmdata05.sqm
2008-05-06 04:33 . 2008-05-06 04:33 244 --ah----- C:\sqmnoopt05.sqm
2008-05-06 03:28 . 2008-05-06 04:38 104,000 --a------ C:\WINDOWS\system32\oaphmxch.dll.vzr
2008-05-06 02:55 . 2008-05-06 02:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-06 02:55 . 2008-05-06 02:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 23:25 . 2008-05-02 23:25 268 --ah----- C:\sqmdata04.sqm
2008-05-02 23:25 . 2008-05-02 23:25 244 --ah----- C:\sqmnoopt04.sqm
2008-05-01 23:35 . 2008-05-01 23:35 268 --ah----- C:\sqmdata03.sqm
2008-05-01 23:35 . 2008-05-01 23:35 244 --ah----- C:\sqmnoopt03.sqm
2008-05-01 13:31 . 2008-05-06 04:36 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-01 01:37 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-01 01:37 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-01 01:37 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-01 01:37 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-01 01:35 . 2008-05-03 15:36 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-01 01:35 . 2008-05-01 01:35 <DIR> d-------- C:\Documents and Settings\Qurratu'aini\Application Data\PC Tools
2008-04-30 22:13 . 2008-05-06 04:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-30 16:10 . 2008-04-30 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-29 13:54 . 2008-05-06 04:47 4,488 --a------ C:\rollback.ini
2008-04-29 13:32 . 2008-04-29 18:11 512 --a------ C:\ScanSectorLog.dat
2008-04-29 13:26 . 2008-04-30 16:16 <DIR> d-------- C:\Documents and Settings\Qurratu'aini\Application Data\MailFrontier
2008-04-29 13:17 . 2008-05-09 16:13 2,313,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-29 13:17 . 2008-05-09 16:09 34,100 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-29 13:07 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-29 13:07 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-29 13:07 . 2008-05-01 20:55 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-29 13:06 . 2008-05-08 15:09 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-29 13:06 . 2008-04-29 13:06 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-29 13:06 . 2008-03-13 23:11 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-29 13:06 . 2008-05-09 16:11 355,090 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-29 13:05 . 2008-05-09 16:10 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-29 12:59 . 2008-04-29 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-27 03:26 . 2008-04-27 03:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-27 03:26 . 2008-04-27 03:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-22 04:17 . 2008-04-22 04:17 <DIR> d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Talkback
2008-04-22 04:17 . 2008-04-22 04:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-21 12:01 . 2008-04-29 12:54 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-21 10:11 . 2008-04-29 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-21 10:05 . 2008-04-21 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-18 20:24 . 2008-04-19 00:18 <DIR> d-------- C:\Documents and Settings\Qurratu'aini\Application Data\AVGTOOLBAR
2008-04-15 22:50 . 2008-04-15 22:50 10,240 --a------ C:\Documents and Settings\Qurratu'aini\services.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 08:09 598,016 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-08 07:29 1,296,835 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-03 09:05 489,472 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-03 09:05 2,168,832 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-05-02 15:28 2,168,320 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-02 15:28 1,623,040 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-01 15:51 832,512 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-05-01 15:51 2,167,296 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-01 11:10 729,088 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-01 06:50 332,288 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-05-01 06:50 2,167,296 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-04-30 18:47 515,584 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-04-30 18:47 2,168,320 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-04-30 16:11 167,424 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-04-30 15:34 1,433,600 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-04-30 06:50 2,015,232 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-04-29 09:16 1,996,800 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-04-29 08:06 222,720 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-04-29 07:40 145,408 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-04-29 07:15 187,392 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-04-18 06:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-18 06:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-09 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-27 04:54 --------- d-----w C:\Program Files\Java
2008-03-22 16:23 --------- d-----w C:\Documents and Settings\Qurratu'aini\Application Data\Azureus
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 07:02 --------- d-----w C:\Program Files\pfingoTALK
2008-03-13 16:57 --------- d-----w C:\Program Files\Canon
2008-03-09 06:49 --------- d-----w C:\Program Files\QuickTime
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-08_15.34.45.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-08 07:29:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 08:10:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-08 07:30:01 269,084 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-05-09 08:10:54 269,280 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-05-08 07:20:50 950,784 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-05-09 07:19:14 950,784 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-27 15:38 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-27 15:38 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-27 15:38 137752]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 15:08 16380416 C:\WINDOWS\RTHDCPL.exe]
"HotKey"="C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe" [2007-08-23 05:30 4304896]
"QLButton"="C:\Program Files\Quick Launch Button\QLButton.exe" [2005-01-07 05:53 106496]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-02 16:31 204800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 09:10 409600]
"60177ed5"="C:\WINDOWS\system32\ayllyckb.dll" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"BM63244d49"="C:\WINDOWS\system32\oaphmxch.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-06-07 07:50:42 657168]
PenMount Monitor.lnk - C:\Program Files\PenMount Universal Driver\PMonitor.exe [2007-03-16 11:36:40 637440]
pfingoTALK.lnk - C:\WINDOWS\Installer\{BBA55A18-8923-4EAE-B943-DFDEC5AF192B}\_4A17C5455E82E4D623415B.exe [2008-03-16 15:02:03 13094]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\pfingoTALK\\pfingoTALK.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-05-06 04:36]
R2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-18 12:09]
R3 acpi_contactor;acpi_contactor Driver;C:\WINDOWS\system32\DRIVERS\acpi_contactor_xp.sys [2007-07-28 07:26]
R3 pmufiltr;PenMount USB Mouse Filter;C:\WINDOWS\system32\DRIVERS\pmufiltr.sys [2007-02-15 11:23]
R3 pmusb6k;pmusb6k;C:\WINDOWS\system32\DRIVERS\pmusb6k.sys [2007-02-15 11:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66e86ba1-ba20-11dc-82a9-000df041baa8}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df36a2f-0b12-11dd-83be-000df04b8b47}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d975b1b7-bf4b-11dc-82c2-000df041baa8}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 23:26:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 16:12:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 93

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-05-09 16:16:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 08:16:23

Pre-Run: 45,690,109,952 bytes free
Post-Run: 45,652,582,400 bytes free

225 --- E O F --- 2008-04-19 08:57:53

main.txt

Deckard's System Scanner v20071014.68
Run by Qurratu'aini on 2008-05-09 17:10:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-09 17:10:42
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe
C:\Program Files\Quick Launch Button\QLButton.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\PenMount Universal Driver\PMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Qurratu'aini\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HotKey] C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe
O4 - HKLM\..\Run: [QLButton] C:\Program Files\Quick Launch Button\QLButton.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [60177ed5] rundll32.exe "C:\WINDOWS\system32\ayllyckb.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM63244d49] Rundll32.exe "C:\WINDOWS\system32\oaphmxch.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: PenMount Monitor.lnk = C:\Program Files\PenMount Universal Driver\PMonitor.exe
O4 - Global Startup: pfingoTALK.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://spring1.ura.gov.sg/mapguide6/mgaxctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199555252328
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://mocca.com/MediaCorp/ImageUploader4.cab
O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 8438 bytes

-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-08 15:18:25 68096 --a------ C:\WINDOWS\zip.exe
2008-05-08 15:18:25 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-08 15:18:25 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-08 15:18:25 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-08 15:18:25 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-08 15:18:25 98816 --a------ C:\WINDOWS\sed.exe
2008-05-08 15:18:25 80412 --a------ C:\WINDOWS\grep.exe
2008-05-08 15:18:25 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-06 02:55:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-06 02:55:36 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-01 13:31:53 2560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-05-01 01:35:13 0 d-------- C:\Program Files\Spyware Doctor
2008-05-01 01:35:13 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\PC Tools
2008-04-30 22:13:13 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-30 16:10:10 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-29 13:32:36 512 --a------ C:\ScanSectorLog.dat
2008-04-29 13:26:19 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\MailFrontier
2008-04-29 13:17:55 2349344 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-29 13:07:13 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-04-29 13:07:01 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-04-29 13:06:39 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-29 13:05:32 0 d-------- C:\WINDOWS\Internet Logs
2008-04-29 12:59:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-22 04:17:18 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Talkback
2008-04-22 04:17:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-22 04:16:46 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Mozilla
2008-04-21 12:01:07 0 dr-h----- C:\$VAULT$.AVG
2008-04-21 10:11:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-21 10:05:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-04-18 20:24:32 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\AVGTOOLBAR
2008-04-15 22:50:12 10240 --a------ C:\Documents and Settings\Qurratu'aini\services.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-18 14:39:02 0 d-------- C:\Program Files\Common Files
2008-03-27 12:54:46 0 d-------- C:\Program Files\Java
2008-03-23 00:23:24 0 d-------- C:\Documents and Settings\Qurratu'aini\Application Data\Azureus
2008-03-16 15:02:57 0 d-------- C:\Program Files\pfingoTALK
2008-03-14 00:57:30 0 d-------- C:\Program Files\Canon
2008-03-09 14:49:35 0 d-------- C:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [06/27/2007 03:38 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [06/27/2007 03:38 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [06/27/2007 03:38 PM]
"RTHDCPL"="RTHDCPL.EXE" [07/05/2007 03:08 PM C:\WINDOWS\RTHDCPL.exe]
"HotKey"="C:\Program Files\INVENTEC\HotKey Utility\HotKey.exe" [08/23/2007 05:30 AM]
"QLButton"="C:\Program Files\Quick Launch Button\QLButton.exe" [01/07/2005 05:53 AM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [08/02/2007 04:31 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [10/26/2005 05:17 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [01/14/2004 09:10 AM]
"60177ed5"="C:\WINDOWS\system32\ayllyckb.dll" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"BM63244d49"="C:\WINDOWS\system32\oaphmxch.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [6/7/2007 7:50:42 AM]
PenMount Monitor.lnk - C:\Program Files\PenMount Universal Driver\PMonitor.exe [3/16/2007 11:36:40 AM]
pfingoTALK.lnk - C:\WINDOWS\Installer\{BBA55A18-8923-4EAE-B943-DFDEC5AF192B}\_4A17C5455E82E4D623415B.exe [3/16/2008 3:02:03 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66e86ba1-ba20-11dc-82a9-000df041baa8}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6df36a2f-0b12-11dd-83be-000df04b8b47}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d975b1b7-bf4b-11dc-82c2-000df041baa8}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe




-- End of Deckard's System Scanner: finished at 2008-05-09 17:11:54 ------------

Thank you.

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 May 2008 - 10:04 AM

Hello,

You're welcome. :thumbsup:

Those are actually GOOD error messages you're getting! :thumbsup: That means the bad files are not being found, so they cannot run. We'll fix that right now:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [60177ed5] rundll32.exe "C:\WINDOWS\system32\ayllyckb.dll",b
O4 - HKLM\..\Run: [BM63244d49] Rundll32.exe "C:\WINDOWS\system32\oaphmxch.dll",s


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following files (if they exist):

C:\WINDOWS\system32\oaphmxch.dll
C:\WINDOWS\system32\ayllyckb.dll

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Please let me know if that fixed the problem and if it's still running well. We're just about done! :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
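As an added example (not code posted in this thread), a small Python heuristic that scores HijackThis O4 lines the way the two entries above were singled out: launched through rundll32 from a system32 DLL with a random-looking 8-letter name, a single-letter export, and a hex-style Run value name. The sample lines are copied from the log above; the heuristics and the two-of-three threshold are this example's own assumption, not a HijackThis rule.

```python
import re

# HijackThis O4 lines copied from the log above: four legitimate autostarts
# and the two entries teacup61 asked to have fixed.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [60177ed5] rundll32.exe "C:\WINDOWS\system32\ayllyckb.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM63244d49] Rundll32.exe "C:\WINDOWS\system32\oaphmxch.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# rundll32.exe "<path>.dll",<export>  (case-insensitive, quotes optional)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
HEXNAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$', re.I)   # e.g. 60177ed5, BM63244d49


def flag_o4_entries(lines, min_reasons=2):
    """Return [(value_name, dll_path, reasons)] for O4 entries matching at least
    min_reasons of the heuristics below. The heuristics are this example's own
    assumption, chosen to fit the two loaders in this thread."""
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        r = RUNDLL_RE.match(m['cmd'])
        if not r:
            continue                      # plain EXE autostarts are not scored here
        dll = r['dll']
        base = dll.rsplit('\\', 1)[-1][:-4].lower()   # e.g. "ayllyckb"
        reasons = []
        if '\\system32\\' in dll.lower() and re.fullmatch(r'[a-z]{8}', base):
            reasons.append('8-letter random-looking DLL name in system32')
        if len(r['export']) == 1:
            reasons.append('single-letter export "%s"' % r['export'])
        if HEXNAME_RE.match(m['name']):
            reasons.append('hex-style Run value name')
        if len(reasons) >= min_reasons:
            hits.append((m['name'], dll, reasons))
    return hits


if __name__ == '__main__':
    for name, dll, reasons in flag_o4_entries(SAMPLE_O4_LINES):
        print('[%s] %s\n    %s' % (name, dll, '; '.join(reasons)))
```

A flagged entry is a lead to verify (file properties, scan results, the DSS registry dump), not a verdict; legitimate software does occasionally autostart through rundll32.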

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 May 2008 - 11:50 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.