Infected With Troj_vundo.bmf


  • This topic is locked
35 replies to this topic

#1 jacobean

jacobean

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:54 PM

Posted 11 May 2008 - 09:19 AM

Deckard's System Scanner v20071014.68
Run by Jen on 2008-05-11 09:14:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jen.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:40 AM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jen\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jen.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: {e4cf4061-c7b2-656b-4e34-bc68d977cc42} - {24cc779d-86cb-43e4-b656-2b7c1604fc4e} - C:\WINDOWS\system32\fqgmrbah.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O20 - Winlogon Notify: geBtTLdb - C:\WINDOWS\SYSTEM32\geBtTLdb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7824 bytes

-- Files created between 2008-04-11 and 2008-05-11 -----------------------------

2008-05-11 09:10:56 45568 --a------ C:\WINDOWS\system32\geBtTLdb.dll
2008-05-10 23:53:15 2112 --a------ C:\WINDOWS\system32\kqpmbjsm.exe
2008-05-10 23:37:07 0 d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24:36 0 d-------- C:\Program Files\Trend Micro
2008-05-10 21:24:19 102464 --a------ C:\WINDOWS\system32\fqgmrbah.dll
2008-05-10 21:22:13 2112 --a------ C:\WINDOWS\system32\parvjhch.exe
2008-05-10 21:22:01 100416 --a------ C:\WINDOWS\system32\hhxhjvki.dll
2008-05-10 21:15:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 21:15:52 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 20:02:55 2112 --a------ C:\WINDOWS\system32\uitebrro.exe
2008-05-10 19:59:56 102464 --a------ C:\WINDOWS\system32\wiknbmvg.dll
2008-05-10 19:38:10 0 d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 17:55:16 0 d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 17:45:04 0 d-------- C:\WINDOWS\CSC
2008-05-10 17:31:03 0 d-------- C:\VundoFix Backups
2008-05-10 00:13:59 0 d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:13:04 0 d-------- C:\WINDOWS\Sun
2008-05-10 00:13:04 0 d-------- C:\Documents and Settings\Jen\Application Data\Sun
2008-05-10 00:12:05 0 d-------- C:\Program Files\Java
2008-05-10 00:11:43 0 d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05:49 0 d-------- C:\Program Files\Lavasoft
2008-05-10 00:05:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-10 00:05:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-09 22:50:43 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-05-09 22:50:13 0 d-------- C:\Program Files\The Rosetta Stone
2008-05-09 21:45:01 102976 --a------ C:\WINDOWS\system32\mispiumi.dll
2008-05-09 21:44:59 2112 --a------ C:\WINDOWS\system32\rjrpspsy.exe
2008-05-09 21:43:34 93248 -----n--- C:\WINDOWS\system32\uffqupnc.dll
2008-05-08 18:10:26 0 d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19:48 0 d-------- C:\Program Files\WinWay Resume
2008-05-08 17:07:11 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04:20 0 d-------- C:\WINDOWS\ShellNew
2008-05-08 13:07:12 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07:00 96256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-05-08 13:07:00 0 d-------- C:\Program Files\MagicDisc
2008-05-08 13:00:57 676224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27:26 0 d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:25:21 0 d-------- C:\Program Files\Intel
2008-04-15 00:24:55 0 d-------- C:\Program Files\Boot Camp
2008-04-15 00:24:33 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-15 00:23:43 0 d-------- C:\b6e08edce99366c883379f40db2e1f
2008-04-15 00:23:38 0 d-------- C:\Program Files\Motorola
2008-04-15 00:23:33 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-04-15 00:23:15 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23:07 0 d-------- C:\Program Files\Realtek
2008-04-15 00:23:06 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-04-15 00:23:06 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-15 00:23:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22:53 0 d-------- C:\Program Files\SigmaTel
2008-04-15 00:22:35 0 d-------- C:\WINDOWS\nview
2008-04-15 00:22:24 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2008-04-15 00:22:24 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-04-15 00:22:24 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-04-15 00:22:24 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-15 00:22:23 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-04-15 00:22:23 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-04-15 00:22:23 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-04-15 00:22:22 1474560 --a------ C:\WINDOWS\system32\nview.dll
2008-04-15 00:22:07 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:22:04 0 d-------- C:\Intel
2008-04-15 00:21:33 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21:33 0 d-------- C:\Program Files\DIFX
2008-04-15 00:21:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 23:06:17 0 d-------- C:\Documents and Settings\Jen\Application Data\Identities
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\Templates
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\Start Menu
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\SendTo
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\Recent
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\PrintHood
2008-04-14 23:06:07 1572864 --ah----- C:\Documents and Settings\Jen\NTUSER.DAT
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\NetHood
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\My Documents
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\Local Settings
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\Favorites
2008-04-14 23:06:07 0 d-------- C:\Documents and Settings\Jen\Desktop
2008-04-14 23:06:07 0 d--hs---- C:\Documents and Settings\Jen\Cookies
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\Application Data
2008-04-14 23:05:08 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-14 23:05:08 0 d-------- C:\WINDOWS\Prefetch
2008-04-14 23:05:06 237568 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-14 23:05:06 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-14 23:05:06 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-14 23:05:06 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-14 23:05:06 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-14 23:04:46 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-14 23:04:46 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-14 23:04:46 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-14 23:04:46 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-14 23:04:46 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-14 23:01:37 0 d-------- C:\WINDOWS\system32\xircom
2008-04-14 23:01:37 0 d-------- C:\Program Files\microsoft frontpage
2008-04-14 23:01:27 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-14 23:01:14 0 -rahs---- C:\MSDOS.SYS
2008-04-14 23:01:14 0 -rahs---- C:\IO.SYS
2008-04-14 23:01:14 0 --a------ C:\CONFIG.SYS
2008-04-14 23:01:14 0 --a------ C:\AUTOEXEC.BAT
2008-04-14 23:00:13 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-14 22:59:53 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-14 22:59:32 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-14 22:58:57 0 d---s---- C:\WINDOWS\Tasks
2008-04-14 22:58:56 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-14 22:58:52 0 d-------- C:\WINDOWS\srchasst
2008-04-14 22:58:42 0 d-------- C:\Program Files\Movie Maker
2008-04-14 22:58:33 0 d-------- C:\WINDOWS\system32\Restore
2008-04-14 22:57:44 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-14 22:57:24 0 d-------- C:\WINDOWS\Registration
2008-04-14 22:57:15 0 d-------- C:\Program Files\Online Services
2008-04-14 22:57:07 0 d-------- C:\WINDOWS\Offline Web Pages
2008-04-14 22:57:07 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-14 22:56:56 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-14 22:56:53 0 d-------- C:\Program Files\Messenger
2008-04-14 22:56:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-14 22:56:11 0 d-------- C:\Program Files\Windows NT
2008-04-14 22:56:07 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-14 22:56:06 0 d-------- C:\WINDOWS\system32\Com
2008-04-14 01:01:21 0 d-------- C:\Program Files\Safari
2008-04-14 01:00:48 0 d-------- C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 01:00:32 0 d-------- C:\Program Files\iPod
2008-04-14 01:00:27 0 d-------- C:\Program Files\iTunes
2008-04-14 00:59:44 0 d-------- C:\Program Files\Common Files\Apple
2008-04-14 00:57:51 0 d-------- C:\Program Files\QuickTime
2008-04-14 00:57:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 00:55:39 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-14 00:54:29 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-04-14 00:52:26 0 d-------- C:\Program Files\McAfee.com
2008-04-14 00:52:22 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-14 00:52:17 0 d-------- C:\Program Files\McAfee
2008-04-14 00:48:10 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-14 00:46:51 0 d-------- C:\Documents and Settings\Jen\Application Data\Macromedia
2008-04-14 00:45:32 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-14 00:33:24 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-14 00:32:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-13 22:39:02 0 d--hs---- C:\WINDOWS\Installer
2008-04-13 22:39:01 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-13 22:38:58 0 dr------- C:\Program Files
2008-04-13 22:38:58 0 d-------- C:\Program Files\Common Files
2008-04-13 22:38:58 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-13 22:38:34 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-13 22:38:34 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-13 22:38:34 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-13 22:38:34 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-13 22:38:34 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-13 22:38:34 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-13 22:38:09 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-13 22:38:09 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-13 22:38:04 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-13 22:38:04 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-13 22:38:03 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-04-13 22:38:03 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-13 22:14:06 0 d--hs---- C:\System Volume Information
2008-04-13 22:14:06 0 d-------- C:\Documents and Settings
2008-04-13 22:05:53 0 d-------- C:\WINDOWS
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\WinSxS
2008-04-13 22:05:53 0 dr------- C:\WINDOWS\Web
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\twain_32
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\wins
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\wbem
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\usmt
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\spool
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\Setup
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\ras
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\oobe
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\npp
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\mui
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\IME
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\ias
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\export
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-13 22:05:53 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\config
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\3076
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\2052
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1054
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1042
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1041
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1037
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1033
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1031
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1028
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1025
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\security
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Resources
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\repair
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Provisioning
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\PeerNet
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\pchealth
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Network Diagnostic
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\mui
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\msapps
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\msagent
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Media
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\l2schemas
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\java
2008-04-13 22:05:53 0 d--h----- C:\WINDOWS\inf
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\ime
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Help
2008-04-13 22:05:53 0 dr--s---- C:\WINDOWS\Fonts
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\ehome
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Driver Cache
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Debug
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Cursors
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Config
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\AppPatch
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-04-13 22:38:34 62 --ahs---- C:\Documents and Settings\Jen\Application Data\desktop.ini
2008-03-19 04:40:27 1845888 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24cc779d-86cb-43e4-b656-2b7c1604fc4e}]
05/10/2008 09:24 PM 102464 --a------ C:\WINDOWS\system32\fqgmrbah.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/14/2007 10:06 AM]
"nwiz"="nwiz.exe" [12/14/2007 10:06 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/14/2007 10:06 AM]
"RTHDCPL"="RTHDCPL.EXE" [12/14/2007 10:07 AM C:\WINDOWS\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/03/2004 06:56 PM C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [12/14/2007 10:03 AM]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [12/14/2007 10:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 06:56 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [5/8/2008 1:07:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 7:01:04 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\geBtTLdb.dll [05/11/2008 09:10 AM 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtTLdb]
geBtTLdb.dll 05/11/2008 09:10 AM 45568 C:\WINDOWS\system32\geBtTLdb.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-05-11 09:15:51 ------------


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:54 AM

Posted 11 May 2008 - 04:38 PM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jacobean

jacobean
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:54 PM

Posted 11 May 2008 - 07:45 PM

Deckard's System Scanner v20071014.68
Run by Jen on 2008-05-11 19:40:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jen.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:50 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jen\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jen.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O20 - Winlogon Notify: wvUlihEX - C:\WINDOWS\SYSTEM32\wvUlihEX.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7553 bytes

-- Files created between 2008-04-11 and 2008-05-11 -----------------------------

2008-05-11 19:36:33 45568 --a------ C:\WINDOWS\system32\wvUlihEX.dll
2008-05-11 19:10:48 68096 --a------ C:\WINDOWS\zip.exe
2008-05-11 19:10:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-11 19:10:48 80412 --a------ C:\WINDOWS\grep.exe
2008-05-11 19:10:47 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-11 19:10:47 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-11 19:10:47 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-11 19:10:47 98816 --a------ C:\WINDOWS\sed.exe
2008-05-11 19:10:47 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-11 09:16:57 2112 --a------ C:\WINDOWS\system32\mxiciiju.exe
2008-05-10 23:53:15 2112 --a------ C:\WINDOWS\system32\kqpmbjsm.exe
2008-05-10 23:37:07 0 d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24:36 0 d-------- C:\Program Files\Trend Micro
2008-05-10 21:22:13 2112 --a------ C:\WINDOWS\system32\parvjhch.exe
2008-05-10 21:15:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 21:15:52 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 20:02:55 2112 --a------ C:\WINDOWS\system32\uitebrro.exe
2008-05-10 19:38:10 0 d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 17:55:16 0 d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 17:45:04 0 d-------- C:\WINDOWS\CSC
2008-05-10 17:31:03 0 d-------- C:\VundoFix Backups
2008-05-10 00:13:59 0 d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:13:04 0 d-------- C:\WINDOWS\Sun
2008-05-10 00:13:04 0 d-------- C:\Documents and Settings\Jen\Application Data\Sun
2008-05-10 00:12:05 0 d-------- C:\Program Files\Java
2008-05-10 00:11:43 0 d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05:49 0 d-------- C:\Program Files\Lavasoft
2008-05-10 00:05:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-10 00:05:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-09 22:50:43 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-05-09 22:50:13 0 d-------- C:\Program Files\The Rosetta Stone
2008-05-09 21:44:59 2112 --a------ C:\WINDOWS\system32\rjrpspsy.exe
2008-05-08 18:10:26 0 d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19:48 0 d-------- C:\Program Files\WinWay Resume
2008-05-08 17:07:11 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04:20 0 d-------- C:\WINDOWS\ShellNew
2008-05-08 13:07:12 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07:00 96256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-05-08 13:07:00 0 d-------- C:\Program Files\MagicDisc
2008-05-08 13:00:57 676224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27:26 0 d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:25:21 0 d-------- C:\Program Files\Intel
2008-04-15 00:24:55 0 d-------- C:\Program Files\Boot Camp
2008-04-15 00:24:33 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-15 00:23:43 0 d-------- C:\b6e08edce99366c883379f40db2e1f
2008-04-15 00:23:38 0 d-------- C:\Program Files\Motorola
2008-04-15 00:23:33 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-04-15 00:23:15 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23:07 0 d-------- C:\Program Files\Realtek
2008-04-15 00:23:06 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-04-15 00:23:06 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-15 00:23:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22:53 0 d-------- C:\Program Files\SigmaTel
2008-04-15 00:22:35 0 d-------- C:\WINDOWS\nview
2008-04-15 00:22:24 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2008-04-15 00:22:24 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-04-15 00:22:24 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-04-15 00:22:24 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-15 00:22:23 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-04-15 00:22:23 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-04-15 00:22:23 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-04-15 00:22:22 1474560 --a------ C:\WINDOWS\system32\nview.dll
2008-04-15 00:22:07 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:22:04 0 d-------- C:\Intel
2008-04-15 00:21:33 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21:33 0 d-------- C:\Program Files\DIFX
2008-04-15 00:21:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 23:06:17 0 d-------- C:\Documents and Settings\Jen\Application Data\Identities
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\Templates
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\Start Menu
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\SendTo
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\Recent
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\PrintHood
2008-04-14 23:06:07 1572864 --ah----- C:\Documents and Settings\Jen\NTUSER.DAT
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\NetHood
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\My Documents
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\Local Settings
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\Favorites
2008-04-14 23:06:07 0 d-------- C:\Documents and Settings\Jen\Desktop
2008-04-14 23:06:07 0 d--hs---- C:\Documents and Settings\Jen\Cookies
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\Application Data
2008-04-14 23:05:08 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-14 23:05:08 0 d-------- C:\WINDOWS\Prefetch
2008-04-14 23:05:06 237568 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-14 23:05:06 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-14 23:05:06 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-14 23:05:06 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-14 23:05:06 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-14 23:04:46 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-14 23:04:46 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-14 23:04:46 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-14 23:04:46 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-14 23:04:46 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-14 23:01:37 0 d-------- C:\WINDOWS\system32\xircom
2008-04-14 23:01:37 0 d-------- C:\Program Files\microsoft frontpage
2008-04-14 23:01:27 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-14 23:01:14 0 -rahs---- C:\MSDOS.SYS
2008-04-14 23:01:14 0 -rahs---- C:\IO.SYS
2008-04-14 23:01:14 0 --a------ C:\CONFIG.SYS
2008-04-14 23:01:14 0 --a------ C:\AUTOEXEC.BAT
2008-04-14 23:00:13 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-14 22:59:53 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-14 22:59:32 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-14 22:58:57 0 d---s---- C:\WINDOWS\Tasks
2008-04-14 22:58:56 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-14 22:58:52 0 d-------- C:\WINDOWS\srchasst
2008-04-14 22:58:42 0 d-------- C:\Program Files\Movie Maker
2008-04-14 22:58:33 0 d-------- C:\WINDOWS\system32\Restore
2008-04-14 22:57:44 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-14 22:57:24 0 d-------- C:\WINDOWS\Registration
2008-04-14 22:57:15 0 d-------- C:\Program Files\Online Services
2008-04-14 22:57:07 0 d-------- C:\WINDOWS\Offline Web Pages
2008-04-14 22:57:07 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-14 22:56:56 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-14 22:56:53 0 d-------- C:\Program Files\Messenger
2008-04-14 22:56:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-14 22:56:11 0 d-------- C:\Program Files\Windows NT
2008-04-14 22:56:07 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-14 22:56:06 0 d-------- C:\WINDOWS\system32\Com
2008-04-14 01:01:21 0 d-------- C:\Program Files\Safari
2008-04-14 01:00:48 0 d-------- C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 01:00:32 0 d-------- C:\Program Files\iPod
2008-04-14 01:00:27 0 d-------- C:\Program Files\iTunes
2008-04-14 00:59:44 0 d-------- C:\Program Files\Common Files\Apple
2008-04-14 00:57:51 0 d-------- C:\Program Files\QuickTime
2008-04-14 00:57:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 00:55:39 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-14 00:54:29 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-04-14 00:52:26 0 d-------- C:\Program Files\McAfee.com
2008-04-14 00:52:22 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-14 00:52:17 0 d-------- C:\Program Files\McAfee
2008-04-14 00:48:10 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-14 00:46:51 0 d-------- C:\Documents and Settings\Jen\Application Data\Macromedia
2008-04-14 00:45:32 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-14 00:33:24 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-14 00:32:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-13 22:39:02 0 d--hs---- C:\WINDOWS\Installer
2008-04-13 22:39:01 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-13 22:38:58 0 dr------- C:\Program Files
2008-04-13 22:38:58 0 d-------- C:\Program Files\Common Files
2008-04-13 22:38:58 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-13 22:38:34 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-13 22:38:34 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-13 22:38:34 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-13 22:38:34 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-13 22:38:34 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-13 22:38:34 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-13 22:38:09 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-13 22:38:09 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-13 22:38:04 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-13 22:38:04 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-13 22:38:03 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-04-13 22:38:03 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-13 22:14:06 0 d--hs---- C:\System Volume Information
2008-04-13 22:14:06 0 d-------- C:\Documents and Settings
2008-04-13 22:05:53 0 d-------- C:\WINDOWS
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\WinSxS
2008-04-13 22:05:53 0 dr------- C:\WINDOWS\Web
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\twain_32
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\wins
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\wbem
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\usmt
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\spool
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\Setup
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\ras
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\oobe
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\npp
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\mui
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\IME
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\ias
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\export
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-13 22:05:53 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\config
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\3076
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\2052
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1054
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1042
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1041
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1037
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1033
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1031
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1028
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1025
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\security
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Resources
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\repair
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Provisioning
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\PeerNet
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\pchealth
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Network Diagnostic
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\mui
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\msapps
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\msagent
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Media
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\l2schemas
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\java
2008-04-13 22:05:53 0 d--h----- C:\WINDOWS\inf
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\ime
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Help
2008-04-13 22:05:53 0 dr--s---- C:\WINDOWS\Fonts
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\ehome
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Driver Cache
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Debug
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Cursors
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Config
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\AppPatch
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-04-13 22:38:34 62 --ahs---- C:\Documents and Settings\Jen\Application Data\desktop.ini
2008-03-19 04:40:27 1845888 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/14/2007 10:06 AM]
"nwiz"="nwiz.exe" [12/14/2007 10:06 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/14/2007 10:06 AM]
"RTHDCPL"="RTHDCPL.EXE" [12/14/2007 10:07 AM C:\WINDOWS\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/03/2004 06:56 PM C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [12/14/2007 10:03 AM]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [12/14/2007 10:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 06:56 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [5/8/2008 1:07:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 7:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\wvUlihEX.dll [05/11/2008 07:36 PM 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlihEX]
wvUlihEX.dll 05/11/2008 07:36 PM 45568 C:\WINDOWS\system32\wvUlihEX.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-05-11 19:42:04 ------------



ComboFix 08-05-11.1 - Jen 2008-05-11 19:30:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1572 [GMT -5:00]
Running from: C:\Documents and Settings\Jen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jen\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ljJDWQhf.dll
C:\WINDOWS\system32\tuvVNHXr.dll
C:\WINDOWS\system32\vtUmJBUo.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-11 09:16 . 2008-05-11 09:16 2,112 --a------ C:\WINDOWS\system32\mxiciiju.exe
2008-05-10 23:53 . 2008-05-10 23:53 2,112 --a------ C:\WINDOWS\system32\kqpmbjsm.exe
2008-05-10 23:37 . 2008-05-10 23:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24 . 2008-05-10 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 22:16 . 2008-05-10 22:16 <DIR> d-------- C:\Deckard
2008-05-10 21:22 . 2008-05-10 21:22 2,112 --a------ C:\WINDOWS\system32\parvjhch.exe
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 20:02 . 2008-05-10 20:02 2,112 --a------ C:\WINDOWS\system32\uitebrro.exe
2008-05-10 19:38 . 2008-05-10 19:38 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-10 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 19:37 . 2008-05-10 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-10 19:37 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-10 18:01 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-10 17:55 . 2008-05-10 19:22 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 17:31 . 2008-05-10 17:31 <DIR> d-------- C:\VundoFix Backups
2008-05-10 00:13 . 2008-05-10 00:13 <DIR> d-------- C:\WINDOWS\Sun
2008-05-10 00:13 . 2008-05-10 17:43 <DIR> d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:12 . 2008-05-10 00:12 <DIR> d-------- C:\Program Files\Java
2008-05-10 00:12 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-10 00:11 . 2008-05-10 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 00:05 . 2008-05-10 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-09 22:50 . 2008-05-09 22:50 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-05-09 22:50 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-09 21:44 . 2008-05-09 21:44 2,112 --a------ C:\WINDOWS\system32\rjrpspsy.exe
2008-05-09 21:43 . 2008-05-10 22:43 109,812 --a------ C:\WINDOWS\BMc35c1f75.xml
2008-05-08 18:29 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-08 18:10 . 2008-05-08 18:16 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19 . 2008-05-08 17:19 <DIR> d-------- C:\Program Files\WinWay Resume
2008-05-08 17:18 . 2008-05-08 17:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-05-08 17:07 . 2008-05-08 17:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04 . 2008-05-08 17:07 <DIR> d-------- C:\WINDOWS\ShellNew
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a--c--- C:\WINDOWS\system32\dllcache\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a--c--- C:\WINDOWS\system32\dllcache\secupd.dat
2008-05-08 13:07 . 2008-05-09 21:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07 . 2008-05-08 13:07 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-08 13:07 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-08 13:03 . 2008-05-08 13:03 45,568 --a------ C:\WINDOWS\system32\ljJCSlLE.dll.vir
2008-05-08 13:00 . 2008-03-31 21:24 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27 . 2008-04-15 00:27 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:27 . 2008-04-15 00:27 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-15 00:27 . 2008-04-15 00:27 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-15 00:25 . 2008-04-15 00:25 <DIR> d-------- C:\Program Files\Intel
2008-04-15 00:24 . 2008-04-15 00:24 <DIR> d-------- C:\Program Files\Boot Camp
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Realtek
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Motorola
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22 . 2008-04-15 00:22 <DIR> d-------- C:\WINDOWS\nview
2008-04-15 00:22 . 2008-04-15 00:22 <DIR> d-------- C:\Program Files\SigmaTel
2008-04-15 00:22 . 2008-04-15 00:22 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:21 . 2008-04-15 00:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Program Files\DIFX
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-15 00:21 . 2007-12-14 10:04 1,296,800 --a------ C:\WINDOWS\system32\drivers\ar5416.sys
2008-04-15 00:21 . 2007-12-06 09:51 285,952 --a------ C:\WINDOWS\system32\drivers\yk51x86.sys
2008-04-15 00:21 . 2007-12-14 10:03 8,064 --a------ C:\WINDOWS\system32\drivers\applebt.sys
2008-04-15 00:20 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-14 23:06 . 2008-05-10 09:58 <DIR> d-------- C:\Documents and Settings\Jen
2008-04-14 23:06 . 2008-05-11 19:35 110,592 --ah----- C:\Documents and Settings\Jen\ntuser.dat.LOG
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-04-14 23:05 . 2008-05-11 19:35 36,864 --ah----- C:\Documents and Settings\LocalService\ntuser.dat.LOG
2008-04-14 23:04 . 2008-04-14 23:04 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-04-14 23:04 . 2008-05-11 19:35 28,672 --ah----- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
2008-04-14 23:04 . 2008-04-14 23:04 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-04-14 23:02 . 2001-08-23 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-14 23:00 . 2008-04-14 23:00 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\WindowsLogon.manifest
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-14 01:01 . 2008-05-10 23:39 <DIR> d-------- C:\Program Files\Safari
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iTunes
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iPod
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 01:00 . 2008-05-11 19:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 01:00 . 2008-04-14 01:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 00:59 . 2008-04-14 00:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-14 00:57 . 2008-04-14 00:58 <DIR> d-------- C:\Program Files\QuickTime
2008-04-14 00:57 . 2008-04-14 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 00:55 . 2008-04-14 00:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-14 00:55 . 2008-05-11 19:33 4,860 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-14 00:54 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-14 00:53 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-14 00:53 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-14 00:53 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-14 00:52 . 2008-04-14 00:52 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-14 00:52 . 2008-04-21 12:19 <DIR> d-------- C:\Program Files\McAfee
2008-04-14 00:52 . 2008-04-14 00:54 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-14 00:52 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-14 00:48 . 2008-04-14 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-14 00:45 . 2008-04-14 00:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-14 00:33 . 2008-04-14 00:35 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-14 00:32 . 2008-03-01 08:03 6,067,712 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-14 00:32 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-14 00:32 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-14 00:32 . 2008-03-01 08:03 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-14 00:32 . 2008-03-01 08:03 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-14 00:32 . 2008-03-01 08:03 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-14 00:32 . 2008-03-01 08:03 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-14 00:32 . 2008-03-01 08:03 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-14 00:32 . 2008-02-22 04:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 05:24 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-15 05:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-15 03:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-01 01:53 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
2008-04-01 01:53 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
2008-04-01 01:52 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
2008-04-01 01:52 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
2008-04-01 01:44 964,608 ----a-w C:\WINDOWS\system32\mfc70u.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:03 827,392 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-11_19.22.06.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 00:19:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 00:35:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-14 10:06 8527872]
"nwiz"="nwiz.exe" [2007-12-14 10:06 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-14 10:06 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-14 10:07 16855552 C:\WINDOWS\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-12-14 10:03 147456]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-12-14 10:27 419120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-08 13:07:00 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\wvUlihEX.dll [2008-05-11 19:36 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlihEX]
wvUlihEX.dll 2008-05-11 19:36 45568 C:\WINDOWS\system32\wvUlihEX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-12-14 10:26]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-12-14 10:26]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-12-14 10:03]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-12-14 10:03]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-12-14 10:03]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-12-14 10:03]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-12-14 10:03]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-12-14 10:03]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-12-14 10:03]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-12-14 10:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 04:37:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 05:52:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-14 05:52:40 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 19:35:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wvUlihEX.dll 45568 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\wvUlihEX.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-11 19:38:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 00:37:56
ComboFix2.txt 2008-05-12 00:22:47

Pre-Run: 22,988,189,696 bytes free
Post-Run: 22,977,830,912 bytes free

254 --- E O F --- 2008-05-08 22:24:04

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:54 AM

Posted 12 May 2008 - 01:40 AM

Hi,

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

The first step required before you run Combofix is to install the Recovery Console, as I already asked in my previous post.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\wvUlihEX.dll
C:\WINDOWS\system32\mxiciiju.exe
C:\WINDOWS\system32\kqpmbjsm.exe
C:\WINDOWS\system32\parvjhch.exe
C:\WINDOWS\system32\uitebrro.exe
C:\WINDOWS\system32\rjrpspsy.exe
C:\WINDOWS\BMc35c1f75.xml
Folder::
C:\VundoFix Backups
Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlihEX]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
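As an added example (not part of this thread, of ComboFix, or of the helper's instructions), here is a small Python triage script for the "Reg Loading Points" section that the CFScript above targets. It flags modules with random-looking names in the loading points this Vundo variant hooks (ShellExecuteHooks, Winlogon Notify, Browser Helper Objects, LSA Authentication Packages) and diffs two logs, which is how the re-dropped ssqNEwTL / khfEUoME entries in the next post would show up. The sample log lines are constructed from the two ComboFix logs in this thread; the 8-letter-name and hex-value-name rules are this example's own heuristics, not anything the tools implement.

```python
"""Triage the "Reg Loading Points" section of a ComboFix / DSS log.
Added example for this thread, not ComboFix's or the helper's own code; the
sample lines are constructed from the two logs above and the rules are mine."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Loading points (matched as lowercase substrings of the key) that ordinary
# software rarely needs and that this Vundo variant hooks.
SENSITIVE_KEYS = ("shellexecutehooks", r"winlogon\notify",
                  "browser helper objects", r"control\lsa")
KEY_RE = re.compile(r"^\[(.+)\]$")
# Drive-letter path up to whitespace, quote or bracket; extension optional
# because LSA "Authentication Packages" lists modules without .dll.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\[\]]+')
VALUE_NAME_RE = re.compile(r'^"([^"]+)"=')
# "[date time size]" follows each value; "[ ]" means ComboFix could not stat
# the file (already deleted, or hidden from it).
EMPTY_META_RE = re.compile(r"\[\s*\]")
# Value names like c06f2ce9 / BMc35c1f75: up to two letters then 8 hex digits.
HEX_NAME_RE = re.compile(r"[A-Za-z]{0,2}[0-9a-fA-F]{8}")

@dataclass(frozen=True)
class Finding:
    key: str
    module: str                 # file name as printed, e.g. wvUlihEX.dll
    reasons: Tuple[str, ...]

def looks_random(name: str) -> bool:
    """The dropped modules in this thread are exactly 8 random letters."""
    return len(name) == 8 and name.isalpha()

def parse_loading_points(log: str) -> List[Finding]:
    """One Finding per module referenced under a registry key, with reasons."""
    findings: List[Finding] = []
    key = ""
    for line in (ln.strip() for ln in log.splitlines() if ln.strip()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        vm = VALUE_NAME_RE.match(line)
        for path in PATH_RE.findall(line):
            module = path.rsplit("\\", 1)[-1]
            reasons = []
            if any(s in key.lower() for s in SENSITIVE_KEYS):
                reasons.append("sensitive loading point")
            if looks_random(module.rsplit(".", 1)[0]):
                reasons.append("random 8-letter module name")
            if EMPTY_META_RE.search(line):
                reasons.append("no file metadata (missing or hidden file)")
            if vm and HEX_NAME_RE.fullmatch(vm.group(1)):
                reasons.append("hex-looking value name")
            findings.append(Finding(key, module, tuple(reasons)))
    return findings

def flagged(log: str) -> List[Finding]:
    # A random-looking name alone is too weak (bthprops.cpl is 8 letters);
    # require at least one more indicator.
    return [f for f in parse_loading_points(log)
            if "random 8-letter module name" in f.reasons and len(f.reasons) >= 2]

def ident(f: Finding) -> Tuple[str, str]:
    return (f.key.lower(), f.module.rsplit(".", 1)[0].lower())

def new_findings(before: str, after: str) -> List[Finding]:
    """Flagged entries in `after` whose (key, module) was not flagged in `before`."""
    seen = {ident(f) for f in flagged(before)}
    return [f for f in flagged(after) if ident(f) not in seen]

# Constructed from the first ComboFix log in this thread (before the CFScript).
BEFORE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\wvUlihEX.dll [2008-05-11 19:36 45568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlihEX]
wvUlihEX.dll 2008-05-11 19:36 45568 C:\WINDOWS\system32\wvUlihEX.dll
"""

# Constructed from the second log: the same hooks re-created under new names.
AFTER_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9660E15-7B91-448B-A980-D14765DC8183}]
2008-05-12 02:20 276992 --a------ C:\WINDOWS\system32\khfEUoME.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"c06f2ce9"="C:\WINDOWS\system32\pngswsel.dll" [ ]
"BMc35c1f75"="C:\WINDOWS\system32\yqbdmwpj.dll" [2008-05-12 02:21 98368]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\ssqNEwTL.dll [2008-05-12 02:18 45568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNEwTL]
ssqNEwTL.dll 2008-05-12 02:18 45568 C:\WINDOWS\system32\ssqNEwTL.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\khfEUoME
"""

if __name__ == "__main__":
    for f in new_findings(BEFORE_LOG, AFTER_LOG):
        print(f"NEW  {f.module:<14} {', '.join(f.reasons)}\n     under {f.key}")
```

Run it directly to print the entries that appeared between the two logs. A genuine autostart with an 8-letter name (bthprops.cpl) is not reported because the name alone never counts; it needs a sensitive key, missing file metadata, or a hex-style value name alongside it, which is exactly the combination the dropped modules in this thread show.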

#5 jacobean

jacobean
  • Topic Starter

  • Members
  • 17 posts
  • Local time:08:54 PM

Posted 12 May 2008 - 02:32 AM

ComboFix 08-05-11.1 - Jen 2008-05-12 2:06:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535 [GMT -5:00]
Running from: C:\Documents and Settings\Jen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jen\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMc35c1f75.xml
C:\WINDOWS\system32\kqpmbjsm.exe
C:\WINDOWS\system32\mxiciiju.exe
C:\WINDOWS\system32\parvjhch.exe
C:\WINDOWS\system32\rjrpspsy.exe
C:\WINDOWS\system32\uitebrro.exe
C:\WINDOWS\system32\wvUlihEX.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\BMc35c1f75.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\iqdousba.dll
C:\WINDOWS\system32\khfGxwww.dll
C:\WINDOWS\system32\kqpmbjsm.exe
C:\WINDOWS\system32\leswsgnp.ini
C:\WINDOWS\system32\mxiciiju.exe
C:\WINDOWS\system32\parvjhch.exe
C:\WINDOWS\system32\pgdpogms.dll
C:\WINDOWS\system32\pngswsel.dll
C:\WINDOWS\system32\rjrpspsy.exe
C:\WINDOWS\system32\uitebrro.exe
C:\WINDOWS\system32\urqPjKde.dll
C:\WINDOWS\system32\wvUlihEX.dll
C:\WINDOWS\system32\wwwxGfhk.ini
C:\WINDOWS\system32\wwwxGfhk.ini2
C:\WINDOWS\system32\yayvSiJB.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 02:20 . 2008-05-12 02:20 276,992 --a------ C:\WINDOWS\system32\khfEUoME.dll
2008-05-12 02:20 . 2008-05-12 02:20 345 --ahs---- C:\WINDOWS\system32\EMoUEfhk.ini2
2008-05-12 02:20 . 2008-05-12 02:20 345 --ahs---- C:\WINDOWS\system32\EMoUEfhk.ini
2008-05-12 02:18 . 2008-05-12 02:18 45,568 --a------ C:\WINDOWS\system32\ssqNEwTL.dll
2008-05-12 01:54 . 2007-12-14 10:06 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-05-12 01:52 . 2007-12-14 10:06 157,663 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-11 19:44 . 2008-05-11 19:44 2,112 --a------ C:\WINDOWS\system32\pneejnlt.exe
2008-05-10 23:37 . 2008-05-10 23:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24 . 2008-05-10 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 22:16 . 2008-05-10 22:16 <DIR> d-------- C:\Deckard
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 19:38 . 2008-05-10 19:38 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-10 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 19:37 . 2008-05-10 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-10 19:37 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-10 18:01 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-10 17:55 . 2008-05-10 19:22 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 00:13 . 2008-05-10 00:13 <DIR> d-------- C:\WINDOWS\Sun
2008-05-10 00:13 . 2008-05-10 17:43 <DIR> d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:12 . 2008-05-10 00:12 <DIR> d-------- C:\Program Files\Java
2008-05-10 00:12 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-10 00:11 . 2008-05-10 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 00:05 . 2008-05-10 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-09 22:50 . 2008-05-09 22:50 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-05-09 22:50 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-08 18:29 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-08 18:10 . 2008-05-08 18:16 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19 . 2008-05-08 17:19 <DIR> d-------- C:\Program Files\WinWay Resume
2008-05-08 17:18 . 2008-05-08 17:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-05-08 17:07 . 2008-05-08 17:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04 . 2008-05-08 17:07 <DIR> d-------- C:\WINDOWS\ShellNew
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a--c--- C:\WINDOWS\system32\dllcache\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a--c--- C:\WINDOWS\system32\dllcache\secupd.dat
2008-05-08 13:07 . 2008-05-09 21:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07 . 2008-05-08 13:07 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-08 13:07 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-08 13:03 . 2008-05-08 13:03 45,568 --a------ C:\WINDOWS\system32\ljJCSlLE.dll.vir
2008-05-08 13:00 . 2008-03-31 21:24 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27 . 2008-04-15 00:27 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:27 . 2008-04-15 00:27 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-15 00:27 . 2008-04-15 00:27 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-15 00:25 . 2008-04-15 00:25 <DIR> d-------- C:\Program Files\Intel
2008-04-15 00:24 . 2008-04-15 00:24 <DIR> d-------- C:\Program Files\Boot Camp
2008-04-15 00:23 . 2008-05-12 01:54 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Realtek
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Motorola
2008-04-15 00:23 . 2008-05-12 01:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22 . 2008-05-12 01:59 <DIR> d-------- C:\WINDOWS\nview
2008-04-15 00:22 . 2008-04-15 00:22 <DIR> d-------- C:\Program Files\SigmaTel
2008-04-15 00:22 . 2008-05-12 01:50 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:21 . 2008-04-15 00:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Program Files\DIFX
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-15 00:21 . 2007-12-14 10:04 1,296,800 --a------ C:\WINDOWS\system32\drivers\ar5416.sys
2008-04-15 00:21 . 2007-12-06 09:51 285,952 --a------ C:\WINDOWS\system32\drivers\yk51x86.sys
2008-04-15 00:21 . 2007-12-14 10:03 8,064 --a------ C:\WINDOWS\system32\drivers\applebt.sys
2008-04-15 00:20 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-14 23:06 . 2008-05-10 09:58 <DIR> d-------- C:\Documents and Settings\Jen
2008-04-14 23:06 . 2008-05-12 02:20 1,024 --ah----- C:\Documents and Settings\Jen\ntuser.dat.LOG
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-04-14 23:05 . 2008-05-12 02:19 1,024 --ah----- C:\Documents and Settings\LocalService\ntuser.dat.LOG
2008-04-14 23:04 . 2008-04-14 23:04 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-04-14 23:04 . 2008-04-14 23:04 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-04-14 23:04 . 2008-05-12 02:19 1,024 --ah----- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
2008-04-14 23:02 . 2001-08-23 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-14 23:00 . 2008-04-14 23:00 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\WindowsLogon.manifest
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-14 01:01 . 2008-05-10 23:39 <DIR> d-------- C:\Program Files\Safari
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iTunes
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iPod
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 01:00 . 2008-05-12 02:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 01:00 . 2008-04-14 01:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 00:59 . 2008-04-14 00:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-14 00:57 . 2008-04-14 00:58 <DIR> d-------- C:\Program Files\QuickTime
2008-04-14 00:57 . 2008-04-14 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 00:55 . 2008-04-14 00:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-14 00:55 . 2008-05-12 02:15 5,178 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-14 00:54 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-14 00:53 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-14 00:53 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-14 00:53 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-14 00:52 . 2008-04-14 00:52 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-14 00:52 . 2008-04-21 12:19 <DIR> d-------- C:\Program Files\McAfee
2008-04-14 00:52 . 2008-04-14 00:54 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-14 00:52 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-14 00:48 . 2008-04-14 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-14 00:45 . 2008-04-14 00:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-14 00:33 . 2008-04-14 00:35 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-14 00:32 . 2008-03-01 08:03 6,067,712 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-14 00:32 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-14 00:32 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-14 00:32 . 2008-03-01 08:03 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-14 00:32 . 2008-03-01 08:03 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-14 00:32 . 2008-03-01 08:03 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-14 00:32 . 2008-03-01 08:03 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-14 00:32 . 2008-03-01 08:03 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-14 00:32 . 2008-02-22 04:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 05:24 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-15 05:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-15 03:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-01 01:53 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
2008-04-01 01:53 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
2008-04-01 01:52 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
2008-04-01 01:52 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
2008-04-01 01:44 964,608 ----a-w C:\WINDOWS\system32\mfc70u.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:03 827,392 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-11_19.22.06.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 00:19:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 07:14:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2001-07-14 22:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2004-08-04 05:56:50 193,024 -c--a-w C:\WINDOWS\system32\dllcache\fsquirt.exe
- 2004-08-03 23:56:50 193,024 ----a-w C:\WINDOWS\system32\fsquirt.exe
+ 2004-08-04 05:56:50 193,024 ----a-w C:\WINDOWS\system32\fsquirt.exe
- 2007-09-20 04:33:18 36,864 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hidclass.sys
+ 2006-10-31 17:26:12 36,864 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hidclass.sys
- 2004-08-03 22:08:18 24,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hidparse.sys
+ 2004-08-04 04:08:18 24,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hidparse.sys
- 2001-08-23 12:00:00 9,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hidusb.sys
+ 2001-08-17 19:02:20 9,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\hidusb.sys
+ 2007-12-14 15:03:25 20,480 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\KeyMagic.sys
+ 2007-12-14 15:03:55 1,419,232 ----a-w C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\WdfCoInstaller01005.dll
+ 2007-12-14 15:03:11 8,064 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\applebt.sys
+ 2004-08-04 04:10:38 274,304 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\bthport.sys
+ 2004-08-04 04:10:36 18,944 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\BTHUSB.SYS
+ 2004-08-03 23:56:50 193,024 ----a-w C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\fsquirt.exe
+ 2007-09-20 04:55:57 20,992 ----a-w C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\hid.dll
+ 2006-10-31 17:26:12 36,864 ----a-w C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\hidclass.sys
+ 2004-08-04 04:08:18 24,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\hidparse.sys
+ 2001-08-17 19:02:20 9,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\hidusb.sys
+ 2007-12-14 15:03:25 20,480 ----a-w C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\KeyMagic.sys
+ 2007-12-14 15:03:55 1,419,232 ----a-w C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\WdfCoInstaller01005.dll
+ 2007-12-14 15:03:55 35,072 ----a-w C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\aapltp.sys
+ 2007-09-20 04:55:57 20,992 ----a-w C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\hid.dll
+ 2006-10-31 17:26:12 36,864 ----a-w C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\hidclass.sys
+ 2004-08-04 04:08:18 24,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\hidparse.sys
+ 2001-08-17 19:02:20 9,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\hidusb.sys
+ 2007-12-14 15:03:55 1,419,232 ----a-w C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\WdfCoInstaller01005.dll
+ 2007-12-14 15:03:55 4,224 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\aapltctp.sys
+ 2004-08-04 03:58:34 23,040 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\mouclass.sys
+ 2001-08-17 18:48:00 12,160 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\mouhid.sys
+ 2007-12-14 15:04:04 1,296,800 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\ar5416.sys
+ 2007-12-14 15:06:32 5,770,752 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nv4_disp.dll
+ 2007-12-14 15:06:33 7,432,384 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nv4_mini.sys
+ 2007-12-14 15:06:33 389,120 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvapi.dll
+ 2007-12-14 15:06:33 35,328 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvcod.dll
+ 2007-12-14 15:06:34 8,527,872 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvcpl.dll
+ 2007-12-14 15:06:37 6,541,312 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvdisps.dll
+ 2007-12-14 15:06:37 5,611,520 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvdispsr.dll
+ 2007-12-14 15:06:39 3,407,872 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvgames.dll
+ 2007-12-14 15:06:39 3,330,048 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvgamesr.dll
+ 2007-12-14 15:06:39 229,376 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvmccs.dll
+ 2007-12-14 15:06:39 188,416 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvmccss.dll
+ 2007-12-14 15:06:39 458,752 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvmccssr.dll
+ 2007-12-14 15:06:39 81,920 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvmctray.dll
+ 2007-12-14 15:06:40 1,212,416 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvmobls.dll
+ 2007-12-14 15:06:40 2,854,912 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvmoblsr.dll
+ 2007-12-14 15:06:40 286,720 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvnt4cpl.dll
+ 2007-12-14 15:06:40 6,901,760 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvoglnt.dll
+ 2007-12-14 15:06:41 155,716 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvsvc32.exe
+ 2007-12-14 15:06:41 3,698,688 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvvitvs.dll
+ 2007-12-14 15:06:42 3,715,072 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvvitvsr.dll
+ 2007-12-14 15:06:43 81,920 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvwddi.dll
+ 2007-12-14 15:06:43 2,486,272 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvwss.dll
+ 2007-12-14 15:06:43 2,519,040 ----a-w C:\WINDOWS\system32\ReinstallBackups\0020\DriverFiles\nvwssr.dll
+ 2004-08-04 04:08:00 60,288 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\i386\drmk.sys
+ 2004-08-04 04:15:22 140,928 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\i386\ks.sys
+ 2004-08-04 05:56:44 4,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\i386\ksuser.dll
+ 2006-07-12 20:50:00 146,048 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\i386\portcls.sys
+ 2005-11-05 07:55:10 48,768 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\i386\stream.sys
+ 2004-08-04 05:56:58 23,552 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\i386\wdmaud.drv
+ 2007-12-14 15:07:00 2,165,760 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\MicCal.exe
+ 2007-12-14 15:07:01 262,144 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\RTCOMDLL.dll
+ 2007-12-14 15:07:02 16,855,552 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\RTHDCPL.EXE
+ 2007-12-14 15:07:03 4,625,408 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\RtkHDAud.sys
+ 2007-12-14 15:07:04 131,072 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\RTLCPAPI.dll
+ 2007-12-14 15:07:05 1,191,936 ----a-w C:\WINDOWS\system32\ReinstallBackups\0021\DriverFiles\RtlUpd.exe
+ 2007-09-20 04:55:57 20,992 ----a-w C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\i386\hid.dll
+ 2006-10-31 17:26:12 36,864 ----a-w C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\i386\hidclass.sys
+ 2004-08-04 04:08:18 24,960 ----a-w C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\i386\hidparse.sys
+ 2001-08-17 19:02:20 9,600 ----a-w C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\i386\hidusb.sys
+ 2007-12-14 15:03:42 16,512 ----a-w C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\IRFilter.sys
+ 2007-12-14 15:03:42 147,456 ----a-w C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\IRW.exe
+ 2007-12-14 15:03:55 1,419,232 ----a-w C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\WdfCoInstaller01005.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54E0FEE9-D538-47BD-92D8-274C8F8CF720}]
C:\WINDOWS\system32\khfGxwww.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9660E15-7B91-448B-A980-D14765DC8183}]
2008-05-12 02:20 276992 --a------ C:\WINDOWS\system32\khfEUoME.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fa20d358-392d-4617-9e8d-dbab436ca808}]
C:\WINDOWS\system32\pgdpogms.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-14 10:06 8527872]
"nwiz"="nwiz.exe" [2007-12-14 10:06 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-12-14 10:03 147456]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-12-14 10:27 419120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"c06f2ce9"="C:\WINDOWS\system32\pngswsel.dll" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-14 10:06 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-14 10:07 16855552 C:\WINDOWS\RTHDCPL.exe]
"combofix"="C:\WINDOWS\system32\CF1754.exe" [2004-08-03 18:56 388608]
"BMc35c1f75"="C:\WINDOWS\system32\yqbdmwpj.dll" [2008-05-12 02:21 98368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-08 13:07:00 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\ssqNEwTL.dll [2008-05-12 02:18 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNEwTL]
ssqNEwTL.dll 2008-05-12 02:18 45568 C:\WINDOWS\system32\ssqNEwTL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlihEX]
wvUlihEX.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\khfEUoME

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-12-14 10:26]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-12-14 10:26]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-12-14 10:03]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-12-14 10:03]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-12-14 10:03]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-12-14 10:03]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-12-14 10:03]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-12-14 10:03]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-12-14 10:03]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-12-14 10:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 04:37:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 05:52:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-14 05:52:40 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 02:19:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\EMoUEfhk.ini 345 bytes
C:\WINDOWS\system32\EMoUEfhk.ini2 345 bytes
C:\WINDOWS\system32\khfEUoME.dll 276992 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqNEwTL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-12 2:22:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 07:22:40
ComboFix2.txt 2008-05-12 00:38:07
ComboFix3.txt 2008-05-12 00:22:47

Pre-Run: 22,485,827,584 bytes free
Post-Run: 22,495,608,832 bytes free

370 --- E O F --- 2008-05-08 22:24:04




Deckard's System Scanner v20071014.68
Run by Jen on 2008-05-12 02:27:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jen.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:07 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jen\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jen.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {430E009A-5E13-4084-8A25-2B9A5BECCF19} - C:\WINDOWS\system32\khfEUoME.dll
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - C:\WINDOWS\system32\ssqNEwTL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [c06f2ce9] rundll32.exe "C:\WINDOWS\system32\iyrdabaq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O20 - Winlogon Notify: ssqNEwTL - C:\WINDOWS\SYSTEM32\ssqNEwTL.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7936 bytes

-- Files created between 2008-04-12 and 2008-05-12 -----------------------------

2008-05-12 02:27:37 45568 --a------ C:\WINDOWS\system32\opnNDSLD.dll
2008-05-12 02:27:27 91712 --a------ C:\WINDOWS\system32\iyrdabaq.dll
2008-05-12 02:21:12 98368 --a------ C:\WINDOWS\system32\yqbdmwpj.dll
2008-05-12 02:20:09 1035388 --ahs---- C:\WINDOWS\system32\EMoUEfhk.ini2
2008-05-12 02:20:00 276992 --a------ C:\WINDOWS\system32\khfEUoME.dll
2008-05-12 02:18:58 45568 --a------ C:\WINDOWS\system32\ssqNEwTL.dll
2008-05-12 01:56:51 0 dr-hs---- C:\cmdcons
2008-05-12 01:56:49 0 d-------- C:\WINDOWS\setup.pss
2008-05-12 01:56:37 0 d-------- C:\WINDOWS\setupupd
2008-05-11 19:44:27 2112 --a------ C:\WINDOWS\system32\pneejnlt.exe
2008-05-11 19:10:48 68096 --a------ C:\WINDOWS\zip.exe
2008-05-11 19:10:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-11 19:10:48 80412 --a------ C:\WINDOWS\grep.exe
2008-05-11 19:10:47 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-11 19:10:47 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-11 19:10:47 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-11 19:10:47 98816 --a------ C:\WINDOWS\sed.exe
2008-05-11 19:10:47 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-10 23:37:07 0 d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24:36 0 d-------- C:\Program Files\Trend Micro
2008-05-10 21:15:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 21:15:52 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 19:38:10 0 d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 17:55:16 0 d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 17:45:04 0 d-------- C:\WINDOWS\CSC
2008-05-10 00:13:59 0 d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:13:04 0 d-------- C:\WINDOWS\Sun
2008-05-10 00:13:04 0 d-------- C:\Documents and Settings\Jen\Application Data\Sun
2008-05-10 00:12:05 0 d-------- C:\Program Files\Java
2008-05-10 00:11:43 0 d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05:49 0 d-------- C:\Program Files\Lavasoft
2008-05-10 00:05:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-10 00:05:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-09 22:50:43 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-05-09 22:50:13 0 d-------- C:\Program Files\The Rosetta Stone
2008-05-08 18:10:26 0 d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19:48 0 d-------- C:\Program Files\WinWay Resume
2008-05-08 17:07:11 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04:20 0 d-------- C:\WINDOWS\ShellNew
2008-05-08 13:07:12 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07:00 96256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-05-08 13:07:00 0 d-------- C:\Program Files\MagicDisc
2008-05-08 13:00:57 676224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27:26 0 d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:25:21 0 d-------- C:\Program Files\Intel
2008-04-15 00:24:55 0 d-------- C:\Program Files\Boot Camp
2008-04-15 00:24:33 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-15 00:23:43 0 d-------- C:\b6e08edce99366c883379f40db2e1f
2008-04-15 00:23:38 0 d-------- C:\Program Files\Motorola
2008-04-15 00:23:33 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-04-15 00:23:15 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23:07 0 d-------- C:\Program Files\Realtek
2008-04-15 00:23:06 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-04-15 00:23:06 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-15 00:23:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22:53 0 d-------- C:\Program Files\SigmaTel
2008-04-15 00:22:35 0 d-------- C:\WINDOWS\nview
2008-04-15 00:22:24 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2008-04-15 00:22:24 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-04-15 00:22:24 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-04-15 00:22:24 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-15 00:22:23 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-04-15 00:22:23 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-04-15 00:22:23 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-04-15 00:22:22 1474560 --a------ C:\WINDOWS\system32\nview.dll
2008-04-15 00:22:07 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:22:04 0 d-------- C:\Intel
2008-04-15 00:21:33 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21:33 0 d-------- C:\Program Files\DIFX
2008-04-15 00:21:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 23:06:17 0 d-------- C:\Documents and Settings\Jen\Application Data\Identities
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\Templates
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\Start Menu
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\SendTo
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\Recent
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\PrintHood
2008-04-14 23:06:07 1572864 --ah----- C:\Documents and Settings\Jen\NTUSER.DAT
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\NetHood
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\My Documents
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\Local Settings
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\Favorites
2008-04-14 23:06:07 0 d-------- C:\Documents and Settings\Jen\Desktop
2008-04-14 23:06:07 0 d--hs---- C:\Documents and Settings\Jen\Cookies
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\Application Data
2008-04-14 23:05:08 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-14 23:05:08 0 d-------- C:\WINDOWS\Prefetch
2008-04-14 23:05:06 237568 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-14 23:05:06 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-14 23:05:06 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-14 23:05:06 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-14 23:05:06 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-14 23:04:46 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-14 23:04:46 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-14 23:04:46 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-14 23:04:46 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-14 23:04:46 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-14 23:01:37 0 d-------- C:\WINDOWS\system32\xircom
2008-04-14 23:01:37 0 d-------- C:\Program Files\microsoft frontpage
2008-04-14 23:01:27 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-14 23:01:14 0 -rahs---- C:\MSDOS.SYS
2008-04-14 23:01:14 0 -rahs---- C:\IO.SYS
2008-04-14 23:01:14 0 --a------ C:\CONFIG.SYS
2008-04-14 23:01:14 0 --a------ C:\AUTOEXEC.BAT
2008-04-14 23:00:13 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-14 22:59:53 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-14 22:59:32 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-14 22:58:57 0 d---s---- C:\WINDOWS\Tasks
2008-04-14 22:58:56 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-14 22:58:52 0 d-------- C:\WINDOWS\srchasst
2008-04-14 22:58:42 0 d-------- C:\Program Files\Movie Maker
2008-04-14 22:58:33 0 d-------- C:\WINDOWS\system32\Restore
2008-04-14 22:57:44 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-14 22:57:24 0 d-------- C:\WINDOWS\Registration
2008-04-14 22:57:15 0 d-------- C:\Program Files\Online Services
2008-04-14 22:57:07 0 d-------- C:\WINDOWS\Offline Web Pages
2008-04-14 22:57:07 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-14 22:56:56 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-14 22:56:53 0 d-------- C:\Program Files\Messenger
2008-04-14 22:56:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-14 22:56:11 0 d-------- C:\Program Files\Windows NT
2008-04-14 22:56:07 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-14 22:56:06 0 d-------- C:\WINDOWS\system32\Com
2008-04-14 01:01:21 0 d-------- C:\Program Files\Safari
2008-04-14 01:00:48 0 d-------- C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 01:00:32 0 d-------- C:\Program Files\iPod
2008-04-14 01:00:27 0 d-------- C:\Program Files\iTunes
2008-04-14 00:59:44 0 d-------- C:\Program Files\Common Files\Apple
2008-04-14 00:57:51 0 d-------- C:\Program Files\QuickTime
2008-04-14 00:57:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 00:55:39 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-14 00:54:29 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-04-14 00:52:26 0 d-------- C:\Program Files\McAfee.com
2008-04-14 00:52:22 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-14 00:52:17 0 d-------- C:\Program Files\McAfee
2008-04-14 00:48:10 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-14 00:46:51 0 d-------- C:\Documents and Settings\Jen\Application Data\Macromedia
2008-04-14 00:45:32 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-14 00:33:24 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-14 00:32:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-13 22:39:02 0 d--hs---- C:\WINDOWS\Installer
2008-04-13 22:39:01 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-13 22:38:58 0 dr------- C:\Program Files
2008-04-13 22:38:58 0 d-------- C:\Program Files\Common Files
2008-04-13 22:38:58 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-13 22:38:34 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-13 22:38:34 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-13 22:38:34 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-13 22:38:34 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-04-13 22:38:34 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-13 22:38:34 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-13 22:38:34 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-13 22:38:34 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-13 22:38:09 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-13 22:38:09 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-13 22:38:04 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-13 22:38:04 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-13 22:38:03 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-04-13 22:38:03 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-13 22:14:06 0 d--hs---- C:\System Volume Information
2008-04-13 22:14:06 0 d-------- C:\Documents and Settings
2008-04-13 22:05:53 0 d-------- C:\WINDOWS
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\WinSxS
2008-04-13 22:05:53 0 dr------- C:\WINDOWS\Web
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\twain_32
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\wins
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\wbem
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\usmt
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\spool
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\Setup
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\ras
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\oobe
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\npp
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\mui
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\IME
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\ias
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\export
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-13 22:05:53 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\config
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\3076
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\2052
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1054
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1042
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1041
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1037
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1033
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1031
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1028
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system32\1025
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\system
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\security
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Resources
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\repair
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Provisioning
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\PeerNet
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\pchealth
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Network Diagnostic
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\mui
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\msapps
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\msagent
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Media
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\l2schemas
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\java
2008-04-13 22:05:53 0 d--h----- C:\WINDOWS\inf
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\ime
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Help
2008-04-13 22:05:53 0 dr--s---- C:\WINDOWS\Fonts
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\ehome
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Driver Cache
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Debug
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Cursors
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\Config
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\AppPatch
2008-04-13 22:05:53 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-04-13 22:38:34 62 --ahs---- C:\Documents and Settings\Jen\Application Data\desktop.ini
2008-03-19 04:40:27 1845888 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{430E009A-5E13-4084-8A25-2B9A5BECCF19}]
05/12/2008 02:20 AM 276992 --a------ C:\WINDOWS\system32\khfEUoME.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}]
05/12/2008 02:18 AM 45568 --a------ C:\WINDOWS\system32\ssqNEwTL.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/14/2007 10:06 AM]
"nwiz"="nwiz.exe" [12/14/2007 10:06 AM C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/03/2004 06:56 PM C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [12/14/2007 10:03 AM]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [12/14/2007 10:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/14/2007 10:06 AM]
"RTHDCPL"="RTHDCPL.EXE" [12/14/2007 10:07 AM C:\WINDOWS\RTHDCPL.exe]
"c06f2ce9"="C:\WINDOWS\system32\iyrdabaq.dll" [05/12/2008 02:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 06:56 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [5/8/2008 1:07:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 7:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\ssqNEwTL.dll [05/12/2008 02:18 AM 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNEwTL]
ssqNEwTL.dll 05/12/2008 02:18 AM 45568 C:\WINDOWS\system32\ssqNEwTL.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfEUoME

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-05-12 02:29:55 ------------

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 May 2008 - 02:43 AM

Hi,

You still didn't install the Recovery Console. Any reason why? What will you do if the malware blocks your computer during the removal attempt so you cannot boot anymore? That's why the Recovery Console is really needed.
So please install it first!! If you're having problems with it, please let me know.

Then, * Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\yqbdmwpj.dll
C:\WINDOWS\system32\khfEUoME.dll
C:\WINDOWS\system32\khfGxwww.dll
C:\WINDOWS\system32\ssqNEwTL.dll
C:\WINDOWS\system32\EMoUEfhk.ini2
C:\WINDOWS\system32\EMoUEfhk.ini
C:\WINDOWS\system32\pneejnlt.exe
C:\WINDOWS\system32\opnNDSLD.dll
C:\WINDOWS\system32\iyrdabaq.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54E0FEE9-D538-47BD-92D8-274C8F8CF720}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9660E15-7B91-448B-A980-D14765DC8183}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fa20d358-392d-4617-9e8d-dbab436ca808}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c06f2ce9"=-
"BMc35c1f75"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNEwTL]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlihEX]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by miekiemoes, 12 May 2008 - 02:46 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 jacobean

jacobean
  • Topic Starter

  • Members
  • 17 posts

Posted 12 May 2008 - 10:43 AM

I did install the Recovery Console but it's not showing up in my HijackThis log. Don't know why, but it is installed. Gonna try the new script. Thank you so much for the help.
jacob


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:43 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [c06f2ce9] rundll32.exe "C:\WINDOWS\system32\gpvfycjl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7438 bytes


ComboFix 08-05-11.1 - Jen 2008-05-12 10:55:21.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1560 [GMT -5:00]
Running from: C:\Documents and Settings\Jen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jen\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\EMoUEfhk.ini
C:\WINDOWS\system32\EMoUEfhk.ini2
C:\WINDOWS\system32\iyrdabaq.dll
C:\WINDOWS\system32\khfEUoME.dll
C:\WINDOWS\system32\khfGxwww.dll
C:\WINDOWS\system32\opnNDSLD.dll
C:\WINDOWS\system32\pneejnlt.exe
C:\WINDOWS\system32\ssqNEwTL.dll
C:\WINDOWS\system32\yqbdmwpj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\btnstwdn.dll
C:\WINDOWS\system32\EMoUEfhk.ini
C:\WINDOWS\system32\EMoUEfhk.ini2
C:\WINDOWS\system32\iyrdabaq.dll
C:\WINDOWS\system32\khfEUoME.dll
C:\WINDOWS\system32\khfFYSKa.dll
C:\WINDOWS\system32\opnNDSLD.dll
C:\WINDOWS\system32\pneejnlt.exe
C:\WINDOWS\system32\qabadryi.ini
C:\WINDOWS\system32\ssqNEwTL.dll
C:\WINDOWS\system32\yqbdmwpj.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 11:08 . 2008-05-12 11:08 100,416 --a------ C:\WINDOWS\system32\maqeynwe.dll
2008-05-12 11:08 . 2008-05-12 11:08 22 --a------ C:\WINDOWS\pskt.ini
2008-05-12 11:07 . 2008-05-12 11:09 1,039,978 --ahs---- C:\WINDOWS\system32\lUxxyccf.ini
2008-05-12 11:07 . 2008-05-12 11:07 276,992 --a------ C:\WINDOWS\system32\fccyxxUl.dll
2008-05-12 11:07 . 2008-05-12 11:07 345 --ahs---- C:\WINDOWS\system32\lUxxyccf.ini2
2008-05-12 11:06 . 2008-05-12 11:06 45,568 --a------ C:\WINDOWS\system32\ljJCrRhi.dll
2008-05-12 02:30 . 2008-05-12 02:30 2,112 --a------ C:\WINDOWS\system32\yatpomiq.exe
2008-05-12 02:21 . 2008-05-12 11:08 109,803 --a------ C:\WINDOWS\BMc35c1f75.xml
2008-05-12 01:54 . 2007-12-14 10:06 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-05-12 01:52 . 2007-12-14 10:06 157,663 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-10 23:37 . 2008-05-10 23:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24 . 2008-05-10 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 22:16 . 2008-05-10 22:16 <DIR> d-------- C:\Deckard
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 19:38 . 2008-05-10 19:38 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-10 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 19:37 . 2008-05-10 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-10 19:37 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-10 18:01 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-10 17:55 . 2008-05-10 19:22 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 00:13 . 2008-05-10 00:13 <DIR> d-------- C:\WINDOWS\Sun
2008-05-10 00:13 . 2008-05-10 17:43 <DIR> d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:12 . 2008-05-10 00:12 <DIR> d-------- C:\Program Files\Java
2008-05-10 00:12 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-10 00:11 . 2008-05-10 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 00:05 . 2008-05-10 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-09 22:50 . 2008-05-09 22:50 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-05-09 22:50 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-08 18:29 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-08 18:10 . 2008-05-08 18:16 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19 . 2008-05-08 17:19 <DIR> d-------- C:\Program Files\WinWay Resume
2008-05-08 17:18 . 2008-05-08 17:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-05-08 17:07 . 2008-05-08 17:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04 . 2008-05-08 17:07 <DIR> d-------- C:\WINDOWS\ShellNew
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a--c--- C:\WINDOWS\system32\dllcache\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a--c--- C:\WINDOWS\system32\dllcache\secupd.dat
2008-05-08 13:07 . 2008-05-09 21:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07 . 2008-05-08 13:07 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-08 13:07 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-08 13:03 . 2008-05-08 13:03 45,568 --a------ C:\WINDOWS\system32\ljJCSlLE.dll.vir
2008-05-08 13:00 . 2008-03-31 21:24 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27 . 2008-04-15 00:27 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:27 . 2008-04-15 00:27 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-15 00:27 . 2008-04-15 00:27 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-15 00:25 . 2008-04-15 00:25 <DIR> d-------- C:\Program Files\Intel
2008-04-15 00:24 . 2008-04-15 00:24 <DIR> d-------- C:\Program Files\Boot Camp
2008-04-15 00:23 . 2008-05-12 01:54 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Realtek
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Motorola
2008-04-15 00:23 . 2008-05-12 01:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22 . 2008-05-12 01:59 <DIR> d-------- C:\WINDOWS\nview
2008-04-15 00:22 . 2008-04-15 00:22 <DIR> d-------- C:\Program Files\SigmaTel
2008-04-15 00:22 . 2008-05-12 01:50 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:21 . 2008-04-15 00:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Program Files\DIFX
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-15 00:21 . 2007-12-14 10:04 1,296,800 --a------ C:\WINDOWS\system32\drivers\ar5416.sys
2008-04-15 00:21 . 2007-12-06 09:51 285,952 --a------ C:\WINDOWS\system32\drivers\yk51x86.sys
2008-04-15 00:21 . 2007-12-14 10:03 8,064 --a------ C:\WINDOWS\system32\drivers\applebt.sys
2008-04-15 00:20 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-14 23:06 . 2008-05-10 09:58 <DIR> d-------- C:\Documents and Settings\Jen
2008-04-14 23:06 . 2008-05-12 11:08 36,864 --ah----- C:\Documents and Settings\Jen\ntuser.dat.LOG
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-04-14 23:05 . 2008-05-12 11:07 1,024 --ah----- C:\Documents and Settings\LocalService\ntuser.dat.LOG
2008-04-14 23:04 . 2008-04-14 23:04 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-04-14 23:04 . 2008-04-14 23:04 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-04-14 23:04 . 2008-05-12 11:07 1,024 --ah----- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
2008-04-14 23:02 . 2001-08-23 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-14 23:00 . 2008-04-14 23:00 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\WindowsLogon.manifest
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-14 01:01 . 2008-05-10 23:39 <DIR> d-------- C:\Program Files\Safari
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iTunes
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iPod
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 01:00 . 2008-05-12 11:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 01:00 . 2008-04-14 01:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 00:59 . 2008-04-14 00:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-14 00:57 . 2008-04-14 00:58 <DIR> d-------- C:\Program Files\QuickTime
2008-04-14 00:57 . 2008-04-14 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 00:55 . 2008-04-14 00:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-14 00:55 . 2008-05-12 11:04 5,178 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-14 00:54 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-14 00:53 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-14 00:53 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-14 00:53 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-14 00:52 . 2008-04-14 00:52 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-14 00:52 . 2008-04-21 12:19 <DIR> d-------- C:\Program Files\McAfee
2008-04-14 00:52 . 2008-04-14 00:54 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-14 00:52 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-14 00:48 . 2008-04-14 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-14 00:45 . 2008-04-14 00:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-14 00:33 . 2008-04-14 00:35 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-14 00:32 . 2008-03-01 08:03 6,067,712 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-14 00:32 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-14 00:32 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-14 00:32 . 2008-03-01 08:03 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-14 00:32 . 2008-03-01 08:03 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-14 00:32 . 2008-03-01 08:03 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-14 00:32 . 2008-03-01 08:03 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-14 00:32 . 2008-03-01 08:03 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-14 00:32 . 2008-02-22 04:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 05:24 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-15 05:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-15 03:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-01 01:53 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
2008-04-01 01:53 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
2008-04-01 01:52 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
2008-04-01 01:52 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
2008-04-01 01:44 964,608 ----a-w C:\WINDOWS\system32\mfc70u.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:03 827,392 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-12_ 2.21.44.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 07:14:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 16:03:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 16:07:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_eb4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327D2B40-5399-48DC-A8EA-918111DF58BE}]
C:\WINDOWS\system32\khfEUoME.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69052A43-2BA7-4570-92EC-755E06D4E85B}]
2008-05-12 11:07 276992 --a------ C:\WINDOWS\system32\fccyxxUl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b60b1aca-14d5-4757-9b49-cdfd5fc4e8c8}]
C:\WINDOWS\system32\btnstwdn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-14 10:06 8527872]
"nwiz"="nwiz.exe" [2007-12-14 10:06 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-12-14 10:03 147456]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-12-14 10:27 419120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-14 10:06 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-14 10:07 16855552 C:\WINDOWS\RTHDCPL.exe]
"c06f2ce9"="C:\WINDOWS\system32\iyrdabaq.dll" [ ]
"combofix"="C:\WINDOWS\system32\CF7015.exe" [2004-08-03 18:56 388608]
"BMc35c1f75"="C:\WINDOWS\system32\maqeynwe.dll" [2008-05-12 11:08 100416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-08 13:07:00 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\ljJCrRhi.dll [2008-05-12 11:06 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCrRhi]
ljJCrRhi.dll 2008-05-12 11:06 45568 C:\WINDOWS\system32\ljJCrRhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNEwTL]
ssqNEwTL.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\fccyxxUl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-12-14 10:26]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-12-14 10:26]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-12-14 10:03]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-12-14 10:03]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-12-14 10:03]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-12-14 10:03]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-12-14 10:03]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-12-14 10:03]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-12-14 10:03]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-12-14 10:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 04:37:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 05:52:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-14 05:52:40 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 11:08:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\maqeynwe.dll 100416 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ljJCrRhi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-12 11:11:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 16:11:10
ComboFix2.txt 2008-05-12 07:22:51
ComboFix3.txt 2008-05-12 00:38:07
ComboFix4.txt 2008-05-12 00:22:47

Pre-Run: 22,478,413,824 bytes free
Post-Run: 22,477,684,736 bytes free

294 --- E O F --- 2008-05-08 22:24:04

Edited by jacobean, 12 May 2008 - 11:23 AM.


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 May 2008 - 01:36 PM

Hi,

It looks like we are running around in circles here - and I guess something is interfering with ComboFix as well, most probably McAfee.

So let's try this from Windows Safe Mode.

But first...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\maqeynwe.dll
C:\WINDOWS\system32\ljJCrRhi.dll
C:\WINDOWS\system32\fccyxxUl.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lUxxyccf.ini
C:\WINDOWS\system32\lUxxyccf.ini2
C:\WINDOWS\system32\ljJCrRhi.dll
C:\WINDOWS\system32\yatpomiq.exe
C:\WINDOWS\BMc35c1f75.xml
C:\WINDOWS\system32\ljJCSlLE.dll.vir
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327D2B40-5399-48DC-A8EA-918111DF58BE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69052A43-2BA7-4570-92EC-755E06D4E85B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b60b1aca-14d5-4757-9b49-cdfd5fc4e8c8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c06f2ce9"=-
"BMc35c1f75"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCrRhi]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNEwTL]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"=-


Save this as a text file named CFScript

Then, * Reboot into Safe Mode (without networking support!)
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Once in Safe mode...

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: the CFScript file being dragged onto ComboFix.exe)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 jacobean

jacobean
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:54 PM

Posted 12 May 2008 - 02:00 PM

ComboFix 08-05-11.1 - Jen 2008-05-12 13:49:38.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1769 [GMT -5:00]
Running from: C:\Documents and Settings\Jen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jen\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMc35c1f75.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\fccyxxUl.dll
C:\WINDOWS\system32\ljJCrRhi.dll
C:\WINDOWS\system32\ljJCSlLE.dll.vir
C:\WINDOWS\system32\lUxxyccf.ini
C:\WINDOWS\system32\lUxxyccf.ini2
C:\WINDOWS\system32\maqeynwe.dll
C:\WINDOWS\system32\yatpomiq.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc35c1f75.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\adsfidfm.dll
C:\WINDOWS\system32\bsjosqwj.dll
C:\WINDOWS\system32\fccyxxUl.dll
C:\WINDOWS\system32\gpvfycjl.dll
C:\WINDOWS\system32\ljcyfvpg.ini
C:\WINDOWS\system32\ljJCrRhi.dll
C:\WINDOWS\system32\ljJCSlLE.dll.vir
C:\WINDOWS\system32\lUxxyccf.ini
C:\WINDOWS\system32\lUxxyccf.ini2
C:\WINDOWS\system32\maqeynwe.dll
C:\WINDOWS\system32\oywtvhts.dll
C:\WINDOWS\system32\rqRHYpOg.dll
C:\WINDOWS\system32\xxyvWPfG.dll
C:\WINDOWS\system32\yatpomiq.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-12 13:55 . 2008-05-12 13:55 45,568 --a------ C:\WINDOWS\system32\cbXOFuTJ.dll
2008-05-12 13:44 . 2008-05-12 13:44 2,112 --a------ C:\WINDOWS\system32\pjtrniic.exe
2008-05-12 11:18 . 2008-05-12 11:18 2,112 --a------ C:\WINDOWS\system32\pxfuecku.exe
2008-05-12 01:54 . 2007-12-14 10:06 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-05-12 01:52 . 2007-12-14 10:06 157,663 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-10 23:37 . 2008-05-10 23:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24 . 2008-05-10 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 22:16 . 2008-05-10 22:16 <DIR> d-------- C:\Deckard
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 19:38 . 2008-05-10 19:38 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-10 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 19:37 . 2008-05-10 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-10 19:37 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-10 18:01 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-10 17:55 . 2008-05-10 19:22 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 00:13 . 2008-05-10 00:13 <DIR> d-------- C:\WINDOWS\Sun
2008-05-10 00:13 . 2008-05-10 17:43 <DIR> d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:12 . 2008-05-10 00:12 <DIR> d-------- C:\Program Files\Java
2008-05-10 00:12 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-10 00:11 . 2008-05-10 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 00:05 . 2008-05-10 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-09 22:50 . 2008-05-09 22:50 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-05-09 22:50 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-08 18:29 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-08 18:10 . 2008-05-08 18:16 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19 . 2008-05-08 17:19 <DIR> d-------- C:\Program Files\WinWay Resume
2008-05-08 17:18 . 2008-05-08 17:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-05-08 17:07 . 2008-05-08 17:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04 . 2008-05-08 17:07 <DIR> d-------- C:\WINDOWS\ShellNew
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a--c--- C:\WINDOWS\system32\dllcache\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a--c--- C:\WINDOWS\system32\dllcache\secupd.dat
2008-05-08 13:07 . 2008-05-09 21:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07 . 2008-05-08 13:07 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-08 13:07 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-08 13:00 . 2008-03-31 21:24 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27 . 2008-04-15 00:27 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:27 . 2008-04-15 00:27 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-15 00:27 . 2008-04-15 00:27 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-15 00:25 . 2008-04-15 00:25 <DIR> d-------- C:\Program Files\Intel
2008-04-15 00:24 . 2008-04-15 00:24 <DIR> d-------- C:\Program Files\Boot Camp
2008-04-15 00:23 . 2008-05-12 01:54 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Realtek
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Motorola
2008-04-15 00:23 . 2008-05-12 01:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22 . 2008-05-12 01:59 <DIR> d-------- C:\WINDOWS\nview
2008-04-15 00:22 . 2008-04-15 00:22 <DIR> d-------- C:\Program Files\SigmaTel
2008-04-15 00:22 . 2008-05-12 01:50 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:21 . 2008-04-15 00:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Program Files\DIFX
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-15 00:21 . 2007-12-14 10:04 1,296,800 --a------ C:\WINDOWS\system32\drivers\ar5416.sys
2008-04-15 00:21 . 2007-12-06 09:51 285,952 --a------ C:\WINDOWS\system32\drivers\yk51x86.sys
2008-04-15 00:21 . 2007-12-14 10:03 8,064 --a------ C:\WINDOWS\system32\drivers\applebt.sys
2008-04-15 00:20 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-14 23:06 . 2008-05-10 09:58 <DIR> d-------- C:\Documents and Settings\Jen
2008-04-14 23:06 . 2008-05-12 13:55 36,864 --ah----- C:\Documents and Settings\Jen\ntuser.dat.LOG
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-04-14 23:05 . 2008-05-12 13:55 16,384 --ah----- C:\Documents and Settings\LocalService\ntuser.dat.LOG
2008-04-14 23:04 . 2008-04-14 23:04 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-04-14 23:04 . 2008-04-14 23:04 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-04-14 23:04 . 2008-05-12 13:55 1,024 --ah----- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
2008-04-14 23:02 . 2001-08-23 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-14 23:00 . 2008-04-14 23:00 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\WindowsLogon.manifest
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-14 01:01 . 2008-05-10 23:39 <DIR> d-------- C:\Program Files\Safari
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iTunes
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iPod
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 01:00 . 2008-05-12 13:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 01:00 . 2008-04-14 01:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 00:59 . 2008-04-14 00:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-14 00:57 . 2008-04-14 00:58 <DIR> d-------- C:\Program Files\QuickTime
2008-04-14 00:57 . 2008-04-14 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 00:55 . 2008-04-14 00:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-14 00:55 . 2008-05-12 13:55 5,178 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-14 00:54 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-14 00:53 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-14 00:53 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-14 00:53 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-14 00:52 . 2008-04-14 00:52 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-14 00:52 . 2008-04-21 12:19 <DIR> d-------- C:\Program Files\McAfee
2008-04-14 00:52 . 2008-04-14 00:54 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-14 00:52 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-14 00:48 . 2008-04-14 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-14 00:45 . 2008-04-14 00:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-14 00:33 . 2008-04-14 00:35 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-14 00:32 . 2008-03-01 08:03 6,067,712 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-14 00:32 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-14 00:32 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-14 00:32 . 2008-03-01 08:03 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-14 00:32 . 2008-03-01 08:03 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-14 00:32 . 2008-03-01 08:03 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-14 00:32 . 2008-03-01 08:03 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-14 00:32 . 2008-03-01 08:03 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-14 00:32 . 2008-02-22 04:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 05:24 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-15 05:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-15 03:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-01 01:53 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
2008-04-01 01:53 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
2008-04-01 01:52 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
2008-04-01 01:52 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
2008-04-01 01:44 964,608 ----a-w C:\WINDOWS\system32\mfc70u.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:03 827,392 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-12_ 2.21.44.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 07:14:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 18:54:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DEC12E1-8AD7-44DD-9E77-A121B75F06F3}]
C:\WINDOWS\system32\fccyxxUl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-14 10:06 8527872]
"nwiz"="nwiz.exe" [2007-12-14 10:06 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-12-14 10:03 147456]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-12-14 10:27 419120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-14 10:06 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-14 10:07 16855552 C:\WINDOWS\RTHDCPL.exe]
"combofix"="C:\WINDOWS\system32\CF8536.exe" [2004-08-03 18:56 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-08 13:07:00 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\cbXOFuTJ.dll [2008-05-12 13:55 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXOFuTJ]
cbXOFuTJ.dll 2008-05-12 13:55 45568 C:\WINDOWS\system32\cbXOFuTJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCrRhi]
ljJCrRhi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-12-14 10:26]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-12-14 10:26]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-12-14 10:03]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-12-14 10:03]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-12-14 10:03]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-12-14 10:03]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-12-14 10:03]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-12-14 10:03]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-12-14 10:03]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-12-14 10:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 04:37:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 05:52:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-14 05:52:40 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 13:55:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXOFuTJ.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\McAfee\MPS\mpsevh.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-12 13:58:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-12 18:58:18
ComboFix2.txt 2008-05-12 16:11:18
ComboFix3.txt 2008-05-12 07:22:51
ComboFix4.txt 2008-05-12 00:38:07
ComboFix5.txt 2008-05-12 00:22:47

Pre-Run: 22,478,610,432 bytes free
Post-Run: 22,472,056,832 bytes free

278 --- E O F --- 2008-05-08 22:24:04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:09 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O20 - Winlogon Notify: cbXOFuTJ - C:\WINDOWS\SYSTEM32\cbXOFuTJ.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7589 bytes

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:02:54 AM

Posted 12 May 2008 - 02:08 PM

Let's give it another run, still in the same way as I explained earlier - we are making progress, however, not finished yet.

Still not sure what is interfering here - as I can't see any other loaders present that may reload it.

So do this again in Windows safe mode with this script..



File::
C:\WINDOWS\system32\cbXOFuTJ.dll
C:\WINDOWS\system32\pjtrniic.exe
C:\WINDOWS\system32\pxfuecku.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DEC12E1-8AD7-44DD-9E77-A121B75F06F3}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXOFuTJ]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCrRhi]


Fingers crossed...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
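The scripts in posts #8 and #10 above use ComboFix's CFScript format: a `File::` section listing paths to remove, and a `Registry::` section in which `[-KEY]` deletes a key, `[KEY]` followed by `"name"=-` deletes a value, and `"name"=hex(7):...` writes a REG_MULTI_SZ value (the Lsa line resets "Authentication Packages"). The following is an added example, not ComboFix's code or the helper's: a dry-run parser that reports what such a script would delete or change, so it can be reviewed before it is run, and checks that the Lsa line restores the stock value. It assumes the hex(7) bytes are 8-bit (REGEDIT4 style, as in the script above), that `msv1_0` alone is the stock Windows XP "Authentication Packages" value, and that `dword:` and quoted-string values follow ordinary .reg syntax; the `"~"` path abbreviation ComboFix uses is kept as written.

```python
"""Dry-run auditor for a ComboFix CFScript (added example; not ComboFix's own code)."""
import re
from dataclasses import dataclass, field

# Stock Windows XP value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Authentication Packages"
# (assumption stated in the lead-in). Vundo-family samples add their DLL here so lsass.exe
# loads it at boot, which is why the script above resets the value.
XP_DEFAULT_AUTH_PACKAGES = ["msv1_0"]


@dataclass
class CFScriptPlan:
    files: list = field(default_factory=list)          # paths listed under File::
    delete_keys: list = field(default_factory=list)    # keys from [-KEY] lines
    delete_values: list = field(default_factory=list)  # (key, name) from "name"=- lines
    set_values: list = field(default_factory=list)     # (key, name, type, data) to be written


def decode_hex_multi_sz(payload):
    """Decode a REGEDIT4 hex(7) payload: comma-separated 8-bit bytes holding
    NUL-separated strings with a double-NUL terminator."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\0") if s]


def parse_cfscript(text):
    """Parse CFScript text into a plan without touching the file system or registry."""
    plan, section, current_key = CFScriptPlan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                 # section header: File:: or Registry::
            section, current_key = line[:-2].lower(), None
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]                # ComboFix's "~" abbreviation is kept as written
                if key.startswith("-"):         # [-KEY] deletes the whole key
                    plan.delete_keys.append(key[1:])
                    current_key = None
                else:                           # [KEY] selects the key for the value lines below
                    current_key = key
                continue
            m = re.match(r'"(.*)"=(.*)$', line)
            if m is None or current_key is None:
                raise ValueError(f"unparsed Registry:: line: {raw!r}")
            name, data = m.groups()
            if data == "-":                     # "name"=- deletes the value
                plan.delete_values.append((current_key, name))
            elif data.startswith("hex(7):"):    # REG_MULTI_SZ, as in the Lsa line above
                plan.set_values.append((current_key, name, "REG_MULTI_SZ", decode_hex_multi_sz(data[7:])))
            elif data.startswith("dword:"):     # ordinary .reg syntax for REG_DWORD
                plan.set_values.append((current_key, name, "REG_DWORD", int(data[6:], 16)))
            else:                               # quoted string, REG_SZ
                plan.set_values.append((current_key, name, "REG_SZ", data.strip('"')))
        else:
            raise ValueError(f"line outside a File:: or Registry:: section: {raw!r}")
    return plan


def lsa_auth_packages_restored(plan):
    """True if the script leaves Authentication Packages alone or resets it to the stock value."""
    for key, name, _vtype, data in plan.set_values:
        if key.lower().endswith("\\control\\lsa") and name.lower() == "authentication packages":
            return data == XP_DEFAULT_AUTH_PACKAGES
    return True


def summarize(plan):
    """One line per action the script would take, for review before running it."""
    return ([f"delete file:  {p}" for p in plan.files]
            + [f"delete key:   {k}" for k in plan.delete_keys]
            + [f"delete value: {k} -> {n}" for k, n in plan.delete_values]
            + [f"set value:    {k} -> {n} ({t}) = {d!r}" for k, n, t, d in plan.set_values])


# Constructed sample input: the script from post #8 above, verbatim.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\maqeynwe.dll
C:\WINDOWS\system32\ljJCrRhi.dll
C:\WINDOWS\system32\fccyxxUl.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lUxxyccf.ini
C:\WINDOWS\system32\lUxxyccf.ini2
C:\WINDOWS\system32\ljJCrRhi.dll
C:\WINDOWS\system32\yatpomiq.exe
C:\WINDOWS\BMc35c1f75.xml
C:\WINDOWS\system32\ljJCSlLE.dll.vir
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{327D2B40-5399-48DC-A8EA-918111DF58BE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69052A43-2BA7-4570-92EC-755E06D4E85B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b60b1aca-14d5-4757-9b49-cdfd5fc4e8c8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c06f2ce9"=-
"BMc35c1f75"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJCrRhi]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNEwTL]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"=-
"""

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    print("\n".join(summarize(plan)))
    print("Authentication Packages reset to stock value:", lsa_auth_packages_restored(plan))
```

Running it on the post #8 script lists ten file deletions (one path, ljJCrRhi.dll, appears twice), five key deletions (three BHO CLSIDs and two Winlogon Notify subkeys), three value deletions (two Run entries and the ShellExecuteHooks CLSID) and one value write, and reports that the hex(7) payload decodes to just `msv1_0`. The parser refuses value lines that appear before any `[KEY]` line and lines outside a known section, so a script with a copy/paste error fails the review instead of silently doing less than intended.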

#11 jacobean

jacobean
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:54 PM

Posted 12 May 2008 - 10:23 PM

ComboFix 08-05-11.1 - Jen 2008-05-12 22:08:33.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1787 [GMT -5:00]
Running from: C:\Documents and Settings\Jen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jen\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\cbXOFuTJ.dll
C:\WINDOWS\system32\pjtrniic.exe
C:\WINDOWS\system32\pxfuecku.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cbXOFuTJ.dll
C:\WINDOWS\system32\cbXOGWoP.dll
C:\WINDOWS\system32\pjtrniic.exe
C:\WINDOWS\system32\pxfuecku.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 22:17 . 2008-05-12 22:17 276,992 --a------ C:\WINDOWS\system32\awtqoMdC.dll
2008-05-12 22:17 . 2008-05-12 22:17 345 --ahs---- C:\WINDOWS\system32\CdMoqtwa.ini2
2008-05-12 22:17 . 2008-05-12 22:18 345 --ahs---- C:\WINDOWS\system32\CdMoqtwa.ini
2008-05-12 22:16 . 2008-05-12 22:16 45,568 --a------ C:\WINDOWS\system32\ddcBTlKC.dll
2008-05-12 01:54 . 2007-12-14 10:06 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-05-12 01:52 . 2007-12-14 10:06 157,663 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-10 23:37 . 2008-05-10 23:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24 . 2008-05-10 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 22:16 . 2008-05-10 22:16 <DIR> d-------- C:\Deckard
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 19:38 . 2008-05-10 19:38 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-10 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 19:37 . 2008-05-10 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-10 19:37 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-10 18:01 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-10 17:55 . 2008-05-10 19:22 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 00:13 . 2008-05-10 00:13 <DIR> d-------- C:\WINDOWS\Sun
2008-05-10 00:13 . 2008-05-10 17:43 <DIR> d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:12 . 2008-05-10 00:12 <DIR> d-------- C:\Program Files\Java
2008-05-10 00:12 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-10 00:11 . 2008-05-10 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 00:05 . 2008-05-10 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-09 22:50 . 2008-05-09 22:50 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-05-09 22:50 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-08 18:29 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-08 18:10 . 2008-05-08 18:16 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19 . 2008-05-08 17:19 <DIR> d-------- C:\Program Files\WinWay Resume
2008-05-08 17:18 . 2008-05-08 17:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-05-08 17:07 . 2008-05-08 17:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04 . 2008-05-08 17:07 <DIR> d-------- C:\WINDOWS\ShellNew
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a--c--- C:\WINDOWS\system32\dllcache\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a--c--- C:\WINDOWS\system32\dllcache\secupd.dat
2008-05-08 13:07 . 2008-05-09 21:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07 . 2008-05-08 13:07 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-08 13:07 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-08 13:00 . 2008-03-31 21:24 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27 . 2008-04-15 00:27 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:27 . 2008-04-15 00:27 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-15 00:27 . 2008-04-15 00:27 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-15 00:25 . 2008-04-15 00:25 <DIR> d-------- C:\Program Files\Intel
2008-04-15 00:24 . 2008-04-15 00:24 <DIR> d-------- C:\Program Files\Boot Camp
2008-04-15 00:23 . 2008-05-12 01:54 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Realtek
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Motorola
2008-04-15 00:23 . 2008-05-12 01:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22 . 2008-05-12 01:59 <DIR> d-------- C:\WINDOWS\nview
2008-04-15 00:22 . 2008-04-15 00:22 <DIR> d-------- C:\Program Files\SigmaTel
2008-04-15 00:22 . 2008-05-12 01:50 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:21 . 2008-04-15 00:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Program Files\DIFX
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-15 00:21 . 2007-12-14 10:04 1,296,800 --a------ C:\WINDOWS\system32\drivers\ar5416.sys
2008-04-15 00:21 . 2007-12-06 09:51 285,952 --a------ C:\WINDOWS\system32\drivers\yk51x86.sys
2008-04-15 00:21 . 2007-12-14 10:03 8,064 --a------ C:\WINDOWS\system32\drivers\applebt.sys
2008-04-15 00:20 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-14 23:06 . 2008-05-10 09:58 <DIR> d-------- C:\Documents and Settings\Jen
2008-04-14 23:06 . 2008-05-12 22:18 1,024 --ah----- C:\Documents and Settings\Jen\ntuser.dat.LOG
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-14 23:05 . 2008-04-14 23:05 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-04-14 23:05 . 2008-05-12 22:16 1,024 --ah----- C:\Documents and Settings\LocalService\ntuser.dat.LOG
2008-04-14 23:04 . 2008-04-14 23:04 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-04-14 23:04 . 2008-04-14 23:04 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-04-14 23:04 . 2008-05-12 22:16 1,024 --ah----- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
2008-04-14 23:02 . 2001-08-23 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-14 23:01 . 2008-04-14 23:01 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-14 23:00 . 2008-04-14 23:00 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\WindowsLogon.manifest
2008-04-14 23:00 . 2008-04-14 23:00 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-14 01:01 . 2008-05-10 23:39 <DIR> d-------- C:\Program Files\Safari
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iTunes
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Program Files\iPod
2008-04-14 01:00 . 2008-04-14 01:00 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 01:00 . 2008-05-12 22:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 01:00 . 2008-04-14 01:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-14 00:59 . 2008-04-14 00:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-14 00:57 . 2008-04-14 00:58 <DIR> d-------- C:\Program Files\QuickTime
2008-04-14 00:57 . 2008-04-14 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 00:55 . 2008-04-14 00:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-14 00:55 . 2008-05-12 22:13 5,178 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-14 00:54 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-14 00:53 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-14 00:53 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-14 00:53 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-14 00:53 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-14 00:52 . 2008-04-14 00:52 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-14 00:52 . 2008-04-21 12:19 <DIR> d-------- C:\Program Files\McAfee
2008-04-14 00:52 . 2008-04-14 00:54 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-14 00:52 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-14 00:48 . 2008-04-14 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-14 00:45 . 2008-04-14 00:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-14 00:33 . 2008-04-14 00:35 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-14 00:32 . 2008-03-01 08:03 6,067,712 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-14 00:32 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-14 00:32 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-14 00:32 . 2008-03-01 08:03 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-14 00:32 . 2008-03-01 08:03 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-14 00:32 . 2008-03-01 08:03 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-14 00:32 . 2008-03-01 08:03 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-14 00:32 . 2008-03-01 08:03 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-14 00:32 . 2008-02-22 04:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 05:24 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-15 05:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-15 03:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-01 01:53 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
2008-04-01 01:53 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
2008-04-01 01:52 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
2008-04-01 01:52 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
2008-04-01 01:44 964,608 ----a-w C:\WINDOWS\system32\mfc70u.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:03 827,392 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-12_ 2.21.44.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 07:14:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 03:12:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14B83830-BC8E-476E-A843-673EC4280502}]
2008-05-12 22:17 276992 --a------ C:\WINDOWS\system32\awtqoMdC.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-14 10:06 8527872]
"nwiz"="nwiz.exe" [2007-12-14 10:06 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-12-14 10:03 147456]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-12-14 10:27 419120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-14 10:06 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-14 10:07 16855552 C:\WINDOWS\RTHDCPL.exe]
"combofix"="C:\WINDOWS\system32\CF8000.exe" [2004-08-03 18:56 388608]
"BMc35c1f75"="C:\WINDOWS\system32\tnnshhtf.dll" [2008-05-12 22:19 100416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-08 13:07:00 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\ddcBTlKC.dll [2008-05-12 22:16 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXOFuTJ]
cbXOFuTJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBTlKC]
ddcBTlKC.dll 2008-05-12 22:16 45568 C:\WINDOWS\system32\ddcBTlKC.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtqoMdC

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-12-14 10:26]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-12-14 10:26]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-12-14 10:03]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-12-14 10:03]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-12-14 10:03]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-12-14 10:03]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-12-14 10:03]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-12-14 10:03]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-12-14 10:03]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-12-14 10:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 04:37:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 05:52:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-14 05:52:40 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 22:17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\CdMoqtwa.ini 345 bytes
C:\WINDOWS\system32\CdMoqtwa.ini2 345 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ddcBTlKC.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\tnnshhtf.dll
-> C:\WINDOWS\system32\awtqoMdC.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-12 22:20:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 03:20:05
ComboFix2.txt 2008-05-12 18:58:27
ComboFix3.txt 2008-05-12 16:11:18
ComboFix4.txt 2008-05-12 07:22:51
ComboFix5.txt 2008-05-12 00:38:07

Pre-Run: 22,481,268,736 bytes free
Post-Run: 22,466,383,872 bytes free

272 --- E O F --- 2008-05-08 22:24:04


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:28 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BMc35c1f75] Rundll32.exe "C:\WINDOWS\system32\tnnshhtf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7523 bytes



ComboFix 08-05-11.1 - Jen 2008-05-12 22:08:33.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1787 [GMT -5:00]
Running from: C:\Documents and Settings\Jen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jen\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\cbXOFuTJ.dll
C:\WINDOWS\system32\pjtrniic.exe
C:\WINDOWS\system32\pxfuecku.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cbXOFuTJ.dll
C:\WINDOWS\system32\cbXOGWoP.dll
C:\WINDOWS\system32\pjtrniic.exe
C:\WINDOWS\system32\pxfuecku.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 22:17 . 2008-05-12 22:17 276,992 --a------ C:\WINDOWS\system32\awtqoMdC.dll
2008-05-12 22:17 . 2008-05-12 22:17 345 --ahs---- C:\WINDOWS\system32\CdMoqtwa.ini2
2008-05-12 22:17 . 2008-05-12 22:18 345 --ahs---- C:\WINDOWS\system32\CdMoqtwa.ini
2008-05-12 22:16 . 2008-05-12 22:16 45,568 --a------ C:\WINDOWS\system32\ddcBTlKC.dll
2008-05-12 01:54 . 2007-12-14 10:06 69,632 --a------ C:\WINDOWS\Alcmtr.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 05:24 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-15 05:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-15 03:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-01 01:53 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
2008-04-01 01:53 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
2008-04-01 01:52 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
2008-04-01 01:52 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
2008-04-01 01:44 964,608 ----a-w C:\WINDOWS\system32\mfc70u.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:03 827,392 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-12_ 2.21.44.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 07:14:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 03:12:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14B83830-BC8E-476E-A843-673EC4280502}]
2008-05-12 22:17 276992 --a------ C:\WINDOWS\system32\awtqoMdC.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-14 10:06 8527872]
"nwiz"="nwiz.exe" [2007-12-14 10:06 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-12-14 10:03 147456]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-12-14 10:27 419120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-14 10:06 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-14 10:07 16855552 C:\WINDOWS\RTHDCPL.exe]
"combofix"="C:\WINDOWS\system32\CF8000.exe" [2004-08-03 18:56 388608]
"BMc35c1f75"="C:\WINDOWS\system32\tnnshhtf.dll" [2008-05-12 22:19 100416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-08 13:07:00 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\ddcBTlKC.dll [2008-05-12 22:16 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXOFuTJ]
cbXOFuTJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBTlKC]
ddcBTlKC.dll 2008-05-12 22:16 45568 C:\WINDOWS\system32\ddcBTlKC.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtqoMdC

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-12-14 10:26]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-12-14 10:26]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-12-14 10:03]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-12-14 10:03]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-12-14 10:03]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-12-14 10:03]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-12-14 10:03]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-12-14 10:03]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-12-14 10:03]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-12-14 10:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 04:37:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 05:52:42 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-14 05:52:40 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 22:17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\CdMoqtwa.ini 345 bytes
C:\WINDOWS\system32\CdMoqtwa.ini2 345 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ddcBTlKC.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\tnnshhtf.dll
-> C:\WINDOWS\system32\awtqoMdC.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-12 22:20:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 03:20:05
ComboFix2.txt 2008-05-12 18:58:27
ComboFix3.txt 2008-05-12 16:11:18
ComboFix4.txt 2008-05-12 07:22:51
ComboFix5.txt 2008-05-12 00:38:07

Pre-Run: 22,481,268,736 bytes free
Post-Run: 22,466,383,872 bytes free

272 --- E O F --- 2008-05-08 22:24:04


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:28 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BMc35c1f75] Rundll32.exe "C:\WINDOWS\system32\tnnshhtf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7523 bytes
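
What the ComboFix log above actually shows, read the way a triage analyst reads it: one set of randomly named DLLs is registered in four load points at once. awtqoMdC.dll is a Browser Helper Object and is also listed as a second LSA Authentication Package next to msv1_0, so lsass.exe loads it at boot; ddcBTlKC.dll is both a ShellExecuteHook and a Winlogon Notify package, and the "DLLs Loaded Under Running Processes" section confirms it inside winlogon.exe; cbXOFuTJ keeps a Winlogon Notify key although no file details are printed for it, and the DLL itself turns up in a catchme quarantine archive in the Kaspersky report below; tnnshhtf.dll is a plain Run entry loaded into explorer.exe. The catchme scan also lists a hidden CdMoqtwa.ini, which is awtqoMdC spelled backwards, the way this family (Vundo, Kaspersky's Trojan.Win32.Monder) pairs its data file with its loader. Finally, the Security Center and firewall keys show antivirus notifications and the Windows firewall switched off. The script below is an added example by the editor of this page, not part of the original post and not ComboFix's own code: it parses a log in this format and scores every module on where it is loaded from, whether its name looks generated, whether a reversed-name hidden .ini exists, and whether it was written within minutes of a confirmed hit. The sample lines are copied from the log above; the weights, the 30-minute window, the score threshold and the eight-letter name heuristic are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the "Reg Loading Points" and catchme
# sections of the ComboFix log above, with unrelated entries dropped.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14B83830-BC8E-476E-A843-673EC4280502}]
2008-05-12 22:17 276992 --a------ C:\WINDOWS\system32\awtqoMdC.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-14 10:06 81920]
"BMc35c1f75"="C:\WINDOWS\system32\tnnshhtf.dll" [2008-05-12 22:19 100416]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\ddcBTlKC.dll [2008-05-12 22:16 45568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXOFuTJ]
cbXOFuTJ.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\awtqoMdC
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
C:\WINDOWS\system32\CdMoqtwa.ini 345 bytes
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
MODULE_RE = re.compile(r'(?:[A-Za-z]:\\[^\s"\[\]]+\\)?([A-Za-z0-9_]+)\.(?:dll|cpl)\b')
TIMESTAMP_RE = re.compile(r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2})')
HIDDEN_INI_RE = re.compile(r'\\([A-Za-z0-9_]+)\.ini2?\s+\d+ bytes$')
# Key-name fragment -> load-point tag. STRONG weights and the 30-minute window are this example's assumptions.
KEY_TAGS = [('browser helper objects', 'BHO'), ('shellexecutehooks', 'ShellExecuteHook'),
            ('winlogon\\notify', 'WinlogonNotify'), ('control\\lsa', 'LSA'), ('currentversion\\run', 'Run'),
            ('security center', 'Tamper'), ('firewallpolicy', 'Tamper')]
STRONG = {'LSA': 3, 'BHO': 2, 'ShellExecuteHook': 2, 'WinlogonNotify': 2, 'Run': 0}
TAMPER = {'AntiVirusDisableNotify': 'dword:00000001',
          'DisableMonitoring': 'dword:00000001', 'EnableFirewall': '0'}
WINDOW = timedelta(minutes=30)

def looks_random(stem):
    """Eight letters, mixed-case (awtqoMdC, cbXOFuTJ) or vowel-free (tnnshhtf).
    Legitimate names such as NvMcTray match too, so it is never a verdict alone."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    return stem.lower() != stem != stem.upper() or not any(c in 'aeiouAEIOU' for c in stem)

def record(modules, stems, tag, line):
    """Attach the load-point tag and the newest ComboFix timestamp to each stem."""
    ts = TIMESTAMP_RE.search(line)
    ts = datetime.strptime(ts.group(1), '%Y-%m-%d %H:%M') if ts else None
    for stem in stems:
        rec = modules.setdefault(stem, {'locs': set(), 'ts': None})
        rec['locs'].add(tag)
        if ts and (rec['ts'] is None or ts > rec['ts']):
            rec['ts'] = ts

def parse(text):
    """Return (modules, hidden .ini stems, AV/firewall tampering entries)."""
    modules, hidden, tampering, tag, tail = {}, set(), [], None, ''
    for line in (l.strip() for l in text.splitlines()):
        if (m := SECTION_RE.match(line)):           # a new [key] header switches the section
            tail = m.group(1).rsplit('\\', 1)[-1]
            tag = next((t for frag, t in KEY_TAGS if frag in m.group(1).lower()), None)
        elif (h := HIDDEN_INI_RE.search(line)):      # catchme "hidden files" lines
            hidden.add(h.group(1).lower())
        elif tag == 'Tamper':
            for name, bad in TAMPER.items():
                if line.startswith(f'"{name}"') and line.split('=', 1)[1].strip().startswith(bad):
                    tampering.append(f'{name} ({tail})')
        elif tag == 'LSA' and line.startswith('Authentication Packages'):
            toks = line.split('REG_MULTI_SZ', 1)[1].split()   # msv1_0 is the legitimate package
            record(modules, [t.rsplit('\\', 1)[-1] for t in toks if t.lower() != 'msv1_0'], tag, line)
        elif tag not in (None, 'LSA') and (mm := MODULE_RE.search(line)):
            record(modules, [mm.group(1)], tag, line)
    return modules, hidden, tampering

def triage(text):
    """Score every module; report those scoring 3 or more, plus tampering."""
    modules, hidden, tampering = parse(text)
    scored = {}
    for stem, rec in modules.items():
        why = [f'loaded from {loc}' for loc in sorted(rec['locs']) if STRONG[loc]]
        score = sum(STRONG[loc] for loc in rec['locs'])
        if looks_random(stem):
            score, why = score + 1, why + ['generated-looking name']
        if stem[::-1].lower() in hidden:   # Vundo's hidden .ini is the DLL name reversed
            score, why = score + 2, why + ['hidden .ini with reversed name']
        scored[stem] = (score, why, rec['ts'])
    anchors = [ts for score, _, ts in scored.values() if score >= 3 and ts]
    findings = {}
    for stem, (score, why, ts) in scored.items():
        if score < 3 and ts and looks_random(stem) and any(abs(ts - a) <= WINDOW for a in anchors):
            score, why = score + 2, why + ['written within 30 min of a confirmed hit']
        if score >= 3:
            findings[stem] = (score, why)
    return findings, tampering

if __name__ == '__main__':
    found, tamper = triage(SAMPLE_LOG)
    print(*(f'{s:2d}  {stem:<10} {"; ".join(w)}' for stem, (s, w) in found.items()), f'tampering: {tamper}', sep='\n')
```

Run it as-is to print the ranked findings; on a saved log, call `triage(open(path, encoding='utf-8', errors='replace').read())`. NvMcTray.dll, the NVIDIA tray helper in the same Run key, trips the name heuristic but is not reported, which is the point of the scoring: a name alone never reaches the threshold, and a load point, the reversed-name .ini or a timestamp next to a confirmed hit has to corroborate it. The LSA package deserves the highest weight because the file is held open by lsass.exe for as long as Windows is up, which is one reason these removals are done at reboot rather than by deleting the file from a running session.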

#12 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 May 2008 - 12:08 AM

Hi,

Something else must be present here which is not showing in your logs and that is reloading it - that's why I want you to do the following online scan.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply together with a new log from Deckard system scanner.

Also, do you have a second computer? Because it may be easier afterwards to disconnect this infected computer from the internet (unplug the internet cable) and transfer the logs via USB to the clean computer, because during our removal attempts new files are always downloaded in between, so we miss some loaders during the script, and that may also explain why it's respawning every time.

#13 jacobean

jacobean
  • Topic Starter

  • Members
  • 17 posts

Posted 14 May 2008 - 10:41 PM

<html>
<head>
<title>KASPERSKY ONLINE SCANNER REPORT</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
</head>

<style>
.pagetitle { font-size:20px; color:#FFFFFF; font-family: Arial, Geneva, sans-serif; }
.text { font-size:11px; font-family: Arial, Geneva, sans-serif; }
TD { font-size:11px; font-family: Arial, Geneva, sans-serif; }
</style>

<body>
<table width='100%' height='110' border='0'>
<tr height='30' align='center' bgcolor='#005447'>
<td colspan='2' height='30' class='pagetitle'>
<b>KASPERSKY ONLINE SCANNER REPORT</b>
</td>
</tr>
<tr height='70'>
<td colspan='2' height='70'>
Wednesday, May 14, 2008 10:26:30 PM<br>
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)<br>
Kaspersky Online Scanner version: 5.0.98.0<br>
Kaspersky Anti-Virus database last update: 15/05/2008<br>
Kaspersky Anti-Virus database records: 774238<br>
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
</table>
<table width='100%' height='145' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Settings</b></td>
</tr>
<tr height='15'>
<td height='15' width='250'>Scan using the following antivirus database</td>
<td>extended</td>
</tr>
<tr height='15'>
<td height='15'>Scan Archives</td>
<td>true</td>
</tr>
<tr height='15'>
<td height='15'>Scan Mail Bases</td>
<td>true</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Scan Target</b></td>
<td>My Computer</td>
</tr>
<tr height='20'>
<td colspan='2' height='20'>
C:\<br>
D:\<br>
F:\
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Statistics</b></td>
</tr>
<tr height='15'>
<td height='15'>Total number of scanned objects</td>
<td>28286</td>
</tr>
<tr height='15'>
<td height='15'>Number of viruses found</td>
<td>8</td>
</tr>
<tr height='15'>
<td height='15'>Number of infected objects</td>
<td>69</td>
</tr>
<tr height='15'>
<td height='15'>Number of suspicious objects</td>
<td>0</td>
</tr>
<tr height='15'>
<td height='15'>Duration of the scan process</td>
<td>00:26:57</td>
</tr>
</table>
<br>
<table width='100%' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Infected Object Name</b></td>
<td width='200'><b>Virus Name</b></td>
<td width='100'><b>Last Action</b></td>
</tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{B8779E25-4E3B-47C5-A3A6-CDE31557B7B1}.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\.housecall6.6\Quarantine\css4[1].bac_a03492 </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\.housecall6.6\Quarantine\opnkJyvV.dll.bac_a03492 </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\Local Settings\History\History.IE5\MSHist012008051420080515\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\Local Settings\Temporary Internet Files\Content.IE5\FM1G2TM4\moorate[1] </td>
<td>Infected: Trojan.Win32.KillAV.rf </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\Local Settings\Temporary Internet Files\Content.IE5\NHUP733A\hctp[1] </td>
<td>Infected: Trojan.Win32.Monder.du </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\Local Settings\Temporary Internet Files\Content.IE5\NHUP733A\idkfa[1] </td>
<td>Infected: Trojan.Win32.Monder.do </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Jen\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\adsfidfm.dll.vir </td>
<td>Infected: Trojan.Win32.KillAV.rf </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\bsjosqwj.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.di </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\cbXOGWoP.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\geBtTLdb.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\gpvfycjl.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.dj </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\hgGxWnKC.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\hhxhjvki.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.dl </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\iqdousba.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.dk </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\jkbgssku.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.dk </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\khfFYSKa.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\ljJCSlLE.dll.vir.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\ljJDWQhf.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\maqeynwe.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.di </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\opnNDSLD.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\rqRHYpOg.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\ssqNEwTL.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\tuvVNHXr.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\urqPjKde.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\vtUmJBUo.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\wvUlihEX.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\xxyvWPfG.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\yayvSiJB.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\C\WINDOWS\system32\yqbdmwpj.dll.vir </td>
<td>Infected: Trojan.Win32.Monder.dk </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\catchme2008-05-12_135232.34.zip/ljJCrRhi.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\catchme2008-05-12_135232.34.zip </td>
<td>ZIP: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\catchme2008-05-12_221051.67.zip/cbXOFuTJ.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\QooBox\Quarantine\catchme2008-05-12_221051.67.zip </td>
<td>ZIP: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\MountPointManagerRemoteDatabase </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP11\change.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP3\A0000163.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP3\A0000164.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP3\A0000165.dll </td>
<td>Infected: Trojan.Win32.Monder.dl </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP3\A0000166.dll </td>
<td>Infected: Trojan.Win32.Monder.dk </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP4\A0000232.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP4\A0000233.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP4\A0000234.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP6\A0000821.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP6\A0000822.dll </td>
<td>Infected: Trojan.Win32.Monder.dk </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP6\A0000825.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP6\A0000826.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP8\A0000898.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP8\A0000900.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP8\A0000901.dll </td>
<td>Infected: Trojan.Win32.Monder.dk </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP8\A0000903.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP9\A0000979.dll </td>
<td>Infected: Trojan.Win32.Monder.di </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP9\A0000981.dll </td>
<td>Infected: Trojan.Win32.KillAV.rf </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP9\A0000982.dll </td>
<td>Infected: Trojan.Win32.Monder.di </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP9\A0000983.dll </td>
<td>Infected: Trojan.Win32.Monder.dj </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP9\A0000985.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP9\A0000986.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{709F1D4B-6C9C-4EFF-9946-F31F7207A482}\RP9\A0001051.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Debug\PASSWD.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SchedLgU.Txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Sti_Trace.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\edb.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\tmp.edb </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\AppEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\default </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\DEFAULT.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\Internet.evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SecEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\software </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SOFTWARE.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SysEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\system </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SYSTEM.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\ddcBTlKC.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\dfqpmkke.dll </td>
<td>Infected: Trojan.Win32.Monder.du </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\efcccbcA.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\gceadfje.dll </td>
<td>Infected: Trojan.Win32.KillAV.rf </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\h323log.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\hqryxkov.dll </td>
<td>Infected: Trojan.Win32.Monder.do </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\jbhlytfp.dll </td>
<td>Infected: Trojan.Win32.Monder.do </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\ljJBsTmk.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\pbfwcdvt.dll </td>
<td>Infected: Trojan.Win32.KillAV.rf </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\tnnshhtf.dll </td>
<td>Infected: Trojan.Win32.Monder.di </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\uqboghwb.dll </td>
<td>Infected: Trojan.Win32.KillAV.rf </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\vvasjuyf.dll </td>
<td>Infected: Trojan.Win32.KillAV.rf </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\WgaTray.exe/data0000.cab/is201779.exe </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\WgaTray.exe/data0000.cab </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\WgaTray.exe </td>
<td>Rsrc-Package: infected - 2 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wvUlmlLC.dll </td>
<td>Infected: Trojan.Win32.Monder.gen </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\TEMP\mcafee_BX6UXiMkfav7e1y </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\TEMP\mcmsc_9jKF7ktvu13BZvq </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\TEMP\mcmsc_EzNn9AVbZ2dMmFw </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\TEMP\mcmsc_hoUW3PQtSxYQArq </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\TEMP\mcmsc_MlFkfsxcZZDYtTW </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\wiadebug.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\wiaservc.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td colspan='3' height='20'><b>Scan process completed.</b></td>
</tr>
</table>
</body>
</html>


Deckard's System Scanner v20071014.68
Run by Jen on 2008-05-14 22:26:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jen.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:53 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jen\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jen.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - C:\WINDOWS\system32\ddcBTlKC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AFCCD151-FEAC-4318-AFF2-F51CC87630F4} - C:\WINDOWS\system32\awtqoMdC.dll
O2 - BHO: {0133c0bd-93e7-c96a-7e24-a3de9d7833ff} - {ff3387d9-ed3a-42e7-a69c-7e39db0c3310} - C:\WINDOWS\system32\ciadjqsl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BMc35c1f75] Rundll32.exe "C:\WINDOWS\system32\hpytmjaj.dll",s
O4 - HKLM\..\Run: [c06f2ce9] rundll32.exe "C:\WINDOWS\system32\dfqpmkke.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O20 - Winlogon Notify: ddcBTlKC - C:\WINDOWS\SYSTEM32\ddcBTlKC.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8231 bytes

-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-14 21:59:02 101440 --a------ C:\WINDOWS\system32\ciadjqsl.dll
2008-05-14 21:56:04 92224 --a------ C:\WINDOWS\system32\dfqpmkke.dll
2008-05-14 21:56:01 2112 --a------ C:\WINDOWS\system32\kurtkfql.exe
2008-05-14 21:54:32 3648 --a------ C:\WINDOWS\system32\pbfwcdvt.dll
2008-05-14 21:54:23 96832 --a------ C:\WINDOWS\system32\hpytmjaj.dll
2008-05-14 21:53:58 45568 --a------ C:\WINDOWS\system32\efcccbcA.dll
2008-05-13 19:02:59 90688 -----n--- C:\WINDOWS\system32\osjlcsmo.dll
2008-05-13 19:02:56 2112 --a------ C:\WINDOWS\system32\blkehlsy.exe
2008-05-13 18:59:54 100928 --a------ C:\WINDOWS\system32\xlujeulo.dll
2008-05-13 18:58:26 3648 --a------ C:\WINDOWS\system32\uqboghwb.dll
2008-05-13 18:58:26 100928 --a------ C:\WINDOWS\system32\jbhlytfp.dll
2008-05-13 18:57:55 45568 --a------ C:\WINDOWS\system32\wvUlmlLC.dll
2008-05-13 08:48:17 2112 --a------ C:\WINDOWS\system32\ofqlutju.exe
2008-05-13 08:39:18 100928 --a------ C:\WINDOWS\system32\noppjpms.dll
2008-05-13 08:37:46 100928 --a------ C:\WINDOWS\system32\hqryxkov.dll
2008-05-13 08:37:45 3648 --a------ C:\WINDOWS\system32\vvasjuyf.dll
2008-05-13 08:37:14 45568 --a------ C:\WINDOWS\system32\ljJBsTmk.dll
2008-05-12 22:23:15 101440 --a------ C:\WINDOWS\system32\doclepng.dll
2008-05-12 22:20:26 3648 --a------ C:\WINDOWS\system32\gceadfje.dll
2008-05-12 22:19:04 100416 --a------ C:\WINDOWS\system32\tnnshhtf.dll
2008-05-12 22:17:12 1205067 --ahs---- C:\WINDOWS\system32\CdMoqtwa.ini2
2008-05-12 22:17:06 276992 --a------ C:\WINDOWS\system32\awtqoMdC.dll
2008-05-12 22:16:18 45568 --a------ C:\WINDOWS\system32\ddcBTlKC.dll
2008-05-12 01:56:51 0 dr-hs---- C:\cmdcons
2008-05-12 01:56:49 0 d-------- C:\WINDOWS\setup.pss
2008-05-12 01:56:37 0 d-------- C:\WINDOWS\setupupd
2008-05-11 19:10:48 68096 --a------ C:\WINDOWS\zip.exe
2008-05-11 19:10:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-11 19:10:48 80412 --a------ C:\WINDOWS\grep.exe
2008-05-11 19:10:47 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-11 19:10:47 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-11 19:10:47 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-11 19:10:47 98816 --a------ C:\WINDOWS\sed.exe
2008-05-11 19:10:47 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-10 23:37:07 0 d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24:36 0 d-------- C:\Program Files\Trend Micro
2008-05-10 21:15:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 21:15:52 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 19:38:10 0 d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 17:55:16 0 d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 17:45:04 0 d-------- C:\WINDOWS\CSC
2008-05-10 00:13:59 0 d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:13:04 0 d-------- C:\WINDOWS\Sun
2008-05-10 00:13:04 0 d-------- C:\Documents and Settings\Jen\Application Data\Sun
2008-05-10 00:12:05 0 d-------- C:\Program Files\Java
2008-05-10 00:11:43 0 d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05:49 0 d-------- C:\Program Files\Lavasoft
2008-05-10 00:05:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-10 00:05:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-09 22:50:43 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-05-09 22:50:13 0 d-------- C:\Program Files\The Rosetta Stone
2008-05-08 18:10:26 0 d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19:48 0 d-------- C:\Program Files\WinWay Resume
2008-05-08 17:07:11 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04:20 0 d-------- C:\WINDOWS\ShellNew
2008-05-08 13:07:12 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07:00 96256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-05-08 13:07:00 0 d-------- C:\Program Files\MagicDisc
2008-05-08 13:00:57 676224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27:26 0 d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:25:21 0 d-------- C:\Program Files\Intel
2008-04-15 00:24:55 0 d-------- C:\Program Files\Boot Camp
2008-04-15 00:24:33 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-15 00:23:43 0 d-------- C:\b6e08edce99366c883379f40db2e1f
2008-04-15 00:23:38 0 d-------- C:\Program Files\Motorola
2008-04-15 00:23:33 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-04-15 00:23:15 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23:07 0 d-------- C:\Program Files\Realtek
2008-04-15 00:23:06 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-04-15 00:23:06 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-15 00:23:06 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22:53 0 d-------- C:\Program Files\SigmaTel
2008-04-15 00:22:35 0 d-------- C:\WINDOWS\nview
2008-04-15 00:22:24 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2008-04-15 00:22:24 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-04-15 00:22:24 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-04-15 00:22:24 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-15 00:22:23 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-04-15 00:22:23 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-04-15 00:22:23 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-04-15 00:22:22 1474560 --a------ C:\WINDOWS\system32\nview.dll
2008-04-15 00:22:07 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:22:04 0 d-------- C:\Intel
2008-04-15 00:21:33 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21:33 0 d-------- C:\Program Files\DIFX
2008-04-15 00:21:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 23:06:17 0 d-------- C:\Documents and Settings\Jen\Application Data\Identities
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\Templates
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\Start Menu
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\SendTo
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\Recent
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\PrintHood
2008-04-14 23:06:07 1572864 --ah----- C:\Documents and Settings\Jen\NTUSER.DAT
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\NetHood
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\My Documents
2008-04-14 23:06:07 0 d--h----- C:\Documents and Settings\Jen\Local Settings
2008-04-14 23:06:07 0 dr------- C:\Documents and Settings\Jen\Favorites
2008-04-14 23:06:07 0 d-------- C:\Documents and Settings\Jen\Desktop
2008-04-14 23:06:07 0 d--hs---- C:\Documents and Settings\Jen\Cookies
2008-04-14 23:06:07 0 dr-h----- C:\Documents and Settings\Jen\Application Data
2008-04-14 23:05:08 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-14 23:05:08 0 d-------- C:\WINDOWS\Prefetch
2008-04-14 23:05:06 237568 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-14 23:05:06 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-14 23:05:06 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-14 23:05:06 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-14 23:05:06 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-14 23:04:46 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-14 23:04:46 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-14 23:04:46 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-14 23:04:46 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-14 23:04:46 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-14 23:01:37 0 d-------- C:\WINDOWS\system32\xircom
2008-04-14 23:01:37 0 d-------- C:\Program Files\microsoft frontpage
2008-04-14 23:01:27 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-14 23:01:14 0 -rahs---- C:\MSDOS.SYS
2008-04-14 23:01:14 0 -rahs---- C:\IO.SYS
2008-04-14 23:01:14 0 --a------ C:\CONFIG.SYS
2008-04-14 23:01:14 0 --a------ C:\AUTOEXEC.BAT
2008-04-14 23:00:13 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-14 22:59:53 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-14 22:59:32 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-14 22:58:57 0 d---s---- C:\WINDOWS\Tasks
2008-04-14 22:58:56 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-14 22:58:52 0 d-------- C:\WINDOWS\srchasst
2008-04-14 22:58:42 0 d-------- C:\Program Files\Movie Maker
2008-04-14 22:58:33 0 d-------- C:\WINDOWS\system32\Restore
2008-04-14 22:57:44 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-14 22:57:24 0 d-------- C:\WINDOWS\Registration
2008-04-14 22:57:15 0 d-------- C:\Program Files\Online Services
2008-04-14 22:57:07 0 d-------- C:\WINDOWS\Offline Web Pages
2008-04-14 22:57:07 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-14 22:56:56 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-14 22:56:53 0 d-------- C:\Program Files\Messenger
2008-04-14 22:56:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-14 22:56:11 0 d-------- C:\Program Files\Windows NT
2008-04-14 22:56:07 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-14 22:56:06 0 d-------- C:\WINDOWS\system32\Com
2008-04-14 01:01:21 0 d-------- C:\Program Files\Safari
2008-04-14 01:00:48 0 d-------- C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 01:00:32 0 d-------- C:\Program Files\iPod
2008-04-14 01:00:27 0 d-------- C:\Program Files\iTunes
2008-04-14 00:59:44 0 d-------- C:\Program Files\Common Files\Apple
2008-04-14 00:57:51 0 d-------- C:\Program Files\QuickTime
2008-04-14 00:57:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 00:55:39 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-14 00:54:29 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-04-14 00:52:26 0 d-------- C:\Program Files\McAfee.com
2008-04-14 00:52:22 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-14 00:52:17 0 d-------- C:\Program Files\McAfee
2008-04-14 00:48:10 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-14 00:46:51 0 d-------- C:\Documents and Settings\Jen\Application Data\Macromedia
2008-04-14 00:45:32 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-14 00:33:24 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-14 00:32:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage


-- Find3M Report ---------------------------------------------------------------

2008-05-10 00:11:43 0 d-------- C:\Program Files\Common Files
2008-04-13 22:39:01 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-13 22:38:58 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-13 22:38:34 62 --ahs---- C:\Documents and Settings\Jen\Application Data\desktop.ini
2008-03-19 04:40:27 1845888 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}]
05/12/2008 10:16 PM 45568 --a------ C:\WINDOWS\system32\ddcBTlKC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFCCD151-FEAC-4318-AFF2-F51CC87630F4}]
05/12/2008 10:17 PM 276992 --a------ C:\WINDOWS\system32\awtqoMdC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff3387d9-ed3a-42e7-a69c-7e39db0c3310}]
05/14/2008 09:59 PM 101440 --a------ C:\WINDOWS\system32\ciadjqsl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/14/2007 10:06 AM]
"nwiz"="nwiz.exe" [12/14/2007 10:06 AM C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/03/2004 06:56 PM C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [12/14/2007 10:03 AM]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [12/14/2007 10:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/14/2007 10:06 AM]
"RTHDCPL"="RTHDCPL.EXE" [12/14/2007 10:07 AM C:\WINDOWS\RTHDCPL.exe]
"BMc35c1f75"="C:\WINDOWS\system32\hpytmjaj.dll" [05/14/2008 09:54 PM]
"c06f2ce9"="C:\WINDOWS\system32\dfqpmkke.dll" [05/14/2008 09:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 06:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [5/8/2008 1:07:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 7:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\ddcBTlKC.dll [05/12/2008 10:16 PM 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBTlKC]
ddcBTlKC.dll 05/12/2008 10:16 PM 45568 C:\WINDOWS\system32\ddcBTlKC.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqoMdC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-05-14 22:28:12 ------------


Sorry about the Kap file. I failed to save it in txt format. I hope you can use this. I have had a tough time with Kaspersky on the laptop. This virus/malware messes with my internet connection.

Thanks again
jacob

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:54 AM

Posted 15 May 2008 - 12:11 AM

Hi,

Also, do you have a second computer? Because it may be easier afterwards to disconnect this infected computer from the internet (unplug the internet cable from the computer) and transfer the logs via USB to the clean computer, because during our removal attempts new files are always downloaded in between, so we miss some loaders during the script, and that may also explain why it's respawning every time.

Can you also answer this question?

Anyway, McAfee is interfering here as well though. I did the test in another thread where it was respawning every time. McAfee was installed there as well and interfered with Combofix after reboot.

That's why I want you to temporarily uninstall McAfee first (disabling won't make sense, it should be uninstalled).
Then reboot after uninstalling.

After reboot,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\ddcBTlKC.dll
C:\WINDOWS\system32\dfqpmkke.dll
C:\WINDOWS\system32\hpytmjaj.dll
C:\WINDOWS\system32\ciadjqsl.dll
C:\WINDOWS\system32\awtqoMdC.dll
C:\WINDOWS\system32\ciadjqsl.dll
C:\WINDOWS\system32\dfqpmkke.dll
C:\WINDOWS\system32\kurtkfql.exe
C:\WINDOWS\system32\pbfwcdvt.dll
C:\WINDOWS\system32\hpytmjaj.dll
C:\WINDOWS\system32\efcccbcA.dll
C:\WINDOWS\system32\osjlcsmo.dll
C:\WINDOWS\system32\blkehlsy.exe
C:\WINDOWS\system32\xlujeulo.dll
C:\WINDOWS\system32\uqboghwb.dll
C:\WINDOWS\system32\jbhlytfp.dll
C:\WINDOWS\system32\wvUlmlLC.dll
C:\WINDOWS\system32\ofqlutju.exe
C:\WINDOWS\system32\noppjpms.dll
C:\WINDOWS\system32\hqryxkov.dll
C:\WINDOWS\system32\vvasjuyf.dll
C:\WINDOWS\system32\ljJBsTmk.dll
C:\WINDOWS\system32\doclepng.dll
C:\WINDOWS\system32\gceadfje.dll
C:\WINDOWS\system32\tnnshhtf.dll
C:\WINDOWS\system32\CdMoqtwa.ini2
C:\WINDOWS\system32\awtqoMdC.dll
C:\WINDOWS\system32\ddcBTlKC.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFCCD151-FEAC-4318-AFF2-F51CC87630F4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff3387d9-ed3a-42e7-a69c-7e39db0c3310}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMc35c1f75"=-
"c06f2ce9"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBTlKC]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
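Added example, not from the thread or from any tool mentioned in it: a small Python triage script that walks the same persistence locations the CFScript above removes (Browser Helper Objects, HKLM Run, ShellExecuteHooks, Winlogon Notify, LSA Authentication Packages), reports every module loaded from system32 that is not on an allowlist, and decodes the hex(7) value the script writes back under Lsa. The allowlist, the sample dump excerpt and the names WATCHED_KEYS, find_suspect_loaders and decode_hex7 are this example's own constructions.

```python
"""Triage a Deckard / ComboFix style registry dump for Vundo-type loaders.

Added example; it is not part of the forum thread or of any tool named in it.
Malware of this family plants one DLL per loader location and renames them on
every reboot, so the useful question is "what is loaded from system32 out of
these keys that I cannot account for?", not "which file name do I know?".
"""
import re

# Substrings identifying the watched keys (matched against the lowercased key
# name); constructed from the locations the thread's CFScript removes.
WATCHED_KEYS = (
    "browser helper objects",
    "\\currentversion\\run",
    "shellexecutehooks",
    "\\winlogon\\notify",
    "\\control\\lsa",
)

# Modules expected in those keys on this machine (constructed from the log).
ALLOWLIST = {"nvcpl.dll", "nvmctray.dll"}

# Last path component directly under system32. The negative lookahead refuses
# to stop inside a longer name or on a subdirectory such as system32\Macromed\.
SYSTEM32_RE = re.compile(
    r"C:\\WINDOWS\\system32\\([A-Za-z0-9_.]+)(?![A-Za-z0-9_.\\])", re.IGNORECASE
)


def parse_dump(text):
    """Yield (key, line) pairs for each non-empty line under a [bracketed] key."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line:
            yield key, line


def find_suspect_loaders(text):
    """Return sorted (key, module) pairs for non-allowlisted system32 modules.

    Only DLLs and extension-less names (the form the LSA value uses) are
    reported; EXE and CPL entries are left to the reviewer.
    """
    hits = set()
    for key, line in parse_dump(text):
        lowkey = key.lower()
        if not any(marker in lowkey for marker in WATCHED_KEYS):
            continue
        for name in SYSTEM32_RE.findall(line):
            base = name.lower()
            if "." in base and not base.endswith(".dll"):
                continue
            if base not in ALLOWLIST:
                hits.add((key, name))
    return sorted(hits)


def decode_hex7(value):
    """Decode a REGEDIT4 hex(7) REG_MULTI_SZ payload into its list of strings.

    The CFScript writes 6d,73,76,31,5f,30,00,00, i.e. "msv1_0" followed by the
    two NUL terminators: the stock value, with the extra package dropped.
    """
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return [s for s in raw.decode("ascii").split("\0") if s]


# Constructed excerpt of the Deckard "Registry Dump" posted in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}]
05/12/2008 10:16 PM 45568 --a------ C:\WINDOWS\system32\ddcBTlKC.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/14/2007 10:06 AM]
"IRW"="C:\WINDOWS\system32\IRW.exe" [12/14/2007 10:03 AM]
"BMc35c1f75"="C:\WINDOWS\system32\hpytmjaj.dll" [05/14/2008 09:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBTlKC]
ddcBTlKC.dll 05/12/2008 10:16 PM 45568 C:\WINDOWS\system32\ddcBTlKC.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqoMdC
"""

if __name__ == "__main__":
    for key, module in find_suspect_loaders(SAMPLE_DUMP):
        print(f"{module:<16} loaded from [{key}]")
    print("LSA value after CFScript:", decode_hex7("6d,73,76,31,5f,30,00,00"))
```

Run against a full Deckard or ComboFix dump, the output lists the same DLLs the helper put in the File:: section, grouped by the loader key that references them; a module that appears under both Winlogon Notify and a BHO CLSID is the pattern to look for.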

#15 jacobean

jacobean
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:54 PM

Posted 15 May 2008 - 09:34 AM

ComboFix 08-05-11.1 - Jen 2008-05-15 9:16:34.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1627 [GMT -5:00]
Running from: C:\Documents and Settings\Jen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jen\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\awtqoMdC.dll
C:\WINDOWS\system32\blkehlsy.exe
C:\WINDOWS\system32\CdMoqtwa.ini2
C:\WINDOWS\system32\ciadjqsl.dll
C:\WINDOWS\system32\ddcBTlKC.dll
C:\WINDOWS\system32\dfqpmkke.dll
C:\WINDOWS\system32\doclepng.dll
C:\WINDOWS\system32\efcccbcA.dll
C:\WINDOWS\system32\gceadfje.dll
C:\WINDOWS\system32\hpytmjaj.dll
C:\WINDOWS\system32\hqryxkov.dll
C:\WINDOWS\system32\jbhlytfp.dll
C:\WINDOWS\system32\kurtkfql.exe
C:\WINDOWS\system32\ljJBsTmk.dll
C:\WINDOWS\system32\noppjpms.dll
C:\WINDOWS\system32\ofqlutju.exe
C:\WINDOWS\system32\osjlcsmo.dll
C:\WINDOWS\system32\pbfwcdvt.dll
C:\WINDOWS\system32\tnnshhtf.dll
C:\WINDOWS\system32\uqboghwb.dll
C:\WINDOWS\system32\vvasjuyf.dll
C:\WINDOWS\system32\wvUlmlLC.dll
C:\WINDOWS\system32\xlujeulo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtqoMdC.dll
C:\WINDOWS\system32\blkehlsy.exe
C:\WINDOWS\system32\CdMoqtwa.ini
C:\WINDOWS\system32\CdMoqtwa.ini2
C:\WINDOWS\system32\ciadjqsl.dll
C:\WINDOWS\system32\ddcBTlKC.dll
C:\WINDOWS\system32\dfqpmkke.dll
C:\WINDOWS\system32\doclepng.dll
C:\WINDOWS\system32\efcccbcA.dll
C:\WINDOWS\system32\ekkmpqfd.ini
C:\WINDOWS\system32\gceadfje.dll
C:\WINDOWS\system32\hpytmjaj.dll
C:\WINDOWS\system32\hqryxkov.dll
C:\WINDOWS\system32\jbhlytfp.dll
C:\WINDOWS\system32\kurtkfql.exe
C:\WINDOWS\system32\ljJBsTmk.dll
C:\WINDOWS\system32\noppjpms.dll
C:\WINDOWS\system32\ofqlutju.exe
C:\WINDOWS\system32\omscljso.ini
C:\WINDOWS\system32\pbfwcdvt.dll
C:\WINDOWS\system32\pdcosxgs.ini
C:\WINDOWS\system32\ssqPjjIc.dll
C:\WINDOWS\system32\tnnshhtf.dll
C:\WINDOWS\system32\uqboghwb.dll
C:\WINDOWS\system32\vtUkhghe.dll
C:\WINDOWS\system32\vvasjuyf.dll
C:\WINDOWS\system32\wvUlmlLC.dll
C:\WINDOWS\system32\xlujeulo.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 09:23 . 2008-05-15 09:23 276,992 --a------ C:\WINDOWS\system32\jkkIcdDs.dll
2008-05-15 09:23 . 2008-05-15 09:23 45,568 --a------ C:\WINDOWS\system32\vtUkkJYP.dll
2008-05-15 09:23 . 2008-05-15 09:23 345 --ahs---- C:\WINDOWS\system32\sDdcIkkj.ini2
2008-05-15 09:23 . 2008-05-15 09:23 345 --ahs---- C:\WINDOWS\system32\sDdcIkkj.ini
2008-05-12 22:19 . 2008-05-14 21:55 109,812 --a------ C:\WINDOWS\BMc35c1f75.xml
2008-05-12 01:54 . 2007-12-14 10:06 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-05-12 01:52 . 2007-12-14 10:06 157,663 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-10 23:37 . 2008-05-10 23:37 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 22:24 . 2008-05-10 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 22:16 . 2008-05-10 22:16 <DIR> d-------- C:\Deckard
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 21:15 . 2008-05-10 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 19:38 . 2008-05-10 19:38 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-10 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 19:37 . 2008-05-10 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 19:37 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-10 19:37 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-10 18:01 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-10 17:55 . 2008-05-10 19:22 <DIR> d-------- C:\Documents and Settings\Jen\Application Data\HouseCall 6.6
2008-05-10 00:13 . 2008-05-10 00:13 <DIR> d-------- C:\WINDOWS\Sun
2008-05-10 00:13 . 2008-05-10 17:43 <DIR> d-------- C:\Documents and Settings\Jen\.housecall6.6
2008-05-10 00:12 . 2008-05-10 00:12 <DIR> d-------- C:\Program Files\Java
2008-05-10 00:12 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-10 00:11 . 2008-05-10 00:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 00:05 . 2008-05-10 00:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 00:05 . 2008-05-10 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-09 22:50 . 2008-05-09 22:50 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-05-09 22:50 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-08 18:29 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-08 18:10 . 2008-05-08 18:16 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-08 17:19 . 2008-05-08 17:19 <DIR> d-------- C:\Program Files\WinWay Resume
2008-05-08 17:18 . 2008-05-08 17:18 376 --a------ C:\WINDOWS\ODBC.INI
2008-05-08 17:07 . 2008-05-08 17:07 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-08 17:04 . 2008-05-08 17:07 <DIR> d-------- C:\WINDOWS\ShellNew
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 7,208 --a--c--- C:\WINDOWS\system32\dllcache\secupd.sig
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-05-08 13:17 . 2006-12-31 07:57 4,569 --a--c--- C:\WINDOWS\system32\dllcache\secupd.dat
2008-05-08 13:07 . 2008-05-09 21:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-08 13:07 . 2008-05-08 13:07 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-08 13:07 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-08 13:00 . 2008-03-31 21:24 676,224 --a------ C:\WINDOWS\system32\OGACheckControl.dll
2008-04-15 00:27 . 2008-04-15 00:27 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-15 00:27 . 2008-04-15 00:27 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-15 00:27 . 2008-04-15 00:27 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-15 00:25 . 2008-04-15 00:25 <DIR> d-------- C:\Program Files\Intel
2008-04-15 00:24 . 2008-04-15 00:24 <DIR> d-------- C:\Program Files\Boot Camp
2008-04-15 00:23 . 2008-05-12 01:54 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Realtek
2008-04-15 00:23 . 2008-04-15 00:23 <DIR> d-------- C:\Program Files\Motorola
2008-04-15 00:23 . 2008-05-12 01:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 00:22 . 2008-05-12 01:59 <DIR> d-------- C:\WINDOWS\nview
2008-04-15 00:22 . 2008-04-15 00:22 <DIR> d-------- C:\Program Files\SigmaTel
2008-04-15 00:22 . 2008-05-12 01:50 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-15 00:21 . 2008-04-15 00:25 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Program Files\DIFX
2008-04-15 00:21 . 2008-04-15 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-15 00:21 . 2007-12-14 10:04 1,296,800 --a------ C:\WINDOWS\system32\drivers\ar5416.sys
2008-04-15 00:21 . 2007-12-06 09:51 285,952 --a------ C:\WINDOWS\system32\drivers\yk51x86.sys
2008-04-15 00:21 . 2007-12-14 10:03 8,064 --a------ C:\WINDOWS\system32\drivers\applebt.sys
2008-04-15 00:20 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-11 04:39 --------- d-----w C:\Program Files\Safari
2008-04-15 05:24 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-15 05:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-15 04:01 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-15 03:57 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-14 06:00 --------- d-----w C:\Program Files\iTunes
2008-04-14 06:00 --------- d-----w C:\Program Files\iPod
2008-04-14 06:00 --------- d-----w C:\Documents and Settings\Jen\Application Data\Apple Computer
2008-04-14 05:59 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-14 05:58 --------- d-----w C:\Program Files\QuickTime
2008-04-14 05:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-14 05:45 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-01 01:53 54,784 ----a-w C:\WINDOWS\system32\msvci70.dll
2008-04-01 01:53 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
2008-04-01 01:52 974,848 ----a-w C:\WINDOWS\system32\mfc70.dll
2008-04-01 01:52 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
2008-04-01 01:44 964,608 ----a-w C:\WINDOWS\system32\mfc70u.dll
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-01 13:03 827,392 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-12_ 2.21.44.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-12 07:14:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 14:22:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3740FC3-0D92-48F7-8783-CC5A4B315149}]
2008-05-15 09:23 276992 --a------ C:\WINDOWS\system32\jkkIcdDs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-14 10:06 8527872]
"nwiz"="nwiz.exe" [2007-12-14 10:06 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 18:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"IRW"="C:\WINDOWS\system32\IRW.exe" [2007-12-14 10:03 147456]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-12-14 10:27 419120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-14 10:06 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-14 10:07 16855552 C:\WINDOWS\RTHDCPL.exe]
"BMc35c1f75"="C:\WINDOWS\system32\svgjdxpu.dll" [2008-05-15 09:25 99904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\Jen\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-08 13:07:00 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5C060FE2-B3CA-47DD-B68E-BD1A6E297226}"= C:\WINDOWS\system32\vtUkkJYP.dll [2008-05-15 09:23 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUkkJYP]
vtUkkJYP.dll 2008-05-15 09:23 45568 C:\WINDOWS\system32\vtUkkJYP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkIcdDs

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-12-14 10:26]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-12-14 10:26]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-12-14 10:03]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-12-14 10:03]
R3 aapltctp;Apple Trackpad Enabler;C:\WINDOWS\system32\DRIVERS\aapltctp.sys [2007-12-14 10:03]
R3 aapltp;Apple Trackpad;C:\WINDOWS\system32\DRIVERS\aapltp.sys [2007-12-14 10:03]
R3 applebt;Apple Built-in Bluetooth;C:\WINDOWS\system32\DRIVERS\applebt.sys [2007-12-14 10:03]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\WINDOWS\system32\DRIVERS\IRFilter.sys [2007-12-14 10:03]
R3 KeyMagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-12-14 10:03]
S3 BthKicker;Apple Bluetooth Device Driver;C:\WINDOWS\system32\DRIVERS\BthKicker.sys [2007-12-14 10:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 04:37:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 09:23:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\vtUkkJYP.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\svgjdxpu.dll
-> C:\WINDOWS\system32\jkkIcdDs.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-15 9:26:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 14:26:17
ComboFix2.txt 2008-05-13 03:20:18
ComboFix3.txt 2008-05-12 18:58:27
ComboFix4.txt 2008-05-12 16:11:18
ComboFix5.txt 2008-05-12 07:22:51

Pre-Run: 22,449,246,208 bytes free
Post-Run: 22,472,359,936 bytes free

253 --- E O F --- 2008-05-08 22:24:04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:41 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20772)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BMc35c1f75] Rundll32.exe "C:\WINDOWS\system32\svgjdxpu.dll",s
O4 - HKLM\..\Run: [c06f2ce9] rundll32.exe "C:\WINDOWS\system32\xovryows.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5595 bytes



