
Help My Computer Is Infected!


  • This topic is locked
2 replies to this topic

#1 keepieusa

keepieusa

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:28 PM

Posted 12 May 2008 - 11:20 PM

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-12 23:55:46
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
40: 2008-05-12 21:43:56 UTC - RP97 - Restore Operation
39: 2008-05-12 02:56:37 UTC - RP96 - Installed ESET Smart Security
38: 2008-05-12 02:04:03 UTC - RP95 - Last known good configuration
37: 2008-05-12 02:03:41 UTC - RP94 - Installed Microsoft ActiveSync 4.0
36: 2008-05-12 02:03:40 UTC - RP93 - Installed Microsoft Outlook 2002


-- First Restore Point --
1: 2008-05-12 02:03:33 UTC - RP58 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-13 00:01:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\Owner\cftmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {423d786d-ea4c-5dea-7f94-e6f5f1ffa062} - {260aff1f-5f6e-49f7-aed5-c4aed687d324} - C:\WINDOWS\SYSTEM32\wuuqshml.dll
O2 - BHO: (no name) - {58BD5858-93E1-4723-8089-D93DC1B28DDA} - C:\WINDOWS\SYSTEM32\xxyxWOiJ.dll
O2 - BHO: QXK Rhythm - {BA99F228-D9E2-47D5-9A8D-A295E8E52E93} - C:\WINDOWS\fvowketqplo.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O2 - BHO: QXK Rhythm - {DF47FCFB-AA32-4ECC-9F32-C99E30385AF3} - C:\WINDOWS\fvowketqsoq.dll (file missing)
O2 - BHO: (no name) - {F7F6584C-864B-411D-A410-BB2DE0D33CA1} - C:\WINDOWS\SYSTEM32\yayaBTji.dll
O3 - Toolbar: pvnsmfor - {C17C95A8-9A32-4250-8F46-D7DFBB4B4947} - C:\WINDOWS\pvnsmfor.dll
O3 - Toolbar: pvnsmfor - {5AC18EE0-E9B2-428D-844F-6D3EEA227215} - C:\WINDOWS\pvnsmfor.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [88feac9a] rundll32.exe "C:\WINDOWS\system32\axujmknh.dll",b
O4 - HKLM\..\Run: [BM8bcd9f06] Rundll32.exe "C:\WINDOWS\system32\yqblflbx.dll",s
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [clfadsme] C:\WINDOWS\system32\wtczavwn.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Policies\Explorer\Run: [5wGxfmAw4X] C:\Documents and Settings\All Users\Application Data\adcpovkn\gpyhgpqf.exe
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-b.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\SYSTEM32\msvidctl.dll
O20 - Winlogon Notify: yayaBTji - C:\WINDOWS\system32\yayaBTji.dll
O21 - SSODL: mpfanvqg - {AA79829A-B747-4CB6-A5DC-D29F6D29BC97} - C:\WINDOWS\mpfanvqg.dll
O21 - SSODL: vbksrofa - {7D1185A0-F8F8-4C07-926D-E7DBAA2DD432} - C:\WINDOWS\vbksrofa.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\Eset\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\Eset\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\SYSTEM32\PackethSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7470 bytes

-- File Associations -----------------------------------------------------------

.exe - exefile - shell\open\command - C:\WINDOWS\system32\drivers\spools.exe "%1" %*
.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrempr5.sys (file missing)
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 PackethSvc (Virtual NIC Service) - c:\windows\system32\packethsvc.exe <Not Verified; America Online, Inc.; America Online>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2001-09-29 15:47:07 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job


-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-12 23:27:01 0 d-------- C:\WINDOWS\privacy_danger
2008-05-12 23:25:55 13824 --a------ C:\WINDOWS\system32\drivers\spools.exe
2008-05-12 20:38:40 2112 --a------ C:\WINDOWS\system32\stkqtthl.exe
2008-05-12 20:35:41 90688 --a------ C:\WINDOWS\system32\axujmknh.dll
2008-05-12 20:32:42 101440 --a------ C:\WINDOWS\system32\wuuqshml.dll
2008-05-12 20:29:52 3648 --a------ C:\WINDOWS\system32\kjxucusx.dll
2008-05-12 20:29:42 100416 --a------ C:\WINDOWS\system32\yqblflbx.dll
2008-05-12 19:51:25 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 19:49:56 0 d-------- C:\Program Files\Spyware Doctor
2008-05-12 19:49:56 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-05-12 19:35:25 217088 --a------ C:\WINDOWS\vbksrofa.dll
2008-05-12 19:35:25 155648 --a------ C:\WINDOWS\pvnsmfor.dll
2008-05-12 19:35:25 188416 --a------ C:\WINDOWS\mpfanvqg.dll
2008-05-12 19:35:25 282624 --a------ C:\WINDOWS\fvowketqplo.dll
2008-05-12 17:45:40 13824 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-05-12 17:44:26 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-05-12 17:44:26 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-05-12 17:44:26 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-12 17:44:26 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-12 17:44:26 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-12 17:44:26 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-12 17:44:26 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-12 17:44:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-12 17:44:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-12 17:36:54 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-12 17:36:54 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-05-12 17:36:54 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-12 17:36:54 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-12 17:36:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-12 17:36:53 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-12 17:36:53 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-12 17:36:53 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-12 17:36:53 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-05-12 17:36:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-11 23:01:15 0 d-------- C:\Documents and Settings\Owner\Application Data\ESET
2008-05-11 22:56:59 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-11 22:35:24 0 d-------- C:\Nod32 3.0.621.0 Finally with a fix
2008-05-11 22:03:01 1059033 --ahs---- C:\WINDOWS\system32\JiOWxyxx.ini2
2008-05-11 22:02:58 276992 --a------ C:\WINDOWS\system32\xxyxWOiJ.dll
2008-05-11 22:02:52 114688 --a------ C:\WINDOWS\system32\wtczavwn.exe
2008-05-11 22:02:52 0 d-------- C:\Documents and Settings\All Users\Application Data\adcpovkn
2008-05-11 22:01:13 3072 --a------ C:\jgkpt.exe
2008-05-11 21:58:09 13824 --a------ C:\Documents and Settings\Owner\cftmon.exe
2008-05-11 21:58:08 13824 --a------ C:\kbvxxo.exe
2008-05-11 21:57:53 41984 --a------ C:\WINDOWS\system32\yayaBTji.dll
2008-05-11 20:20:05 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-11 20:17:45 0 d-------- C:\WINDOWS\Downloaded Installations
2008-05-06 22:02:38 0 d-------- C:\Documents and Settings\Owner\Application Data\RealPopup
2008-05-06 22:02:35 0 d-------- C:\Program Files\RealPopup
2008-05-04 13:48:03 266240 --a------ C:\WINDOWS\system32\hpdj <Not Verified; HP; HP DeskJet>
2008-04-27 22:19:26 120 --a------ C:\drmHeader.bin
2008-04-27 22:18:37 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-04-27 01:27:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera
2008-04-27 01:27:28 0 d-------- C:\Program Files\Opera
2008-04-21 00:59:28 0 d-------- C:\Program Files\MSXML 6.0
2008-04-20 23:49:35 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-04-20 23:49:33 0 d-------- C:\Downloads
2008-04-20 23:48:52 0 d-------- C:\Program Files\BitComet
2008-04-20 21:05:15 0 d-------- C:\Program Files\Winamp
2008-04-20 21:05:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-04-20 21:01:24 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-04-20 19:56:57 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-20 19:07:34 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2008-04-20 19:05:18 62464 --a------ C:\WINDOWS\system32\ZuneUsbTransport.dll <Not Verified; Microsoft Corporation; Zune®>
2008-04-20 19:05:18 35840 --a------ C:\WINDOWS\system32\ZuneUsbCOnnection.dll <Not Verified; Microsoft Corporation; Zune®>
2008-04-20 19:05:18 145408 --a------ C:\WINDOWS\system32\ZuneMTPZ.dll <Not Verified; Microsoft Corporation; Zune®>
2008-04-20 19:05:18 70656 --a------ C:\WINDOWS\system32\ZuneIpTransport.dll <Not Verified; Microsoft Corporation; Zune®>
2008-04-20 19:04:39 0 d-------- C:\Program Files\Zune
2008-04-20 18:42:13 0 d-------- C:\WINDOWS\system32\custom matrices
2008-04-20 18:41:59 0 d-------- C:\WINDOWS\system32\C2MP
2008-04-20 18:23:19 0 d-------- C:\Program Files\The Playa
2008-04-20 18:22:59 0 d-------- C:\Program Files\MediaTV
2008-04-20 18:21:14 0 d-------- C:\Program Files\NimoCodec Pack
2008-04-20 18:21:14 0 d-------- C:\Program Files\DivXCodec
2008-04-20 18:20:44 56320 --a------ C:\WINDOWS\system32\iyvu9_32.dll
2008-04-20 18:20:44 136704 --a------ C:\WINDOWS\system32\iacenc.dll <Not Verified; Ligos Corporation; Indeo® Audio Software>
2008-04-20 18:20:41 0 d-------- C:\Program Files\Ligos
2008-04-20 17:22:39 0 d-------- C:\WINDOWS\system32\NtmsData
2008-04-20 16:26:24 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2008-04-20 16:19:07 0 d-------- C:\Program Files\DIFX
2008-04-20 16:19:06 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-20 16:18:58 0 d-------- C:\Program Files\Common Files\ComponentOne
2008-04-19 00:38:55 0 d-------- C:\Documents and Settings\Owner\Application Data\RadialPoint


-- Find3M Report ---------------------------------------------------------------

2008-05-12 23:47:21 2180 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-11 20:22:36 2508 --a------ C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc
2008-05-11 20:15:40 0 d-------- C:\Program Files\Common Files
2008-05-10 04:36:51 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-06 18:18:04 0 d-------- C:\Program Files\Hewlett-Packard
2008-04-27 01:30:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-04-19 00:38:52 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-18 19:48:51 0 d-------- C:\Program Files\Verizon
2008-04-18 19:48:35 0 d-------- C:\Program Files\Common Files\Motive
2008-04-18 19:48:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-18 19:43:19 0 d-------- C:\Program Files\Kodak
2008-04-18 19:37:23 0 d-------- C:\Program Files\Common Files\Visioneer Shared
2008-04-18 18:25:51 0 d-------- C:\Program Files\Norton SystemWorks
2008-04-18 18:25:51 0 d-------- C:\Program Files\Common Files\AOL
2008-04-18 18:25:50 0 d-------- C:\Program Files\HP DeskJet 895C Series
2008-04-18 18:02:08 0 d-------- C:\Documents and Settings\Owner\Application Data\AOL
2008-04-18 16:58:40 0 d-------- C:\Program Files\Symantec
2008-04-10 12:52:08 662016 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-10 12:52:06 404992 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-04-10 12:52:06 114688 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-04-10 12:52:06 3143168 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-04-10 12:52:06 568320 --a------ C:\WINDOWS\system32\ff_x264.dll
2008-04-10 12:52:06 23552 --a------ C:\WINDOWS\system32\ff_wmv9.dll
2008-04-10 12:52:06 38400 --a------ C:\WINDOWS\system32\ff_unrar.dll
2008-04-10 12:52:06 81408 --a------ C:\WINDOWS\system32\ff_tremor.dll
2008-04-10 12:52:06 143360 --a------ C:\WINDOWS\system32\ff_theora.dll
2008-04-10 12:52:06 122880 --a------ C:\WINDOWS\system32\ff_samplerate.dll
2008-04-10 12:52:06 97280 --a------ C:\WINDOWS\system32\ff_realaac.dll
2008-04-10 12:52:06 118784 --a------ C:\WINDOWS\system32\ff_libmad.dll
2008-04-10 12:52:06 245760 --a------ C:\WINDOWS\system32\ff_libfaad2.dll
2008-04-10 12:52:06 155648 --a------ C:\WINDOWS\system32\ff_libdts.dll
2008-04-10 12:52:06 37376 --a------ C:\WINDOWS\system32\ff_liba52.dll
2008-04-10 12:50:40 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-03-31 17:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-29 11:42:22 245248 --a------ C:\WINDOWS\system32\dxr.dll
2008-03-29 11:42:20 159744 --a------ C:\WINDOWS\system32\mmfinfo.dll
2008-03-29 11:42:14 102400 --a------ C:\WINDOWS\system32\avss.dll
2008-03-29 11:42:08 148992 --a------ C:\WINDOWS\system32\mkx.dll
2008-03-29 11:42:04 141312 --a------ C:\WINDOWS\system32\mp4.dll
2008-03-29 11:42:04 108032 --a------ C:\WINDOWS\system32\avi.dll
2008-03-29 11:42:02 120832 --a------ C:\WINDOWS\system32\ogm.dll
2008-03-29 11:42:02 335872 --a------ C:\WINDOWS\system32\gdsmux.exe
2008-03-29 11:42:00 163840 --a------ C:\WINDOWS\system32\ts.dll
2008-03-29 11:42:00 103424 --a------ C:\WINDOWS\system32\dsmux.exe
2008-03-29 11:41:54 135168 --a------ C:\WINDOWS\system32\mkv2vfr.exe
2008-03-29 11:41:54 97280 --a------ C:\WINDOWS\system32\avs.dll
2008-03-29 11:41:52 79360 --a------ C:\WINDOWS\system32\mkzlib.dll
2008-03-29 11:41:52 23552 --a------ C:\WINDOWS\system32\mkunicode.dll
2008-03-21 16:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 16:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 16:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{260aff1f-5f6e-49f7-aed5-c4aed687d324}]
05/12/2008 08:32 PM 101440 --a------ C:\WINDOWS\system32\wuuqshml.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58BD5858-93E1-4723-8089-D93DC1B28DDA}]
05/11/2008 10:02 PM 276992 --a------ C:\WINDOWS\system32\xxyxWOiJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA99F228-D9E2-47D5-9A8D-A295E8E52E93}]
05/12/2008 01:24 PM 282624 --a------ C:\WINDOWS\fvowketqplo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
C:\WINDOWS\system32\jfiehayd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF47FCFB-AA32-4ECC-9F32-C99E30385AF3}]
C:\WINDOWS\fvowketqsoq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7F6584C-864B-411D-A410-BB2DE0D33CA1}]
05/11/2008 09:57 PM 41984 --a------ C:\WINDOWS\system32\yayaBTji.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 12:04 PM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [06/15/2001 06:34 PM]
"NvCplDaemon"="NvQTwk" []
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [04/29/2008 07:56 PM]
"autoload"="C:\Documents and Settings\Owner\cftmon.exe" [05/11/2008 09:58 PM]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [12/21/2007 08:21 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]
"88feac9a"="C:\WINDOWS\system32\axujmknh.dll" [05/12/2008 08:35 PM]
"BM8bcd9f06"="C:\WINDOWS\system32\yqblflbx.dll" [05/12/2008 08:29 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [05/11/2008 09:58 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe" [08/29/2001 08:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"RealPopup"="C:\Program Files\RealPopup\RealPopup.exe" [02/24/2005 12:50 AM]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [06/20/2006 10:36 PM]
"autoload"="C:\Documents and Settings\Owner\cftmon.exe" [05/11/2008 09:58 PM]
"clfadsme"="C:\WINDOWS\system32\wtczavwn.exe" [05/11/2008 10:02 PM]
"ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [05/11/2008 09:58 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"autoload"=C:\Documents and Settings\LocalService\cftmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"5wGxfmAw4X"=C:\Documents and Settings\All Users\Application Data\adcpovkn\gpyhgpqf.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F7F6584C-864B-411D-A410-BB2DE0D33CA1}"= C:\WINDOWS\system32\yayaBTji.dll [05/11/2008 09:57 PM 41984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {AA79829A-B747-4CB6-A5DC-D29F6D29BC97} - C:\WINDOWS\mpfanvqg.dll [05/12/2008 01:23 PM 188416]
"vbksrofa"= {7D1185A0-F8F8-4C07-926D-E7DBAA2DD432} - C:\WINDOWS\vbksrofa.dll [05/12/2008 01:23 PM 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdrfa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaBTji]
yayaBTji.dll 05/11/2008 09:57 PM 41984 C:\WINDOWS\SYSTEM32\yayaBTji.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\xxyxWOiJ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
backup=C:\WINDOWS\pss\hp center UI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
backup=C:\WINDOWS\pss\hp center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Shortcut to New Text Document.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Shortcut to New Text Document.lnk
backup=C:\WINDOWS\pss\Shortcut to New Text Document.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\checktime]
c:\program files\HPSelect\Frontend\ct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Custom Uninstall Tracking]
C:\DOCUME~1\Owner\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20efecfb-0f27-11dd-a069-00038a000011}]
AutoRun\command- G:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-05-13 00:04:01 ------------



#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:01:28 AM

Posted 14 May 2008 - 10:36 AM

Hi,

Please download ComboFix from the links above and follow all instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • "If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!"
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer


Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:01:28 AM

Posted 20 May 2008 - 12:56 PM

Due to inactivity this thread has been closed to prevent others with similar problems posting to it.
If you need it re-opened please PM a member of the moderating team with a link to your thread.

Thanks
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
