
Infected With Purityscan-q


  • This topic is locked
18 replies to this topic

#1 JMateer

  • Members
  • 14 posts

Posted 13 May 2008 - 10:16 AM

Experts at Bleeping Computer:
I am bleeped at my computer and really need your help! When I start up, Avast finds the purity scan-Q trojan and I put it in the chest. Spybot then identifies multiple requests to change system settings, which I deny. Files named "spuninst.exe" and "spuninst.bat" are multiplying within folders named
"$NTuninstall......." under the Windows directory (about 80 of them now). I can access the internet with my CompuServe interface, but Explorer is slow or locks up or has popups.
I have tried a boot scan with Avast (most recent virus definitions) - no luck. I have tried to scan the computer for malware with both Spybot and System Mechanic; both lock up during the scan.
Any help you can give me would be greatly appreciated!

Thanks in advance.
JMateer

PS. I was unable to download the latest version of HJT despite disabling my firewall. My computer is too slow (and locks up) to try Kaspersky's scan right now.



Deckard's System Scanner v20071014.68
Run by James on 2008-05-13 09:19:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-05-13 14:19:36 UTC - RP223 - Deckard's System Scanner Restore Point
1: 2008-05-12 16:45:15 UTC - RP222 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-13 09:34:32
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\WINDOWS\b2new.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\SPT\Accessories Plus\ClockPlus.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe
C:\Documents and Settings\James\Application Data\S?mantec\s?chost.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Pepid\PepidMgr.exe
C:\Program Files\CompuServe 7.0\wcs2000.exe
C:\Documents and Settings\James\Desktop\dss.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll (file missing)
O2 - BHO: (no name) - {508841F8-D52B-4D1F-8DAE-CB5FD175FE04} - C:\WINDOWS\system32\wvUkLFwU.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5E83CCD3-232B-4852-A80D-7154D5C83FF1} - (no file)
O2 - BHO: {571c1923-82c8-4fc9-aaf4-267b2c45a038} - {830a54c2-b762-4faa-9cf4-8c283291c175} - C:\WINDOWS\system32\tfbykatk.dll
O2 - BHO: (no name) - {94085A9D-D675-488F-A754-F906A55C89F2} - C:\WINDOWS\system32\xxyyxwxV.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\ljJASigf.dll
O2 - BHO: (no name) - {e05c6d8e-91c9-4f48-898f-706c28c31243} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [AccessoriesPlus] "C:\Program Files\SPT\Accessories Plus\clockplus.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BM1e1a29d8] Rundll32.exe "C:\WINDOWS\System32\ewnmonqr.dll",s
O4 - HKLM\..\Run: [1d291a44] rundll32.exe "C:\WINDOWS\System32\fvhvejdb.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe"
O4 - HKCU\..\Run: [Cjkafzkh] "C:\Documents and Settings\James\Application Data\S?mantec\s?chost.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = ?
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Launch Pepid Manager.lnk = C:\Program Files\Pepid\PepidMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...8019.9020138889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://enet.phci.org/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{F00AC6CF-A5D8-4746-98B7-95C4AAF32A0D}: NameServer = 205.188.146.145
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: ljJASigf - C:\WINDOWS\System32\ljJASigf.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


--
End of file - 10670 bytes

-- File Associations -----------------------------------------------------------

.txt - txtfile - shell\open\command - notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S1 EXAMPLE - c:\windows\system32\main.sys (file missing)
S2 RZBLKFNF - c:\windows\system32\rzblkfnf.ykx (file missing)
S3 VisorUsb (Handspring USB) - c:\windows\system32\drivers\visorusb.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - c:\program files\executive software\diskeeper\dkservice.exe <Not Verified; Executive Software International, Inc.; Diskeeper ™ Disk Defragmenter>
R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\b2new.exe service

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-13 09:29:55 98928 --a------ C:\WINDOWS\System32\tfbykatk.dll
2008-05-13 09:29:49 83136 --a------ C:\WINDOWS\System32\fvhvejdb.dll
2008-05-13 09:27:41 2112 --a------ C:\WINDOWS\System32\oydegout.exe
2008-05-13 09:27:30 90240 --a------ C:\WINDOWS\System32\ewnmonqr.dll
2008-05-13 09:23:08 2112 --a------ C:\WINDOWS\System32\qtcyhfef.exe
2008-05-13 09:21:09 83136 -----n--- C:\WINDOWS\System32\usjjeqtw.dll
2008-05-13 09:18:05 98928 --a------ C:\WINDOWS\System32\bmpsktlm.dll
2008-05-13 09:17:55 90240 --a------ C:\WINDOWS\System32\jgdptgbe.dll
2008-05-13 09:16:37 83136 -----n--- C:\WINDOWS\System32\kymbnuks.dll
2008-05-13 09:14:20 90240 --a------ C:\WINDOWS\System32\sqlghcdy.dll
2008-05-13 09:13:33 314432 -----n--- C:\WINDOWS\System32\yayxxwwW.dll
2008-05-12 22:53:51 314480 --a------ C:\WINDOWS\System32\vtUlIaAP.dll
2008-05-12 22:44:34 98960 --a------ C:\WINDOWS\System32\cbcawpow.dll
2008-05-12 22:41:35 83072 --a------ C:\WINDOWS\System32\fouujedm.dll
2008-05-12 22:41:09 2112 --a------ C:\WINDOWS\System32\lsubspjr.exe
2008-05-12 22:40:55 90240 --a------ C:\WINDOWS\System32\dfathxla.dll
2008-05-12 14:12:15 83072 --a------ C:\WINDOWS\System32\bkjedkju.dll
2008-05-12 14:09:19 98960 --a------ C:\WINDOWS\System32\wyfuawil.dll
2008-05-12 14:06:15 2112 --a------ C:\WINDOWS\System32\vpybsbnr.exe
2008-05-12 14:05:23 90240 --a------ C:\WINDOWS\System32\hvlslrhe.dll
2008-05-12 14:03:11 314480 -----n--- C:\WINDOWS\System32\awtsTJyV.dll
2008-05-12 12:22:03 1046358 --ahs---- C:\WINDOWS\System32\UwFLkUvw.ini2
2008-05-12 12:22:01 314480 --a------ C:\WINDOWS\System32\wvUkLFwU.dll
2008-05-12 12:13:19 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-12 12:13:19 2547 --a------ C:\WINDOWS\unins000.dat
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Templates
2008-05-12 11:07:01 0 dr------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Start Menu
2008-05-12 11:07:01 0 dr-h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\SendTo
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Recent
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\PrintHood
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\NetHood
2008-05-12 11:07:01 0 d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\My Documents
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Local Settings
2008-05-12 11:07:01 0 d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Favorites
2008-05-12 11:07:01 0 d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Desktop
2008-05-12 11:07:01 0 d---s---- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Cookies
2008-05-12 11:07:01 0 dr-h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Application Data
2008-05-12 11:07:01 0 d---s---- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Application Data\Microsoft
2008-05-12 11:07:00 1835008 --ah----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\NTUSER.DAT
2008-05-12 09:02:14 2048 --a------ C:\WINDOWS\System32\nufwektd.exe
2008-05-12 09:02:09 98896 --a------ C:\WINDOWS\System32\lvvoehsx.dll
2008-05-12 08:59:57 83008 --a------ C:\WINDOWS\System32\pvvfwssk.dll
2008-05-12 08:59:48 90176 --a------ C:\WINDOWS\System32\uiqhwrxh.dll
2008-05-11 12:53:55 6720 --ahs---- C:\WINDOWS\System32\xaHjlnmp.ini2
2008-05-11 12:53:53 316464 --a------ C:\WINDOWS\System32\pmnljHax.dll
2008-05-11 11:22:06 0 d-------- C:\WINDOWS\System32\spoolX
2008-05-11 11:21:47 0 d-------- C:\WINDOWS\System32\winRem
2008-05-11 11:21:47 0 d-------- C:\WINDOWS\System32\MUI2
2008-05-11 11:21:47 0 d-------- C:\WINDOWS\System32\cdfig
2008-05-11 11:21:18 0 d-------- C:\WINDOWS\System32\1036a
2008-05-11 11:21:14 0 d-------- C:\WINDOWS\System32\dFrnx06
2008-05-11 11:21:13 0 d-------- C:\Temp
2008-05-11 11:20:57 1053753 --ahs---- C:\WINDOWS\System32\Vxwxyyxx.ini2
2008-05-11 11:20:52 316464 --a------ C:\WINDOWS\System32\xxyyxwxV.dll
2008-05-11 11:20:03 0 d-------- C:\Program Files\Outerinfo
2008-05-11 11:20:03 0 d-------- C:\Documents and Settings\James\Application Data\S?mantec
2008-05-11 11:16:00 0 d-------- C:\Program Files\Common Files\?ecurity
2008-05-11 11:16:00 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-11 11:15:50 0 d-------- C:\Program Files\QdrPack
2008-05-11 11:15:48 25728 --a------ C:\WINDOWS\System32\ljJASigf.dll
2008-05-11 11:15:42 0 d-------- C:\Program Files\QdrModule
2008-05-11 11:15:42 0 d-------- C:\Program Files\QdrDrive
2008-05-11 11:15:42 0 d-------- C:\Program Files\ISM
2008-05-11 11:15:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-11 11:15:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-11 11:15:12 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-11 11:15:10 4 --a------ C:\WINDOWS\System32\winfrun32.bin
2008-05-11 11:15:08 91563 --a------ C:\WINDOWS\System32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-05-11 11:15:08 91563 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-05-11 11:15:05 25600 --a------ C:\WINDOWS\b2new.exe
2008-05-09 19:35:37 8780 --a------ C:\WINDOWS\System32\000090.exe
2008-05-09 13:10:08 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-05-09 12:10:10 229514 --a------ C:\WINDOWS\System32\000080.exe
2008-05-04 22:10:42 794624 --a------ C:\WINDOWS\System32\spr32d35.dll <Not Verified; FarPoint Technologies, Inc.; Spread>
2008-05-04 21:32:14 0 d-------- C:\Program Files\Punch! Home Design - Platinum
2008-05-03 17:47:17 0 d-------- C:\Documents and Settings\James\Application Data\DTLink Software
2008-05-03 11:48:00 270709 --a------ C:\WINDOWS\System32\000060.exe
2008-05-03 08:19:22 0 d--hs---- C:\FOUND.021


-- Find3M Report ---------------------------------------------------------------

2008-05-12 22:46:38 384 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat
2008-05-12 22:46:38 384 --a------ C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat
2008-05-11 11:20:04 0 d-------- C:\Documents and Settings\James\Application Data\S?mantec
2008-05-11 11:16:02 0 d-------- C:\Program Files\Common Files\?ecurity
2008-03-24 08:53:22 22528 --a------ C:\WINDOWS\System32\smrgdf.exe
2008-03-24 08:53:20 34304 --a------ C:\WINDOWS\System32\iolobtdfg.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{508841F8-D52B-4D1F-8DAE-CB5FD175FE04}]
05/12/2008 12:22 PM 314480 --a------ C:\WINDOWS\System32\wvUkLFwU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E83CCD3-232B-4852-A80D-7154D5C83FF1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{830a54c2-b762-4faa-9cf4-8c283291c175}]
05/13/2008 09:29 AM 98928 --a------ C:\WINDOWS\System32\tfbykatk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94085A9D-D675-488F-A754-F906A55C89F2}]
05/11/2008 11:20 AM 316464 --a------ C:\WINDOWS\System32\xxyyxwxV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
05/11/2008 11:15 AM 25728 --a------ C:\WINDOWS\System32\ljJASigf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e05c6d8e-91c9-4f48-898f-706c28c31243}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccessoriesPlus"="C:\Program Files\SPT\Accessories Plus\clockplus.exe" [05/20/2002 06:00 PM]
"CTHelper"="CTHELPER.EXE" [10/06/2003 02:57 PM C:\WINDOWS\system32\CTHELPER.EXE]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [05/06/2008 04:36 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 12:37 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"BM1e1a29d8"="C:\WINDOWS\System32\ewnmonqr.dll" [05/13/2008 09:27 AM]
"1d291a44"="C:\WINDOWS\System32\fvhvejdb.dll" [05/13/2008 09:29 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/26/2007 12:08 PM]
"System Mechanic Popup Blocker"="C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe" [06/18/2007 05:01 PM]
"Cjkafzkh"="C:\Documents and Settings\James\Application Data\S?mantec\s?chost.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\James\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/2/2004 10:23:47 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CompuServe 7.0 Tray Icon.lnk - C:\Program Files\CompuServe 7.0\cstray.exe [5/30/2004 11:45:29 AM]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [10/23/2003 10:37:56 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 5:23:32 PM]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [3/1/2007 1:32:30 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\System32\ljJASigf.dll [05/11/2008 11:15 AM 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SystemCheck2"= {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll [ ]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJASigf]
ljJASigf.dll 05/11/2008 11:15 AM 25728 C:\WINDOWS\system32\ljJASigf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\wvUkLFwU

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8373 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-13 09:35:52 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.60GHz
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 511.48 MiB / 161.43 MiB
Pagefile Memory (total/avail): 866.88 MiB / 484.17 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.7 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 55.88 GiB total, 38.93 GiB free.
D: is Fixed (FAT32) - 74.51 GiB total, 23.31 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST360021A - 55.9 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 55.9 GiB - C:

\\.\PHYSICALDRIVE1 - ST380021A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 74.53 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\James\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DIGITALMEDIA
ComSpec=C:\WINDOWS\system32\cmd.exe
DIRCMD=/a-h
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\James
LOGONSERVER=\\DIGITALMEDIA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Executive Software\Diskeeper\;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\James\LOCALS~1\Temp
TMP=C:\DOCUME~1\James\LOCALS~1\Temp
USERDOMAIN=DIGITALMEDIA
USERNAME=James
USERPROFILE=C:\Documents and Settings\James
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

James (admin)
Administrator.DIGITALMEDIA.000 (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\InstallShield Installation Information\{F37167DD-4436-4641-90B6-329D60632DDA}\Setup.exe" REMOVEALL --u:{F37167DD-4436-4641-90B6-329D60632DDA}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F445476A-42DE-11D4-80D0-00C04F2750A6}\Setup.exe" -u -uninst -fUninst.isu -c"C:\Program Files\Epocrates\Suite\Win32\Win32_Dll\AupdUnInstall.dll"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Acrobat and Reader 6.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
AdsGone Popup Killer Spyware Blocker by A1Tech.com --> "C:\Program Files\AdsGone\unins001.exe"
Advanced Networking Pack for Windows XP --> C:\WINDOWS\$NtUninstallKB817778$\spuninst\spuninst.exe
All Video Splitter 4.0 --> "C:\Program Files\All Video Splitter\unins000.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Beginner Guitar MasterClass --> "c:\Program Files\begin_g\unins001.exe"
Citrix Web Client --> C:\WINDOWS\System32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
CompuServe --> C:\Program Files\Common Files\csshare\csunins_us.exe
Diskeeper Professional Edition --> MsiExec.exe /X{AA67205C-3E80-4062-9198-253A059DEE38}
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Documents To Go --> MsiExec.exe /X{EB807EB6-5179-48B7-98D4-7B4934A57A81}
Easy CD & DVD Creator 6 --> MsiExec.exe /I{644F9DBE-CEDB-45AF-ACB8-E26692B74F62}
Epocrates Essentials --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F445476A-42DE-11D4-80D0-00C04F2750A6}\Setup.exe" -u
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Guitar MasterClass 1 --> "c:\Program Files\guitar_MasterClass1\unins000.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
hp deskjet 5550 series --> rundll32 hpzcon07.dll,VendorJettison hp deskjet 5550 series
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
InterVideo WinDVD 7 --> "C:\Program Files\InstallShield Installation Information\{90885A82-9673-49EA-AB39-AF776639C67C}\setup.exe" REMOVEALL
iolo technologies' System Mechanic 7 --> "C:\Program Files\iolo\System Mechanic 7\unins000.exe"
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
Microsoft Office Access 2.0 Converter --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\conv90.inf, Uninstall
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{7228CB73-80E9-48D3-A7FD-C2A242686AB3}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Streets and Trips 2004 --> MsiExec.exe /I{8704D51E-25B7-4F23-81E7-AA4F54790210}
MXpie Patch for WinMX/WPNP --> C:\Program Files\MXpie Patch\MXpie_Uninstaller.exe
Netscape --> regsvr32.exe -u -s C:\WINDOWS\DOWNLO~1\netscape.dll
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
Palm --> MsiExec.exe /X{ADAED43C-BBD9-42C5-8B21-F4FBFA81E3C3}
Palm Desktop and Synchronization Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA0F44C2-A883-11D1-AD0A-006097D15E2C}\Setup.exe" Uninstall
PEPID ED for Palm OS --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{55AD1ACE-BFED-4A56-B20E-90304A03189A}
Pepid Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DDC2EBD-B9E3-4956-B6A9-3FD6A7B396F7}\setup.exe" -l0x9
Punch! Home Design - Platinum --> C:\PROGRA~1\PUNCH!~1\UNWISE.EXE C:\PROGRA~1\PUNCH!~1\INSTALL.LOG
Quick MPEG Splitter v2.0 --> "C:\Program Files\Quick MPEG Splitter\unins000.exe"
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
SplitMovie 1.4 --> C:\Program Files\SplitMovie 1.4\uninst.exe
SPT Accessories Plus 2002 --> "C:\Program Files\SPT\Accessories Plus\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Tarascon PDA Reference - Palm Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E60F9B95-D1EA-479C-A196-A0C3283D6E8E}\Setup.exe" -l0x9
Tarascon Pocket Pharmacopoeia Deluxe Palm Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9A36D64-F346-40BE-AA53-4B009BC41868}\Setup.exe" -l0x9
Ulead MediaStudio 6.5 Director's Cut --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99BF44DF-1181-11D5-B627-0010B5557563}\setup.exe"
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows XP Service Pack 1 --> C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinMX --> C:\Program Files\WinMX\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type9238 / Error
Event Submitted/Written: 05/12/2008 11:30:49 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type9237 / Error
Event Submitted/Written: 05/12/2008 11:30:49 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type9235 / Error
Event Submitted/Written: 05/12/2008 11:06:54 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type9234 / Error
Event Submitted/Written: 05/12/2008 11:06:54 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type9232 / Warning
Event Submitted/Written: 05/12/2008 09:27:11 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type438 / Error
Event Submitted/Written: 05/12/2008 09:41:57 PM
Event ID/Source: 19 / Print
Event Description:
Sharing printer failed + 1722, Printer Microsoft Office Document Image Writer share name Printer.

Event Record #/Type435 / Warning
Event Submitted/Written: 05/12/2008 07:00:18 PM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by WINLOGON.EXE.

Event Record #/Type382 / Warning
Event Submitted/Written: 05/12/2008 11:41:24 AM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type360 / Error
Event Submitted/Written: 05/12/2008 11:33:34 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type359 / Error
Event Submitted/Written: 05/12/2008 11:32:04 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
aswSP
aswTdi
eeCtrl
Fips
IPSec
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
Tcpip



-- End of Deckard's System Scanner: finished at 2008-05-13 09:35:52 ------------


#2 Buckeye_Sam
Malware Expert

Posted 13 May 2008 - 02:05 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 JMateer
Topic Starter

Posted 13 May 2008 - 06:38 PM

Sam:
Thanks for the quick response!

I followed your instructions with Combofix. The log file is included. I am now confused as to how I should interpret Spybot messages. Since Combofix may have disabled or deleted some files from startup, I am likely to have messages from Spybot asking whether to allow or not. I do not want to say yes to allowing a virus or trojan command to be inserted though. What to do? Should I disable, remove and/or reinstall Spybot? Ignore the messages?

Thanks.

JMateer

____________________________________________________________________________________________________________________

ComboFix 08-05-12.1 - James 2008-05-13 18:08:04.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.231 [GMT -5:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\James\Application Data\SMANTE~1
C:\Documents and Settings\James\Application Data\SMANTE~1\s?chost.exe
C:\Documents and Settings\James\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\James\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\James\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\James\Start Menu\Programs\Outerinfo
C:\Documents and Settings\James\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\James\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\ecurit~1\?ecurity\
C:\Program Files\Common Files\ecurit~1\ping.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\trgts.gz
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\alexaie.dll
C:\WINDOWS\alxie328.dll
C:\WINDOWS\alxtb1.dll
C:\WINDOWS\btgrab.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\dlmax.dll
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\pynix.dll
C:\WINDOWS\susp.exe
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\alxres.dll
C:\WINDOWS\system32\bdjevhvf.ini
C:\WINDOWS\system32\bkjedkju.dll
C:\WINDOWS\system32\bridge.dll
C:\WINDOWS\system32\fouujedm.dll
C:\WINDOWS\system32\jao.dll
C:\WINDOWS\system32\ksswfvvp.ini
C:\WINDOWS\system32\kvxqsmru.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdejuuof.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pYcLmUtv.ini
C:\WINDOWS\system32\pYcLmUtv.ini2
C:\WINDOWS\system32\questmod.dll
C:\WINDOWS\system32\runsrv32.dll
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\skunbmyk.ini
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\tcpservice2.exe
C:\WINDOWS\system32\txfdb32.dll
C:\WINDOWS\system32\udpmod.dll
C:\WINDOWS\system32\ujkdejkb.ini
C:\WINDOWS\system32\Vxwxyyxx.ini
C:\WINDOWS\system32\Vxwxyyxx.ini2
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\wstart.dll
C:\WINDOWS\system32\wtqejjsu.ini
C:\WINDOWS\system32\xaHjlnmp.ini
C:\WINDOWS\system32\xaHjlnmp.ini2

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Legacy_RUNTIME
-------\Service_EXAMPLE
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-13 18:07 . 2008-05-13 18:07 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 18:04 . 2008-05-13 18:04 314,480 --a------ C:\WINDOWS\system32\vtUmLcYp.dll
2008-05-13 09:46 . 2008-05-13 09:47 98,864 --a------ C:\WINDOWS\system32\jmqnvycp.dll
2008-05-13 09:46 . 2008-05-13 09:47 2,048 --a------ C:\WINDOWS\system32\gistusfy.exe
2008-05-13 09:44 . 2008-05-13 09:44 90,176 --a------ C:\WINDOWS\system32\xgfdflgt.dll
2008-05-13 09:44 . 2008-05-13 09:44 83,072 --a------ C:\WINDOWS\system32\urmsqxvk.dll
2008-05-13 09:29 . 2008-05-13 09:29 98,928 --a------ C:\WINDOWS\system32\tfbykatk.dll
2008-05-13 09:27 . 2008-05-13 09:27 90,240 --a------ C:\WINDOWS\system32\ewnmonqr.dll
2008-05-13 09:27 . 2008-05-13 09:27 2,112 --a------ C:\WINDOWS\system32\oydegout.exe
2008-05-13 09:23 . 2008-05-13 09:23 2,112 --a------ C:\WINDOWS\system32\qtcyhfef.exe
2008-05-13 09:19 . 2008-05-13 09:19 <DIR> d-------- C:\Deckard
2008-05-13 09:18 . 2008-05-13 09:18 98,928 --a------ C:\WINDOWS\system32\bmpsktlm.dll
2008-05-13 09:17 . 2008-05-13 09:17 90,240 --a------ C:\WINDOWS\system32\jgdptgbe.dll
2008-05-13 09:14 . 2008-05-13 09:14 90,240 --a------ C:\WINDOWS\system32\sqlghcdy.dll
2008-05-12 22:54 . 2008-05-12 22:54 150 --ahs---- C:\WINDOWS\system32\PAaIlUtv.ini
2008-05-12 22:53 . 2008-05-12 22:54 314,480 --a------ C:\WINDOWS\system32\vtUlIaAP.dll
2008-05-12 22:44 . 2008-05-12 22:44 98,960 --a------ C:\WINDOWS\system32\cbcawpow.dll
2008-05-12 22:41 . 2008-05-12 22:41 2,112 --a------ C:\WINDOWS\system32\lsubspjr.exe
2008-05-12 22:40 . 2008-05-12 22:40 90,240 --a------ C:\WINDOWS\system32\dfathxla.dll
2008-05-12 14:09 . 2008-05-12 14:09 98,960 --a------ C:\WINDOWS\system32\wyfuawil.dll
2008-05-12 14:06 . 2008-05-12 14:06 2,112 --a------ C:\WINDOWS\system32\vpybsbnr.exe
2008-05-12 14:05 . 2008-05-12 14:05 90,240 --a------ C:\WINDOWS\system32\hvlslrhe.dll
2008-05-12 12:13 . 2008-05-12 12:10 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-12 12:13 . 2008-05-12 12:13 2,547 --a------ C:\WINDOWS\unins000.dat
2008-05-12 11:07 . 2008-05-12 11:07 <DIR> d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000
2008-05-12 11:07 . 2008-05-13 18:07 1,024 --ah----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\NTUSER.DAT.LOG
2008-05-12 09:06 . 2008-05-12 09:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-12 09:02 . 2008-05-12 09:02 98,896 --a------ C:\WINDOWS\system32\lvvoehsx.dll
2008-05-12 09:02 . 2008-05-12 09:02 2,048 --a------ C:\WINDOWS\system32\nufwektd.exe
2008-05-12 08:59 . 2008-05-13 18:14 109,803 --a------ C:\WINDOWS\BM1e1a29d8.xml
2008-05-12 08:59 . 2008-05-12 08:59 90,176 --a------ C:\WINDOWS\system32\uiqhwrxh.dll
2008-05-12 08:59 . 2008-05-12 08:59 83,008 --a------ C:\WINDOWS\system32\pvvfwssk.dll
2008-05-11 12:53 . 2008-05-11 12:53 316,464 --a------ C:\WINDOWS\system32\pmnljHax.dll
2008-05-11 11:22 . 2008-05-11 11:22 <DIR> d-------- C:\WINDOWS\system32\spoolX
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\winRem
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\MUI2
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\dFrnx06
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\cdfig
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\1036a
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\Temp\tmpvc14
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\Temp
2008-05-11 11:21 . 2008-05-11 11:21 493,862 --a------ C:\Temp\dUbc1002.exe
2008-05-11 11:21 . 2008-05-11 11:21 578 --a------ C:\WINDOWS\index.html
2008-05-11 11:20 . 2008-05-11 11:20 316,464 --a------ C:\WINDOWS\system32\xxyyxwxV.dll
2008-05-11 11:16 . 2008-05-11 11:16 41,724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-11 11:15 . 2008-05-11 11:15 25,728 --a------ C:\WINDOWS\system32\ljJASigf.dll
2008-05-11 11:15 . 2008-05-11 11:15 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-09 13:10 . 2008-05-09 13:10 187,904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-05-04 22:10 . 2002-08-18 19:43 794,624 --a------ C:\WINDOWS\system32\spr32d35.dll
2008-05-04 21:32 . 2008-05-04 21:32 <DIR> d-------- C:\Program Files\Punch! Home Design - Platinum
2008-05-03 17:47 . 2008-05-03 17:47 <DIR> d-------- C:\Documents and Settings\James\Application Data\DTLink Software
2008-05-03 08:19 . 2008-05-03 08:19 <DIR> d--hs---- C:\FOUND.021

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 21:36 428,904 ----a-w C:\WINDOWS\system32\Incinerator.dll
2008-03-24 13:53 34,304 ----a-w C:\WINDOWS\system32\iolobtdfg.exe
2008-03-24 13:53 22,528 ----a-w C:\WINDOWS\system32\smrgdf.exe
.

------- Sigcheck -------

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E59A4A5-5029-42AA-AAB2-CDFAE592794C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E83CCD3-232B-4852-A80D-7154D5C83FF1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{693a419d-05c3-49fc-a739-f7c736b6cd0b}]
2008-05-13 09:47 98864 --a------ C:\WINDOWS\System32\jmqnvycp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8077c3ed-49a6-4f19-baa2-fbca6506bd10}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94085A9D-D675-488F-A754-F906A55C89F2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95518F12-21A8-459D-B6B2-A7048E5CB262}]
2008-05-11 11:20 316464 --a------ C:\WINDOWS\System32\xxyyxwxV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C45B510-C31E-44E8-A666-EFB9FEB6F990}]
2008-05-13 18:04 314480 --a------ C:\WINDOWS\System32\vtUmLcYp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-11 11:15 25728 --a------ C:\WINDOWS\system32\ljJASigf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e05c6d8e-91c9-4f48-898f-706c28c31243}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25A3B87-6AA6-4836-BED7-B6A5B0F803F6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 12:08 68856]
"System Mechanic Popup Blocker"="C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe" [2007-06-18 17:01 514664]
"Cjkafzkh"="C:\Documents and Settings\James\Application Data\S?mantec\s?chost.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccessoriesPlus"="C:\Program Files\SPT\Accessories Plus\clockplus.exe" [2002-05-20 18:00 410112]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 16:36 764776]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"1d291a44"="C:\WINDOWS\System32\urmsqxvk.dll" [2008-05-13 09:44 83072]
"BM1e1a29d8"="C:\WINDOWS\System32\xgfdflgt.dll" [2008-05-13 09:44 90176]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-11-20 12:50 51200 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\James\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-02 22:23:47 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CompuServe 7.0 Tray Icon.lnk - C:\Program Files\CompuServe 7.0\cstray.exe [2004-05-30 11:45:29 32840]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56 217194]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-03-01 13:32:30 278528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\ljJASigf.dll [2008-05-11 11:15 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SystemCheck2"= {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll [ ]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJASigf]
ljJASigf.dll 2008-05-11 11:15 25728 C:\WINDOWS\system32\ljJASigf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\WINDOWS\System32\dvacm.acm

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-03-29 12:31]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 22:59]
S2 RZBLKFNF;RZBLKFNF;C:\WINDOWS\System32\rzblkfnf.ykx []
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 12:00]
S3 VisorUsb;Handspring USB;C:\WINDOWS\System32\DRIVERS\VisorUsb.sys []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 18:14:33
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RZBLKFNF]
"ImagePath"="\??\C:\WINDOWS\System32\rzblkfnf.ykx"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ljJASigf.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\urmsqxvk.dll
-> C:\WINDOWS\System32\xgfdflgt.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Pepid\PepidMgr.exe
.
**************************************************************************
.
Completion time: 2008-05-13 18:16:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 23:15:56

Pre-Run: 41,692,135,424 bytes free
Post-Run: 41,632,628,736 bytes free

267 --- E O F --- 2008-01-07 03:47:47

#4 Buckeye_Sam
Malware Expert

Posted 13 May 2008 - 10:55 PM

At this point you should disable Spybot's teatimer function.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Just keep it disabled until we are done and then you can turn it back on.



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Make sure to reboot after the scan from SUPERAntiSpyware is complete and then run Combofix once again and post that log also.


========================================================

#5 JMateer
Topic Starter

Posted 14 May 2008 - 10:34 AM

Sam:

Problems! I downloaded SAS and followed all the instructions above. I have tried to run the program several times with the preferences set as you specified. Each time my computer locks up during the scan. I have tried to do the scan in Safe mode as well and have tried to do a quick scan instead of a complete scan. SAS is finding up to 60 threats before it locks up. The lockup seems to occur each time when it is scanning the registry and is in the following area of the registry: HKLM\Software\Microsoft\Windows\Current Version\Internet Settings\Zone Map\Domain\(final entry here has varied with each lockup).

What is my next step - if there is one?

JMateer
_________________________________________________________________________________________________________________________

#6 Buckeye_Sam
Malware Expert

Posted 14 May 2008 - 05:47 PM

There's always a next step. :thumbsup:

Please run combofix again and post a new log.
We'll clean you up manually.


========================================================

#7 JMateer
Topic Starter

Posted 14 May 2008 - 07:15 PM

Sam:

Thanks. I was able to run SAS on part of the files (Windows system and win32, etc). About 50 threats were removed. But it still locks up when I try to run it on the registry. Manual cleanup sounds like it could be a lot of work! I am making part of my contribution to this very helpful site in advance! To follow is my latest Combofix txt file.

Thanks.
Jim

ComboFix 08-05-12.1 - James 2008-05-14 18:51:07.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.272 [GMT -5:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aHjSrtwa.ini
C:\WINDOWS\system32\aHjSrtwa.ini2
C:\WINDOWS\system32\ekbalelp.ini
C:\WINDOWS\system32\HhgfPqss.ini
C:\WINDOWS\system32\HhgfPqss.ini2
C:\WINDOWS\system32\HhgOonnn.ini
C:\WINDOWS\system32\HhgOonnn.ini2
C:\WINDOWS\system32\ihkftahm.ini
C:\WINDOWS\system32\kyqncnes.ini
C:\WINDOWS\system32\pYcLmUtv.ini
C:\WINDOWS\system32\pYcLmUtv.ini2
C:\WINDOWS\system32\RtENmnpo.ini
C:\WINDOWS\system32\RtENmnpo.ini2
C:\WINDOWS\system32\Vxwxyyxx.ini
C:\WINDOWS\system32\Vxwxyyxx.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 18:55 . 2008-05-14 18:55 314,448 --a------ C:\WINDOWS\system32\cbXOIxwu.dll
2008-05-14 18:55 . 2008-05-14 18:55 347 --ahs---- C:\WINDOWS\system32\uwxIOXbc.ini2
2008-05-14 18:55 . 2008-05-14 18:56 347 --ahs---- C:\WINDOWS\system32\uwxIOXbc.ini
2008-05-14 18:45 . 2008-05-14 18:45 <DIR> d--hs---- C:\FOUND.022
2008-05-14 17:00 . 2008-05-14 17:00 314,448 --a------ C:\WINDOWS\system32\opnmNEtR.dll
2008-05-14 13:13 . 2008-05-14 13:13 83,152 --a------ C:\WINDOWS\system32\plelabke.dll
2008-05-14 13:08 . 2008-05-14 13:08 90,208 --a------ C:\WINDOWS\system32\wnqfieoe.dll
2008-05-14 11:51 . 2008-05-14 11:51 2,992 --a------ C:\WINDOWS\system32\eigfjsio.dll
2008-05-14 11:48 . 2008-05-14 11:48 2,112 --a------ C:\WINDOWS\system32\lteegise.exe
2008-05-14 11:43 . 2008-05-14 11:43 90,272 --a------ C:\WINDOWS\system32\kufbaldv.dll
2008-05-14 10:56 . 2008-05-14 10:56 2,112 --a------ C:\WINDOWS\system32\adiysvwp.exe
2008-05-14 10:51 . 2008-05-14 10:51 90,272 --a------ C:\WINDOWS\system32\uxldtpgm.dll
2008-05-14 09:17 . 2008-05-14 09:17 90,272 --a------ C:\WINDOWS\system32\chohecrf.dll
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Documents and Settings\James\Application Data\SUPERAntiSpyware.com
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-14 08:29 . 2008-05-14 08:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 08:26 . 2008-05-14 08:26 2,112 --a------ C:\WINDOWS\system32\hjesiinh.exe
2008-05-14 08:23 . 2008-05-14 08:23 99,008 --a------ C:\WINDOWS\system32\gtnaqcby.dll
2008-05-14 08:18 . 2008-05-14 08:18 90,288 --a------ C:\WINDOWS\system32\ejwwbfsx.dll
2008-05-13 18:16 . 2008-05-14 08:16 354 ---hs---- C:\WINDOWS\system32\kvxqsmru.ini
2008-05-13 18:07 . 2008-05-13 18:07 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 09:46 . 2008-05-13 09:47 98,864 --a------ C:\WINDOWS\system32\jmqnvycp.dll
2008-05-13 09:44 . 2008-05-13 09:44 90,176 --a------ C:\WINDOWS\system32\xgfdflgt.dll
2008-05-13 09:29 . 2008-05-13 09:29 98,928 --a------ C:\WINDOWS\system32\tfbykatk.dll
2008-05-13 09:27 . 2008-05-13 09:27 90,240 --a------ C:\WINDOWS\system32\ewnmonqr.dll
2008-05-13 09:27 . 2008-05-13 09:27 2,112 --a------ C:\WINDOWS\system32\oydegout.exe
2008-05-13 09:23 . 2008-05-13 09:23 2,112 --a------ C:\WINDOWS\system32\qtcyhfef.exe
2008-05-13 09:19 . 2008-05-13 09:19 <DIR> d-------- C:\Deckard
2008-05-13 09:18 . 2008-05-13 09:18 98,928 --a------ C:\WINDOWS\system32\bmpsktlm.dll
2008-05-13 09:17 . 2008-05-13 09:17 90,240 --a------ C:\WINDOWS\system32\jgdptgbe.dll
2008-05-13 09:14 . 2008-05-13 09:14 90,240 --a------ C:\WINDOWS\system32\sqlghcdy.dll
2008-05-12 22:54 . 2008-05-12 22:54 150 --ahs---- C:\WINDOWS\system32\PAaIlUtv.ini
2008-05-12 22:44 . 2008-05-12 22:44 98,960 --a------ C:\WINDOWS\system32\cbcawpow.dll
2008-05-12 22:41 . 2008-05-12 22:41 2,112 --a------ C:\WINDOWS\system32\lsubspjr.exe
2008-05-12 22:40 . 2008-05-12 22:40 90,240 --a------ C:\WINDOWS\system32\dfathxla.dll
2008-05-12 14:09 . 2008-05-12 14:09 98,960 --a------ C:\WINDOWS\system32\wyfuawil.dll
2008-05-12 14:06 . 2008-05-12 14:06 2,112 --a------ C:\WINDOWS\system32\vpybsbnr.exe
2008-05-12 14:05 . 2008-05-12 14:05 90,240 --a------ C:\WINDOWS\system32\hvlslrhe.dll
2008-05-12 12:13 . 2008-05-12 12:10 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-12 12:13 . 2008-05-12 12:13 2,547 --a------ C:\WINDOWS\unins000.dat
2008-05-12 11:07 . 2008-05-12 11:07 <DIR> d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000
2008-05-12 11:07 . 2008-05-14 11:03 8,192 --ah----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\NTUSER.DAT.LOG
2008-05-12 09:06 . 2008-05-12 09:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-12 09:02 . 2008-05-12 09:02 98,896 --a------ C:\WINDOWS\system32\lvvoehsx.dll
2008-05-12 08:59 . 2008-05-14 18:55 109,803 --a------ C:\WINDOWS\BM1e1a29d8.xml
2008-05-12 08:59 . 2008-05-12 08:59 90,176 --a------ C:\WINDOWS\system32\uiqhwrxh.dll
2008-05-12 08:59 . 2008-05-12 08:59 83,008 --a------ C:\WINDOWS\system32\pvvfwssk.dll
2008-05-11 12:53 . 2008-05-11 12:53 316,464 --a------ C:\WINDOWS\system32\pmnljHax.dll
2008-05-11 11:22 . 2008-05-11 11:22 <DIR> d-------- C:\WINDOWS\system32\spoolX
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\winRem
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\MUI2
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\dFrnx06
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\cdfig
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\WINDOWS\system32\1036a
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\Temp\tmpvc14
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\Temp
2008-05-11 11:21 . 2008-05-11 11:21 493,862 --a------ C:\Temp\dUbc1002.exe
2008-05-11 11:21 . 2008-05-11 11:21 578 --a------ C:\WINDOWS\index.html
2008-05-11 11:20 . 2008-05-11 11:20 316,464 --a------ C:\WINDOWS\system32\xxyyxwxV.dll
2008-05-11 11:16 . 2008-05-11 11:16 41,724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-11 11:15 . 2008-05-11 11:15 25,728 --a------ C:\WINDOWS\system32\ljJASigf.dll
2008-05-11 11:15 . 2008-05-11 11:15 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-09 13:10 . 2008-05-09 13:10 187,904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-05-04 22:10 . 2002-08-18 19:43 794,624 --a------ C:\WINDOWS\system32\spr32d35.dll
2008-05-04 21:32 . 2008-05-04 21:32 <DIR> d-------- C:\Program Files\Punch! Home Design - Platinum
2008-05-03 17:47 . 2008-05-03 17:47 <DIR> d-------- C:\Documents and Settings\James\Application Data\DTLink Software
2008-05-03 08:19 . 2008-05-03 08:19 <DIR> d--hs---- C:\FOUND.021

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 21:36 428,904 ----a-w C:\WINDOWS\system32\Incinerator.dll
2008-03-24 13:53 34,304 ----a-w C:\WINDOWS\system32\iolobtdfg.exe
2008-03-24 13:53 22,528 ----a-w C:\WINDOWS\system32\smrgdf.exe
.

------- Sigcheck -------

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-13_18.15.28.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 23:12:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 23:54:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 13:30:08 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-05-14 13:30:08 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-05-14 23:54:58 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_484.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E59A4A5-5029-42AA-AAB2-CDFAE592794C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C64C138-BD25-4BF9-A387-20BC3170C36C}]
2008-05-14 18:55 314448 --a------ C:\WINDOWS\System32\cbXOIxwu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E83CCD3-232B-4852-A80D-7154D5C83FF1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66206B92-F408-43AC-97DF-C5ACD988A5C9}]
2008-05-14 17:00 314448 --a------ C:\WINDOWS\System32\opnmNEtR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8077c3ed-49a6-4f19-baa2-fbca6506bd10}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93B3EE72-8DBE-429E-9713-829C174FD9C4}]
C:\WINDOWS\System32\awtrSjHa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94085A9D-D675-488F-A754-F906A55C89F2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEC37800-2388-4AA7-A006-3E7EC8479AFB}]
C:\WINDOWS\System32\ssqPfghH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B806F20E-F32A-43F4-9A1A-B6519D029039}]
C:\WINDOWS\System32\nnnoOghH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-11 11:15 25728 --a------ C:\WINDOWS\system32\ljJASigf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e05c6d8e-91c9-4f48-898f-706c28c31243}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ebed31fb-220e-4f3a-b69b-04c3d21697cb}]
C:\WINDOWS\System32\jffsgcgl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25A3B87-6AA6-4836-BED7-B6A5B0F803F6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 12:08 68856]
"System Mechanic Popup Blocker"="C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe" [2007-06-18 17:01 514664]
"Cjkafzkh"="C:\Documents and Settings\James\Application Data\S?mantec\s?chost.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccessoriesPlus"="C:\Program Files\SPT\Accessories Plus\clockplus.exe" [2002-05-20 18:00 410112]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 16:36 764776]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"1d291a44"="C:\WINDOWS\System32\plelabke.dll" [2008-05-14 13:13 83152]
"BM1e1a29d8"="C:\WINDOWS\System32\mlypphex.dll" [2008-05-14 18:57 90208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-11-20 12:50 51200 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\James\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-02 22:23:47 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CompuServe 7.0 Tray Icon.lnk - C:\Program Files\CompuServe 7.0\cstray.exe [2004-05-30 11:45:29 32840]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56 217194]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-03-01 13:32:30 278528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\ljJASigf.dll [2008-05-11 11:15 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SystemCheck2"= {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll [ ]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJASigf]
ljJASigf.dll 2008-05-11 11:15 25728 C:\WINDOWS\system32\ljJASigf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\WINDOWS\System32\dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\cbXOIxwu

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-03-29 12:31]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 22:59]
S2 RZBLKFNF;RZBLKFNF;C:\WINDOWS\System32\rzblkfnf.ykx []
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 12:00]
S3 VisorUsb;Handspring USB;C:\WINDOWS\System32\DRIVERS\VisorUsb.sys []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 18:56:13
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RZBLKFNF]
"ImagePath"="\??\C:\WINDOWS\System32\rzblkfnf.ykx"
.

#8 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:18 AM

Posted 15 May 2008 - 07:32 AM

You do have a bunch in there, but this next step should help a lot.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

Folder::
C:\WINDOWS\system32\spoolX
C:\WINDOWS\system32\winRem
C:\WINDOWS\system32\MUI2
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\cdfig
C:\WINDOWS\system32\1036a
C:\Temp\tmpvc14


File::
C:\WINDOWS\system32\cbXOIxwu.dll
C:\WINDOWS\system32\uwxIOXbc.ini2
C:\WINDOWS\system32\uwxIOXbc.ini
C:\WINDOWS\system32\opnmNEtR.dll
C:\WINDOWS\system32\plelabke.dll
C:\WINDOWS\system32\wnqfieoe.dll
C:\WINDOWS\system32\eigfjsio.dll
C:\WINDOWS\system32\lteegise.exe
C:\WINDOWS\system32\kufbaldv.dll
C:\WINDOWS\system32\adiysvwp.exe
C:\WINDOWS\system32\uxldtpgm.dll
C:\WINDOWS\system32\chohecrf.dll
C:\WINDOWS\system32\hjesiinh.exe
C:\WINDOWS\system32\gtnaqcby.dll
C:\WINDOWS\system32\ejwwbfsx.dll
C:\WINDOWS\system32\kvxqsmru.ini
C:\WINDOWS\system32\jmqnvycp.dll
C:\WINDOWS\system32\xgfdflgt.dll
C:\WINDOWS\system32\tfbykatk.dll
C:\WINDOWS\system32\ewnmonqr.dll
C:\WINDOWS\system32\oydegout.exe
C:\WINDOWS\system32\qtcyhfef.exe
C:\WINDOWS\system32\bmpsktlm.dll
C:\WINDOWS\system32\jgdptgbe.dll
C:\WINDOWS\system32\sqlghcdy.dll
C:\WINDOWS\system32\PAaIlUtv.ini
C:\WINDOWS\system32\cbcawpow.dll
C:\WINDOWS\system32\lsubspjr.exe
C:\WINDOWS\system32\dfathxla.dll
C:\WINDOWS\system32\wyfuawil.dll
C:\WINDOWS\system32\vpybsbnr.exe
C:\WINDOWS\system32\hvlslrhe.dll
C:\WINDOWS\system32\lvvoehsx.dll
C:\WINDOWS\system32\uiqhwrxh.dll
C:\WINDOWS\system32\pvvfwssk.dll
C:\WINDOWS\system32\pmnljHax.dll
C:\Temp\dUbc1002.exe
C:\WINDOWS\index.html
C:\WINDOWS\system32\xxyyxwxV.dll
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\system32\ljJASigf.dll
C:\WINDOWS\b2new.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\WINDOWS\System32\rzblkfnf.ykx

Driver::
RZBLKFNF

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E59A4A5-5029-42AA-AAB2-CDFAE592794C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C64C138-BD25-4BF9-A387-20BC3170C36C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E83CCD3-232B-4852-A80D-7154D5C83FF1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66206B92-F408-43AC-97DF-C5ACD988A5C9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8077c3ed-49a6-4f19-baa2-fbca6506bd10}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93B3EE72-8DBE-429E-9713-829C174FD9C4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94085A9D-D675-488F-A754-F906A55C89F2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEC37800-2388-4AA7-A006-3E7EC8479AFB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B806F20E-F32A-43F4-9A1A-B6519D029039}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e05c6d8e-91c9-4f48-898f-706c28c31243}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ebed31fb-220e-4f3a-b69b-04c3d21697cb}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25A3B87-6AA6-4836-BED7-B6A5B0F803F6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cjkafzkh"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1d291a44"=-
"BM1e1a29d8"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= -
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SystemCheck2"=-
"WebProxy"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJASigf]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]

Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 JMateer
  • Topic Starter

  • Members
  • 14 posts
  • Local time:06:18 AM

Posted 15 May 2008 - 09:01 AM

Sam:

So far so good! Here is the combofix log after inserting CFScript:

ComboFix 08-05-12.1 - James 2008-05-15 8:23:03.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.242 [GMT -5:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Temp\dUbc1002.exe
C:\WINDOWS\b2new.exe
C:\WINDOWS\index.html
C:\WINDOWS\system32\adiysvwp.exe
C:\WINDOWS\system32\bmpsktlm.dll
C:\WINDOWS\system32\cbcawpow.dll
C:\WINDOWS\system32\cbXOIxwu.dll
C:\WINDOWS\system32\chohecrf.dll
C:\WINDOWS\system32\dfathxla.dll
C:\WINDOWS\system32\eigfjsio.dll
C:\WINDOWS\system32\ejwwbfsx.dll
C:\WINDOWS\system32\ewnmonqr.dll
C:\WINDOWS\system32\gtnaqcby.dll
C:\WINDOWS\system32\hjesiinh.exe
C:\WINDOWS\system32\hvlslrhe.dll
C:\WINDOWS\system32\jgdptgbe.dll
C:\WINDOWS\system32\jmqnvycp.dll
C:\WINDOWS\system32\kufbaldv.dll
C:\WINDOWS\system32\kvxqsmru.ini
C:\WINDOWS\system32\ljJASigf.dll
C:\WINDOWS\system32\lsubspjr.exe
C:\WINDOWS\system32\lteegise.exe
C:\WINDOWS\system32\lvvoehsx.dll
C:\WINDOWS\system32\opnmNEtR.dll
C:\WINDOWS\system32\oydegout.exe
C:\WINDOWS\system32\PAaIlUtv.ini
C:\WINDOWS\system32\plelabke.dll
C:\WINDOWS\system32\pmnljHax.dll
C:\WINDOWS\system32\pvvfwssk.dll
C:\WINDOWS\system32\qtcyhfef.exe
C:\WINDOWS\System32\rzblkfnf.ykx
C:\WINDOWS\system32\sqlghcdy.dll
C:\WINDOWS\system32\tfbykatk.dll
C:\WINDOWS\system32\uiqhwrxh.dll
C:\WINDOWS\system32\uwxIOXbc.ini
C:\WINDOWS\system32\uwxIOXbc.ini2
C:\WINDOWS\system32\uxldtpgm.dll
C:\WINDOWS\system32\vpybsbnr.exe
C:\WINDOWS\system32\wnqfieoe.dll
C:\WINDOWS\system32\wyfuawil.dll
C:\WINDOWS\system32\xgfdflgt.dll
C:\WINDOWS\system32\xxyyxwxV.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Temp\dUbc1002.exe
C:\Temp\tmpvc14
C:\Temp\tmpvc14\dllvc.log
C:\WINDOWS\b2new.exe
C:\WINDOWS\index.html
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\1036a
C:\WINDOWS\system32\adiysvwp.exe
C:\WINDOWS\system32\bmpsktlm.dll
C:\WINDOWS\system32\cbcawpow.dll
C:\WINDOWS\system32\cbXOIxwu.dll
C:\WINDOWS\system32\cdfig
C:\WINDOWS\system32\cdfig\bdserv23.exe
C:\WINDOWS\system32\chohecrf.dll
C:\WINDOWS\system32\dfathxla.dll
C:\WINDOWS\system32\dFrnx06
C:\WINDOWS\system32\dFrnx06\dFrnx061083.exe
C:\WINDOWS\system32\eigfjsio.dll
C:\WINDOWS\system32\ejwwbfsx.dll
C:\WINDOWS\system32\ewnmonqr.dll
C:\WINDOWS\system32\GgOUwyxx.ini
C:\WINDOWS\system32\GgOUwyxx.ini2
C:\WINDOWS\system32\gtnaqcby.dll
C:\WINDOWS\system32\hjesiinh.exe
C:\WINDOWS\system32\hvlslrhe.dll
C:\WINDOWS\system32\jgdptgbe.dll
C:\WINDOWS\system32\jmqnvycp.dll
C:\WINDOWS\system32\kgymgjla.ini
C:\WINDOWS\system32\kufbaldv.dll
C:\WINDOWS\system32\kvxqsmru.ini
C:\WINDOWS\system32\ljJASigf.dll
C:\WINDOWS\system32\lsubspjr.exe
C:\WINDOWS\system32\lteegise.exe
C:\WINDOWS\system32\lvvoehsx.dll
C:\WINDOWS\system32\MUI2
C:\WINDOWS\system32\opnmNEtR.dll
C:\WINDOWS\system32\oydegout.exe
C:\WINDOWS\system32\PAaIlUtv.ini
C:\WINDOWS\system32\pmnljHax.dll
C:\WINDOWS\system32\pvvfwssk.dll
C:\WINDOWS\system32\qtcyhfef.exe
C:\WINDOWS\system32\RtENmnpo.ini
C:\WINDOWS\system32\RtENmnpo.ini2
C:\WINDOWS\system32\spoolX
C:\WINDOWS\system32\spoolX\NsDatdsrv.exe
C:\WINDOWS\system32\sqlghcdy.dll
C:\WINDOWS\system32\tfbykatk.dll
C:\WINDOWS\system32\uiqhwrxh.dll
C:\WINDOWS\system32\uwxIOXbc.ini
C:\WINDOWS\system32\uwxIOXbc.ini2
C:\WINDOWS\system32\uxldtpgm.dll
C:\WINDOWS\system32\vpybsbnr.exe
C:\WINDOWS\system32\winRem
C:\WINDOWS\system32\winRem\xmapi2pi.exe
C:\WINDOWS\system32\wnqfieoe.dll
C:\WINDOWS\system32\wyfuawil.dll
C:\WINDOWS\system32\xgfdflgt.dll
C:\WINDOWS\system32\xxyyxwxV.dll
C:\WINDOWS\system32\yyJlmnnn.ini
C:\WINDOWS\system32\yyJlmnnn.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RZBLKFNF
-------\Service_RZBLKFNF


((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 08:22 . 2008-05-15 08:22 98,928 --a------ C:\WINDOWS\system32\ryqvlwma.dll
2008-05-15 08:16 . 2008-05-15 08:16 2,048 --a------ C:\WINDOWS\system32\ebiugjym.exe
2008-05-15 08:11 . 2008-05-15 08:11 90,304 --a------ C:\WINDOWS\system32\guegefev.dll
2008-05-15 08:10 . 2008-05-15 08:10 314,480 --a------ C:\WINDOWS\system32\nnnmlJyy.dll
2008-05-14 23:34 . 2008-05-14 23:34 98,928 --a------ C:\WINDOWS\system32\sxcckoes.dll
2008-05-14 23:31 . 2008-05-14 23:31 2,048 --a------ C:\WINDOWS\system32\rfucptcv.exe
2008-05-14 23:26 . 2008-05-14 23:26 90,208 --a------ C:\WINDOWS\system32\cxhujxqk.dll
2008-05-14 23:25 . 2008-05-14 23:25 314,448 --a------ C:\WINDOWS\system32\xxywUOgG.dll
2008-05-14 19:06 . 2008-05-14 19:06 83,152 --a------ C:\WINDOWS\system32\aljgmygk.dll
2008-05-14 19:04 . 2008-05-14 19:04 90,208 --a------ C:\WINDOWS\system32\suacaljv.dll
2008-05-14 19:01 . 2008-05-14 19:01 <DIR> d--hs---- C:\FOUND.023
2008-05-14 18:57 . 2008-05-14 18:57 90,208 --a------ C:\WINDOWS\system32\mlypphex.dll
2008-05-14 18:45 . 2008-05-14 18:45 <DIR> d--hs---- C:\FOUND.022
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Documents and Settings\James\Application Data\SUPERAntiSpyware.com
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-14 08:29 . 2008-05-14 08:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 18:07 . 2008-05-13 18:07 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 09:19 . 2008-05-13 09:19 <DIR> d-------- C:\Deckard
2008-05-12 12:13 . 2008-05-12 12:10 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-12 12:13 . 2008-05-12 12:13 2,547 --a------ C:\WINDOWS\unins000.dat
2008-05-12 11:07 . 2008-05-12 11:07 <DIR> d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000
2008-05-12 11:07 . 2008-05-14 11:03 8,192 --ah----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\NTUSER.DAT.LOG
2008-05-12 09:06 . 2008-05-12 09:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-12 08:59 . 2008-05-14 19:02 109,803 --a------ C:\WINDOWS\BM1e1a29d8.xml
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\Temp
2008-05-04 22:10 . 2002-08-18 19:43 794,624 --a------ C:\WINDOWS\system32\spr32d35.dll
2008-05-04 21:32 . 2008-05-04 21:32 <DIR> d-------- C:\Program Files\Punch! Home Design - Platinum
2008-05-03 17:47 . 2008-05-03 17:47 <DIR> d-------- C:\Documents and Settings\James\Application Data\DTLink Software
2008-05-03 08:19 . 2008-05-03 08:19 <DIR> d--hs---- C:\FOUND.021

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 21:36 428,904 ----a-w C:\WINDOWS\system32\Incinerator.dll
2008-03-24 13:53 34,304 ----a-w C:\WINDOWS\system32\iolobtdfg.exe
2008-03-24 13:53 22,528 ----a-w C:\WINDOWS\system32\smrgdf.exe
.

------- Sigcheck -------

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-13_18.15.28.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 23:12:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 13:28:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 13:30:08 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-05-14 13:30:08 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-05-15 13:28:24 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_4dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{373AF871-3BC8-4CF0-8066-0C0D34EEC8A1}]
2008-05-14 23:25 314448 --a------ C:\WINDOWS\System32\xxywUOgG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62ecbe10-8327-4173-9b40-c5faa5e4d87d}]
2008-05-15 08:22 98928 --a------ C:\WINDOWS\System32\ryqvlwma.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1430FF9-2ED1-48A3-BC33-2A9965A4B753}]
2008-05-15 08:10 314480 --a------ C:\WINDOWS\System32\nnnmlJyy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 12:08 68856]
"System Mechanic Popup Blocker"="C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe" [2007-06-18 17:01 514664]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccessoriesPlus"="C:\Program Files\SPT\Accessories Plus\clockplus.exe" [2002-05-20 18:00 410112]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 16:36 764776]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-11-20 12:50 51200 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\James\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-02 22:23:47 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CompuServe 7.0 Tray Icon.lnk - C:\Program Files\CompuServe 7.0\cstray.exe [2004-05-30 11:45:29 32840]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56 217194]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-03-01 13:32:30 278528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\WINDOWS\System32\dvacm.acm

R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-03-29 12:31]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-05-02 12:31]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 12:00]
S3 VisorUsb;Handspring USB;C:\WINDOWS\System32\DRIVERS\VisorUsb.sys []

.

#10 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:18 AM

Posted 15 May 2008 - 10:50 AM

It's hanging tough. Let's hit it again with a new script.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, to your desktop.

File::
C:\WINDOWS\system32\ryqvlwma.dll
C:\WINDOWS\system32\ebiugjym.exe
C:\WINDOWS\system32\guegefev.dll
C:\WINDOWS\system32\nnnmlJyy.dll
C:\WINDOWS\system32\sxcckoes.dll
C:\WINDOWS\system32\rfucptcv.exe
C:\WINDOWS\system32\cxhujxqk.dll
C:\WINDOWS\system32\xxywUOgG.dll
C:\WINDOWS\system32\aljgmygk.dll
C:\WINDOWS\system32\suacaljv.dll
C:\WINDOWS\system32\mlypphex.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{373AF871-3BC8-4CF0-8066-0C0D34EEC8A1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62ecbe10-8327-4173-9b40-c5faa5e4d87d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1430FF9-2ED1-48A3-BC33-2A9965A4B753}]

Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


Make sure you reboot even if it doesn't ask you to.
Then try running Superantispyware again and post that log for me if it works.


========================================================
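The two CFScript passes above (posts #8 and #10) were built by hand from the ComboFix report: the helper picked out the reversed-name .dll/.ini pairs (cbXOIxwu.dll beside uwxIOXbc.ini) and every Browser Helper Object that was either orphaned or backed by a freshly created DLL, then listed them under File:: and Registry::. As an added example, not part of this thread or of ComboFix itself, the Python script below applies those same two signals to a constructed excerpt of the report and renders the File:: and Registry:: sections in the syntax the posts use; the {00000000-0000-0000-0000-000000000001} CLSID is a placeholder standing in for a legitimate BHO.

```python
"""Triage helper for ComboFix-style reports (added example, not ComboFix's own code).

It reads the 'Files Created' lines and the Browser Helper Objects entries of a
report, applies two signals visible in the thread above, and prints the File::
and Registry:: sections in CFScript syntax for a helper to review by hand."""
import re
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the report in this thread; the last BHO CLSID
# is a placeholder for a legitimate entry whose DLL was not created recently.
SAMPLE_REPORT = r"""
2008-05-14 18:55 . 2008-05-14 18:55 314,448 --a------ C:\WINDOWS\system32\cbXOIxwu.dll
2008-05-14 18:55 . 2008-05-14 18:55 347 --ahs---- C:\WINDOWS\system32\uwxIOXbc.ini2
2008-05-14 18:55 . 2008-05-14 18:56 347 --ahs---- C:\WINDOWS\system32\uwxIOXbc.ini
2008-05-14 17:00 . 2008-05-14 17:00 314,448 --a------ C:\WINDOWS\system32\opnmNEtR.dll
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 09:06 . 2008-05-12 09:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E59A4A5-5029-42AA-AAB2-CDFAE592794C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C64C138-BD25-4BF9-A387-20BC3170C36C}]
2008-05-14 18:55 314448 --a------ C:\WINDOWS\System32\cbXOIxwu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66206B92-F408-43AC-97DF-C5ACD988A5C9}]
2008-05-14 17:00 314448 --a------ C:\WINDOWS\System32\opnmNEtR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
"""

# 'Files Created' line: created-date . modified-date size attributes path
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?:<DIR>|[\d,]+) \S{9} (?P<path>[A-Za-z]:\\.+)$")
BHO_KEY = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9A-Fa-f-]+\})\]$")
WIN_PATH = re.compile(r"(?P<path>[A-Za-z]:\\\S.*)$")


def parse_report(text):
    """Return (created, bhos): created maps lower-cased path -> path as printed
    for every 'Files Created' line; bhos maps each BHO key -> DLL path or None."""
    created, bhos, pending = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_KEY.match(line)
        if m:                        # a BHO key; its DLL (if any) is on the next line
            pending = m.group("key")
            bhos[pending] = None
            continue
        if pending is not None:      # line after a key: a path, or blank for an orphan
            m = WIN_PATH.search(line)
            if m:
                bhos[pending] = m.group("path")
            pending = None
            continue
        m = FILE_LINE.match(line)
        if m:
            created[m.group("path").lower()] = m.group("path")
    return created, bhos


def reversed_twins(created):
    """Signal 1: a .dll whose reversed basename exists beside it as .ini/.ini2,
    the pairing seen in the report above (cbXOIxwu.dll next to uwxIOXbc.ini)."""
    flagged = {}
    for path in created.values():
        p = PureWindowsPath(path)
        if p.suffix.lower() != ".dll":
            continue
        for ext in (".ini", ".ini2"):
            twin = str(p.with_name(p.stem[::-1] + ext)).lower()
            if twin in created:
                flagged[path] = "reversed-name twin of " + PureWindowsPath(created[twin]).name
                flagged[created[twin]] = "companion .ini of " + p.name
    return flagged


def triage(text):
    """Combine both signals. Returns (flagged_files, flagged_keys), each mapping
    the item to a short reason so a helper can review before anything is deleted."""
    created, bhos = parse_report(text)
    files = reversed_twins(created)
    keys = {}
    for key, dll in bhos.items():
        clsid = key.rsplit("\\", 1)[1]
        if dll is None:                          # Signal 2a: orphaned BHO entry
            keys[key] = "BHO " + clsid + " has no backing file"
        elif dll.lower() in created:             # Signal 2b: BHO DLL created in the window
            keys[key] = "BHO " + clsid + " loads a file created in the report window"
            files.setdefault(created[dll.lower()], "loaded as BHO " + clsid)
    return files, keys


def build_cfscript(files, keys):
    """Render the File:: and Registry:: sections in the syntax used in the thread;
    '[-KEY]' (the .reg-file convention) asks for the whole key to be removed."""
    lines = ["File::", *sorted(files, key=str.lower), "", "Registry::"]
    lines += ["[-" + key + "]" for key in keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    files, keys = triage(SAMPLE_REPORT)
    for item, reason in {**files, **keys}.items():
        print(f"{reason:<60} {item}")
    print(build_cfscript(files, keys))
```

Run against the excerpt it flags the four system32 files and three BHO keys while leaving the SUPERAntiSpyware entry alone; the printed reasons are there so the script's output is reviewed, not applied blindly.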

#11 JMateer
  • Topic Starter

  • Members
  • 14 posts
  • Local time:06:18 AM

Posted 15 May 2008 - 04:25 PM

Sam:

I followed instructions. I still can't run SAS without a lockup when it scans the registry. Again, it seems to lock up when it's scanning the following area: HKLM\Software\Microsoft\Windows\Current Version\Internet Settings\Zone Map\Domain\ (final entry here has varied with each lockup).

Is there any connection to my problem with the numerous folders I found in my Windows directory ["A file named "spuninst.exe" and "spuninst.bat" are multiplying within folders named "$NTuninstall......." under the Windows directory (about 80 of them now). "]? Is spuninst.exe a malware file and if so, how and at what point do we delete these?

Thanks again.
Jim

ComboFix text following CFScript #2 follows:

ComboFix 08-05-12.1 - James 2008-05-15 14:47:29.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.314 [GMT -5:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\aljgmygk.dll
C:\WINDOWS\system32\cxhujxqk.dll
C:\WINDOWS\system32\ebiugjym.exe
C:\WINDOWS\system32\guegefev.dll
C:\WINDOWS\system32\mlypphex.dll
C:\WINDOWS\system32\nnnmlJyy.dll
C:\WINDOWS\system32\rfucptcv.exe
C:\WINDOWS\system32\ryqvlwma.dll
C:\WINDOWS\system32\suacaljv.dll
C:\WINDOWS\system32\sxcckoes.dll
C:\WINDOWS\system32\xxywUOgG.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aljgmygk.dll
C:\WINDOWS\system32\cxhujxqk.dll
C:\WINDOWS\system32\ebiugjym.exe
C:\WINDOWS\system32\GgOUwyxx.ini
C:\WINDOWS\system32\GgOUwyxx.ini2
C:\WINDOWS\system32\guegefev.dll
C:\WINDOWS\system32\mlypphex.dll
C:\WINDOWS\system32\nnnmlJyy.dll
C:\WINDOWS\system32\rfucptcv.exe
C:\WINDOWS\system32\ryqvlwma.dll
C:\WINDOWS\system32\suacaljv.dll
C:\WINDOWS\system32\sxcckoes.dll
C:\WINDOWS\system32\xxywUOgG.dll
C:\WINDOWS\system32\yyJlmnnn.ini
C:\WINDOWS\system32\yyJlmnnn.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 08:34 . 2008-05-15 08:34 <DIR> d--hs---- C:\FOUND.024
2008-05-14 19:01 . 2008-05-14 19:01 <DIR> d--hs---- C:\FOUND.023
2008-05-14 18:45 . 2008-05-14 18:45 <DIR> d--hs---- C:\FOUND.022
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Documents and Settings\James\Application Data\SUPERAntiSpyware.com
2008-05-14 08:30 . 2008-05-14 08:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-14 08:29 . 2008-05-14 08:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 18:07 . 2008-05-13 18:07 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 09:19 . 2008-05-13 09:19 <DIR> d-------- C:\Deckard
2008-05-12 12:13 . 2008-05-12 12:10 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-12 12:13 . 2008-05-12 12:13 2,547 --a------ C:\WINDOWS\unins000.dat
2008-05-12 11:07 . 2008-05-12 11:07 <DIR> d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000
2008-05-12 11:07 . 2008-05-14 11:03 8,192 --ah----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\NTUSER.DAT.LOG
2008-05-12 09:06 . 2008-05-12 09:06 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-12 08:59 . 2008-05-14 19:02 109,803 --a------ C:\WINDOWS\BM1e1a29d8.xml
2008-05-11 11:21 . 2008-05-11 11:21 <DIR> d-------- C:\Temp
2008-05-04 22:10 . 2002-08-18 19:43 794,624 --a------ C:\WINDOWS\system32\spr32d35.dll
2008-05-04 21:32 . 2008-05-04 21:32 <DIR> d-------- C:\Program Files\Punch! Home Design - Platinum
2008-05-03 17:47 . 2008-05-03 17:47 <DIR> d-------- C:\Documents and Settings\James\Application Data\DTLink Software
2008-05-03 08:19 . 2008-05-03 08:19 <DIR> d--hs---- C:\FOUND.021

.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 May 2008 - 01:57 AM

Is there any connection to my problem with the numerous folders I found in my Windows directory ["A file named "spuninst.exe" and "spuninst.bat" are multiplying within folders named "$NTuninstall......." under the Windows directory (about 80 of them now). "]? Is spuninst.exe a malware file and if so, how and at what point do we delete these?

These are not malware files; they are related to your Windows updates. They are there in case you want to uninstall one of the critical updates that Windows installs. Unless you are really short on space on your hard drive, I recommend leaving them alone.


Please post a new log from DSS.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

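A way to check the point Sam makes above for yourself. This is an added example, not code from the thread, from ComboFix or from any of the tools named here. It assumes the XP layout in which each hotfix keeps a folder named $NtUninstallKBnnnnnn$ (older ones $NtUninstallQnnnnnn$, some with a suffix such as -IE8) under the Windows directory, with the uninstaller spuninst.exe inside a spuninst subfolder; a folder that carries the $NtUninstall prefix but breaks that naming, or has no spuninst.exe, is the one worth a closer look. The folder names in the block are constructed, and the directory listing is injected so the classifier runs off the affected machine.

```python
"""Classify $NtUninstall* folders under the Windows directory (XP-era layout).

Legitimate hotfix uninstall folders are named $NtUninstallKBnnnnnn$ or
$NtUninstallQnnnnnn$ (optionally with a -suffix) and contain spuninst.exe.
Anything with the prefix but outside that pattern, or lacking the uninstaller,
is returned as suspicious so it can be checked by hand.
"""
import os
import re

# KB or Q number, optional "-IE8"-style suffix, wrapped in $...$ (assumption: XP naming).
UPDATE_DIR_RE = re.compile(
    r"^\$NtUninstall(?P<id>(?:KB|Q)\d+)(?:[-_][\w.-]+)?\$$", re.IGNORECASE)

# Constructed sample listing of a Windows directory; not taken from the user's machine.
SAMPLE_LISTING = [
    "$NtUninstallKB123456$",      # normal hotfix folder
    "$NtUninstallQ112233$",       # older Q-numbered hotfix folder
    "$NtUninstallKB234567-IE8$",  # hotfix for a component, suffixed name
    "$NtUninstallKB999999$",      # right name, but no uninstaller inside
    "$NtUninstallUpdate$",        # prefix only, no KB/Q number
    "$NtServicePackUninstall$",   # service pack folder, different prefix: ignored
    "system32",
]
SAMPLE_WITH_UNINSTALLER = {
    "$NtUninstallKB123456$", "$NtUninstallQ112233$", "$NtUninstallKB234567-IE8$"}


def classify_uninstall_dirs(names, has_spuninst):
    """names: entries of the Windows directory; has_spuninst(name) -> bool.

    Returns (sorted list of update ids, dict of suspicious folder -> reason).
    """
    update_ids, suspicious = [], {}
    for name in names:
        if not name.lower().startswith("$ntuninstall"):
            continue
        m = UPDATE_DIR_RE.match(name)
        if not m:
            suspicious[name] = "prefix used but name is not $NtUninstallKBnnnnnn$"
        elif not has_spuninst(name):
            suspicious[name] = "no spuninst.exe inside"
        else:
            update_ids.append(m["id"].upper())
    return sorted(update_ids), suspicious


def has_spuninst_on_disk(windir, name):
    """True if spuninst.exe exists in the folder's spuninst subfolder (or its root)."""
    return any(os.path.isfile(os.path.join(windir, name, *parts))
               for parts in (("spuninst", "spuninst.exe"), ("spuninst.exe",)))


def scan_windows_dir(windir=None):
    """Run the classifier against the live Windows directory."""
    windir = windir or os.environ.get("SystemRoot", r"C:\WINDOWS")
    return classify_uninstall_dirs(
        os.listdir(windir), lambda n: has_spuninst_on_disk(windir, n))


if __name__ == "__main__":
    ids, odd = classify_uninstall_dirs(SAMPLE_LISTING, SAMPLE_WITH_UNINSTALLER.__contains__)
    print("update folders:", ", ".join(ids))
    for folder, reason in odd.items():
        print("check:", folder, "-", reason)
```

The update ids the classifier returns can be compared against the hotfixes listed in Add or Remove Programs (with "Show updates" ticked); a folder with no matching hotfix is the next thing to question.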

========================================================

#13 JMateer

JMateer
  • Topic Starter

  • Members
  • 14 posts

Posted 16 May 2008 - 11:35 AM

Sam:

Here is the latest HJT file printout as requested:

Thanks.
Jim

Deckard's System Scanner v20071014.68
Run by James on 2008-05-16 11:26:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as James.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27, on 2008-05-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SPT\Accessories Plus\UpdateTime.exe
C:\Program Files\SPT\Accessories Plus\UpdateTime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SPT\Accessories Plus\clockplus.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Documents and Settings\James\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\James.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AccessoriesPlus] "C:\Program Files\SPT\Accessories Plus\clockplus.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Launch Pepid Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} (Netscape) - http://downloads.netscape.com/search/toolbar/netscape.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://enet.phci.org/dana-cached/setup/JuniperSetupSP1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7373 bytes

-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-16 11:27:20 0 d-------- C:\Program Files\Trend Micro
2008-05-15 14:55:40 0 d--hs---- C:\FOUND.025
2008-05-15 08:34:00 0 d--hs---- C:\FOUND.024
2008-05-15 08:26:20 32768 --a------ C:\WINDOWS\PSEXESVC.EXE
2008-05-14 19:01:34 0 d--hs---- C:\FOUND.023
2008-05-14 18:45:10 0 d--hs---- C:\FOUND.022
2008-05-14 08:30:23 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-14 08:30:02 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-14 08:30:02 0 d-------- C:\Documents and Settings\James\Application Data\SUPERAntiSpyware.com
2008-05-14 08:29:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 18:06:55 68096 --a------ C:\WINDOWS\zip.exe
2008-05-13 18:06:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-13 18:06:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-13 18:06:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-13 18:06:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-13 18:06:55 98816 --a------ C:\WINDOWS\sed.exe
2008-05-13 18:06:55 80412 --a------ C:\WINDOWS\grep.exe
2008-05-13 18:06:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-12 12:13:19 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-12 12:13:19 2547 --a------ C:\WINDOWS\unins000.dat
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Templates
2008-05-12 11:07:01 0 dr------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Start Menu
2008-05-12 11:07:01 0 dr-h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\SendTo
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Recent
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\PrintHood
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\NetHood
2008-05-12 11:07:01 0 d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\My Documents
2008-05-12 11:07:01 0 d--h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Local Settings
2008-05-12 11:07:01 0 d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Favorites
2008-05-12 11:07:01 0 d-------- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Desktop
2008-05-12 11:07:01 0 d---s---- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Cookies
2008-05-12 11:07:01 0 dr-h----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Application Data
2008-05-12 11:07:01 0 d---s---- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\Application Data\Microsoft
2008-05-12 11:07:00 1835008 --ah----- C:\Documents and Settings\Administrator.DIGITALMEDIA.000\NTUSER.DAT
2008-05-11 11:21:13 0 d-------- C:\Temp
2008-05-11 11:15:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-11 11:15:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-05-11 11:15:12 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-04 22:10:42 794624 --a------ C:\WINDOWS\System32\spr32d35.dll <Not Verified; FarPoint Technologies, Inc.; Spread>
2008-05-04 21:32:14 0 d-------- C:\Program Files\Punch! Home Design - Platinum
2008-05-03 17:47:17 0 d-------- C:\Documents and Settings\James\Application Data\DTLink Software
2008-05-03 08:19:22 0 d--hs---- C:\FOUND.021


-- Find3M Report ---------------------------------------------------------------

2008-05-15 21:33:26 384 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat
2008-05-15 21:33:26 384 --a------ C:\WINDOWS\System32\DVCState-{00000000-00000000-0000000B-00001102-00000004-00531102}.dat
2008-03-24 08:53:22 22528 --a------ C:\WINDOWS\System32\smrgdf.exe
2008-03-24 08:53:20 34304 --a------ C:\WINDOWS\System32\iolobtdfg.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AccessoriesPlus"="C:\Program Files\SPT\Accessories Plus\clockplus.exe" [2002-05-20 18:00]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 C:\WINDOWS\system32\CTHELPER.EXE]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 16:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 12:08]
"System Mechanic Popup Blocker"="C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe" [2007-06-18 17:01]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\James\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-02 22:23:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CompuServe 7.0 Tray Icon.lnk - C:\Program Files\CompuServe 7.0\cstray.exe [2004-05-30 11:45:29]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-03-01 13:32:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-05-16 11:28:15 ------------

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 May 2008 - 08:27 AM

Since Superantispyware is not working out for us, go ahead and uninstall it now.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\WINDOWS\DOWNLO~1\netscape.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present



Reboot your computer.


Download and scan with the free 15-day trial of CounterSpy.
Save the report when it's finished:
  • Once CounterSpy has finished scanning, the 'Scan Results' box will appear.
  • Click on 'View Results'.
  • Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to Remove.
  • Then click on Take Action.
  • Once everything has been removed, click on View Details.
  • Copy and paste those details into your next reply here.

How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


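The three lines Sam picks out above are chosen by rules a helper applies to every HijackThis log: an entry whose target is reported "(file missing)" is an orphan, an O4 Run value whose executable is gone (the DSS registry dump shows ccApp with an empty "[]" where the other Run values show a file date) is an orphan too, an O6 line means an Internet Explorer Restrictions policy has been written, and an O23 service with "Unknown owner" has no publisher in its version information. The Python below is an added example that encodes those rules, not code from the thread or from HijackThis. The sample lines are copied from the log posted above; the file-existence check is injected as a function so the triage runs off the affected machine, and its output is a list of entries to review, not a verdict.

```python
"""Triage a HijackThis (HJT) log: flag the entry kinds a helper checks first.

Rules, each taken from the reasoning in the thread:
  * an entry tagged "(file missing)" is an orphan left behind by an uninstall
  * an O4 Run entry whose executable no longer exists is an orphan too
  * O6 means an Internet Explorer "Restrictions" policy has been written
  * O23 services reporting "Unknown owner" carry no publisher information
Findings are candidates for review, not verdicts.
"""
import os
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: Netscape - {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - C:\\WINDOWS\\DOWNLO~1\\netscape.dll (file missing)
O4 - HKLM\\..\\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\\WINDOWS\\PSEXESVC.EXE
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[ORFN]\d+)\s+-\s+(?P<body>.+)$")
# Only Run/RunOnce values; O4 Startup-folder shortcuts do not match and are skipped.
O4_RE = re.compile(r"Run(?:Once)?:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
# An unquoted command line is cut at the first executable-looking extension.
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    kind: str   # O2, O4, O23, ...
    body: str   # everything after "Onn - "
    line: str   # the original log line


@dataclass
class Finding:
    line: str
    reason: str


def parse_hjt(text):
    """Keep only the Onn/Rnn/Fnn/Nnn entries; the process list and headers are dropped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"], raw.strip()))
    return entries


def run_target(cmd):
    """Executable path of an O4 command line, quoted or not: returns (path, quoted).

    An unquoted path with spaces is ambiguous: CreateProcess tries C:\\Program.exe
    before C:\\Program Files\\..., so such entries are reported for a look.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)], True
    m = EXE_RE.match(cmd)
    return (m["path"] if m else (cmd.split()[0] if cmd else "")), False


def triage(entries, exists=os.path.exists):
    """Apply the rules. `exists` is injectable so the logic can run off the machine."""
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append(Finding(e.line, "target file missing: orphaned entry"))
        elif e.kind == "O4":
            m = O4_RE.search(e.body)
            if not m:
                continue
            target, quoted = run_target(m["cmd"])
            if "\\" not in target:
                findings.append(Finding(e.line, f"bare name {target}: resolved via the search path, check which copy runs"))
            elif not exists(target):
                findings.append(Finding(e.line, f"startup target absent: {target}"))
            elif not quoted and " " in target:
                findings.append(Finding(e.line, "unquoted path with spaces: ambiguous to CreateProcess"))
        elif e.kind == "O6":
            findings.append(Finding(e.line, "IE Restrictions policy present"))
        elif e.kind == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding(e.line, "service binary has no publisher in its version info"))
    return findings


if __name__ == "__main__":
    # Off-box run: pretend only the Google Toolbar binary is still on disk.
    for f in triage(parse_hjt(SAMPLE_LOG), exists=lambda p: "Google" in p):
        print(f"{f.reason:62} {f.line}")
```

On the live machine, call triage(parse_hjt(open("hijackthis.log").read())) with the default os.path.exists; the PsExec service line is flagged by the "Unknown owner" rule only so that someone looks at it, which is the same standard the helper applies to every unfamiliar service.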
========================================================

#15 JMateer

JMateer
  • Topic Starter

  • Members
  • 14 posts

Posted 18 May 2008 - 01:05 PM

Sam:

I followed the above instructions. Attached are: 1. CounterSpy details after a "Quick" scan and action applied. 2. CounterSpy details after a subsequent "Full Scan" and action applied. 3. A current HJT log (done after both CounterSpy actions were completed and the computer rebooted).

The CounterSpy scan did not lock up. It found a lot of malware files, which were all deleted (except ComboFix-related files).

Now, my computer did not like these actions. It is running very slowly - especially for any program that uses explorer interface (explorer, Office software, etc.) and is locking up with these. Other programs (like Punch home design or HJT) seem to be running fine. The computer has to be forced down to turn it off.

What's the next step? Should we just nuke this thing?

Thanks.

Jim
_______________________________________________________________________________________________________________________
Scan History Details
Start Date: 2008-05-17 12:18:07
End Date: 2008-05-17 12:28:56
Total Time: 10 Min 49 Sec
Detected security risks

BookedSpace Browser Plug-in more information...
Details: BookedSpace is an Internet Explorer Browser Helper Object used to show popup advertising.
Status: Deleted

Files detected
C:\WINDOWS\bsx32\ADTMI1.bsx
C:\WINDOWS\bsx32\ADVC5.bsx
C:\WINDOWS\bsx32\ADVCTX2.bsx
C:\WINDOWS\bsx32\ASIB9894.bsx
C:\WINDOWS\bsx32\ASIC29667.bsx
C:\WINDOWS\bsx32\ASID12180.bsx
C:\WINDOWS\bsx32\ASIE17070.bsx
C:\WINDOWS\bsx32\ASIF29819.bsx
C:\WINDOWS\bsx32\ASIF4502.bsx
C:\WINDOWS\bsx32\ASIFA15376.bsx
C:\WINDOWS\bsx32\ASIFWH29233.bsx
C:\WINDOWS\bsx32\ASIG21943.bsx
C:\WINDOWS\bsx32\ASIGT10102.bsx
C:\WINDOWS\bsx32\ASIH21180.bsx
C:\WINDOWS\bsx32\ASIH7853.bsx
C:\WINDOWS\bsx32\ASII21469.bsx
C:\WINDOWS\bsx32\ASIL18549.bsx
C:\WINDOWS\bsx32\ASILS29399.bsx
C:\WINDOWS\bsx32\ASIM9740.bsx
C:\WINDOWS\bsx32\ASIOG19375.bsx
C:\WINDOWS\bsx32\ASIOT25456.bsx
C:\WINDOWS\bsx32\ASIPF1965.bsx
C:\WINDOWS\bsx32\ASIR21184.bsx
C:\WINDOWS\bsx32\ASIRE20082.bsx
C:\WINDOWS\bsx32\ASIS24110.bsx
C:\WINDOWS\bsx32\ASIS31590.bsx
C:\WINDOWS\bsx32\ASIT17011.bsx
C:\WINDOWS\bsx32\ASIT26116.bsx
C:\WINDOWS\bsx32\ASIW11211.bsx
C:\WINDOWS\bsx32\ASIWS3.bsx
C:\WINDOWS\bsx32\AUTOS2.bsx
C:\WINDOWS\bsx32\BID1.bsx
C:\WINDOWS\bsx32\BingoRoom1.bsx
C:\WINDOWS\bsx32\CARD2.bsx
C:\WINDOWS\bsx32\CARS3.bsx
C:\WINDOWS\bsx32\DATE4.bsx
C:\WINDOWS\bsx32\EECH1.bsx
C:\WINDOWS\bsx32\EML1.bsx
C:\WINDOWS\bsx32\FAST1.bsx
C:\WINDOWS\bsx32\FINC3.bsx
C:\WINDOWS\bsx32\FINC5.bsx
C:\WINDOWS\bsx32\FLWR1.bsx
C:\WINDOWS\bsx32\FMND1.bsx
C:\WINDOWS\bsx32\HERBS1.bsx
C:\WINDOWS\bsx32\INK1.bsx
C:\WINDOWS\bsx32\JOBS4.bsx
C:\WINDOWS\bsx32\MOVS2.bsx
C:\WINDOWS\bsx32\NEWS2.bsx
C:\WINDOWS\bsx32\SHOP2.bsx
C:\WINDOWS\bsx32\SPZ3.bsx
C:\WINDOWS\bsx32\TECH2.bsx
C:\WINDOWS\bsx32\TRVL6.bsx
C:\WINDOWS\bsx32\TVEN1.bsx
C:\WINDOWS\bsx32\UTONE2.bsx
C:\WINDOWS\bsx32\WWW3.bsx
C:\WINDOWS\bsx32\XTFL2.bsx
C:\WINDOWS\BSX32


SubSearch/HighTraffic Browser Plug-in more information...
Details: SubSearch/HighTraffic is an Internet Explorer Browser Helper Object. It detects when you are using a search engine, and opens its own 'enhanced results' sidebar containing paid links.
Status: Deleted

Files detected
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\IESERVICE\inf.fil
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\IESERVICE


KaZaA P2P Program more information...
Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-1229272821-1580818891-854245398-1003\SOFTWARE\KAZAA
HKEY_USERS\S-1-5-21-1229272821-1580818891-854245398-1003\SOFTWARE\KAZAA\LocalContent


KeenValue.PerfectNav Hijacker more information...
Details: The PerfectNav Internet Explorer spyware software is designed to redirect your URL typing errors to PerfectNav's web page.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8E148FF0-F42E-42FE-95C0-BAA9FCDA72B8}\1.0\HELPDIR


Transponder.TPS108 Browser Plug-in more information...
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\SOFTWARE\TPS108
HKEY_LOCAL_MACHINE\SOFTWARE\SOFTWARE\TPS108


Trojan-Clicker.gen Trojan more information...
Details: Trojan-Clicker.gen is a program designed to generate requests to certain Web URLs.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32


Xplugin Trojan Downloader more information...
Details: Xplugin is an adware type program, which offers the application in which it is included at the only cost of viewing a series of adult advertisements.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9896231A-C487-43A5-8369-6EC9B0A96CC0}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9896231A-C487-43A5-8369-6EC9B0A96CC0}


WindUpdates Browser Plug-in more information...
Details: WindUpdates is an adware application that installs as a browser plug-in and displays advertising on the desktop.
Status: Deleted

Files detected
C:\WINDOWS\system32\winupdt.001
C:\WINDOWS\system32\winupdt.bin


My Search Bar Potentially Unwanted Program more information...
Details: My Search Bar and the variants "My Way Speedbar" and "My Way Search Assistant", are browser helper objects that allows you to search on multiple search engines.
Status: Deleted

Files detected
C:\PROGRAM FILES\MySearch\bar\History\search
C:\PROGRAM FILES\MYSEARCH
C:\PROGRAM FILES\MYSEARCH\BAR
C:\PROGRAM FILES\MYSEARCH\BAR\HISTORY


Fastfind Browser Plug-in more information...
Details: Fastfind is an Internet Explorer plugin that may be used to display targeted advertisements.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\Implemented Categories
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\Programmable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\Version
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2E65A557-173C-4DE9-860B-28FC5CACA542}\Version
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\Implemented Categories
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\Programmable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\Version
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9}\Version


AproposMedia.ContextPlus Hijacker more information...
Details: AproposMedia.ContextPlus is a component of PeopleOnPage that spawns pop-up ads and hijacks browser settings including the user's default homepage and search settings. Some variants may install a toolbar.
Status: Deleted

Files detected
C:\PROGRAM FILES\CxtPls\AI_20-11-2004.log
C:\PROGRAM FILES\CxtPls\data.bin
C:\PROGRAM FILES\CXTPLS


DailyToolbar Toolbar more information...
Details: DailyToolbar is a pornographic-related toolbar that periodically generates pop-up advertisements.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\APPID\DAILYTOOLBAR.DLL
HKEY_LOCAL_MACHINE\Software\Classes\APPID\DAILYTOOLBAR.DLL
HKEY_LOCAL_MACHINE\Software\Classes\APPID\{951B3138-AE8E-4676-A05A-250A5F111631}
HKEY_LOCAL_MACHINE\Software\Classes\APPID\{951B3138-AE8E-4676-A05A-250A5F111631}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{10195311-E434-47A9-ADBA-48839E3F7E4E}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{10195311-E434-47A9-ADBA-48839E3F7E4E}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{ABAFA0B4-F78D-42E5-8C31-1A441D01C1DF}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{ABAFA0B4-F78D-42E5-8C31-1A441D01C1DF}


Vx2.ZServ Trojan more information...
Details: Part of the Vx2 Transponder infection.
Status: Deleted

Files detected
C:\WINDOWS\ZServ.dll


TMKSoft.Admess Adware (General) more information...
Details: Admess opens Web pages and displays advertisements with adult content. Admess is related to Xplugin by the same vendor.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\APPID\WSTART.DLL
HKEY_LOCAL_MACHINE\Software\Classes\APPID\WSTART.DLL
HKEY_LOCAL_MACHINE\Software\Classes\APPID\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}
HKEY_LOCAL_MACHINE\Software\Classes\APPID\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}


Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-1229272821-1580818891-854245398-1003\SOFTWARE\WGET


KeyLogger (Kaksoft) Key Logger more information...
Details: KeyLogger (Kaksoft) is an easy-to-use tool to monitor every keystroke on your own computer
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-1229272821-1580818891-854245398-1003\SOFTWARE\KAKSOFTSTUDIO


Trojan.FakeAlert Trojan more information...
Details: Trojan.FakeAlert consists of files that cause false warnings of spyware on the computer. Usually the alerts are displayed in a balloon type pop-up from an icon in the system tray.
Status: Deleted

Files detected
C:\WINDOWS\balloon.wav


Trojan.Smitfraud Trojan more information...
Details: Trojan.Smitfraud is a group of programs that are used to download rogue security products and change the user's desktop to display false warnings that the computer is infected with spyware.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\ADOBEPNL.ADOBE_PANEL
HKEY_LOCAL_MACHINE\Software\Classes\ADOBEPNL.ADOBE_PANEL
HKEY_LOCAL_MACHINE\Software\Classes\ADOBEPNL.ADOBE_PANEL\Clsid
HKEY_LOCAL_MACHINE\Software\Classes\ADOBEPNL.ADOBE_PANEL\Clsid
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81}
HKEY_LOCAL_MACHINE\Software\Classes\URL_RELPACER.URLRESOLVER
HKEY_LOCAL_MACHINE\Software\Classes\URL_RELPACER.URLRESOLVER


Trojan.Tfactory-A Trojan more information...
Details: Trojan.Tfactory-A is a program that purports to be a spyware and adware remover, but actually installs dummy files which it then detects as spyware to frighten the user into purchasing the program.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\Implemented Categories
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\Programmable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\VERSION
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}\VERSION
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}\ProxyStubClsid
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\INTERFACE\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\OFFICE_PNL.OFFICE_PANEL
HKEY_LOCAL_MACHINE\Software\Classes\OFFICE_PNL.OFFICE_PANEL
HKEY_LOCAL_MACHINE\Software\Classes\OFFICE_PNL.OFFICE_PANEL\Clsid
HKEY_LOCAL_MACHINE\Software\Classes\OFFICE_PNL.OFFICE_PANEL\Clsid
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}\1.0\HELPDIR


Trojan-Downloader.Win32.Small.dkt Trojan Downloader more information...
Status: Deleted

Files detected
C:\WINDOWS\system32\ansi.cfg


Hyperlinks Rotator Browser Plug-in more information...
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\Implemented Categories
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1212BCB8-67DD-475E-8025-9D2198FB8F61}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8334A30C-49E5-489A-B63D-5B927C1EF46E}\VersionIndependentProgID


Cookie: Tracking Cookies Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\james\cookies\james@2o7[1].txt
c:\documents and settings\james\cookies\james@2o7[2].txt
c:\documents and settings\james\cookies\james@ad.yieldmanager[2].txt
c:\documents and settings\james\cookies\james@burstnet[1].txt
c:\documents and settings\james\cookies\james@cgi-bin[2].txt
c:\documents and settings\james\cookies\james@en[1].txt
c:\documents and settings\james\cookies\james@overture[1].txt
c:\documents and settings\james\cookies\james@revsci[2].txt
c:\documents and settings\james\cookies\james@shareit[1].txt
c:\documents and settings\james\cookies\james@smartmoney[1].txt
c:\documents and settings\james\cookies\james@tribalfusion[2].txt
c:\documents and settings\james\cookies\james@www.softandco[1].txt




__________________________________________________________________________________________________
Scan History Details
Start Date: 2008-05-17 13:15:12
End Date: 2008-05-17 14:07:28
Total Time: 52 Min 16 Sec
Detected security risks

ClickSpring.PuritySCAN Adware (General) more information...
Details: PurityScan is an ad supported program that scans the user's Internet Explorer files, including browser cache, cookies and history for pornographic/adult related words and allows the user to delete them.
Status: Deleted

Files detected
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir


CWS.DesktopHijack Adware (General) more information...
Details: CWS.DesktopHijack hijacks the Internet Explorer home page and search page, installs a toolbar, and hijacks the desktop to display deceptive ads for rogue security products.
Status: Deleted

Files detected
C:\WINDOWS\download_box.gif
C:\WINDOWS\footer_back.jpg
C:\WINDOWS\header_3.gif
C:\WINDOWS\header_4.gif
C:\WINDOWS\icon_warning_big.gif
C:\WINDOWS\infected.gif
C:\WINDOWS\warning_icon.gif
C:\WINDOWS\win_logo.gif


Zenotecnico Adware (General) more information...
Details: Zenotecnico is a program used to display pop-up advertisements based upon user browsing habits.
Status: Deleted

Files detected
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\winRem\xmapi2pi.exe.vir


iDesk Adware (General) more information...
Details: iDesk is an application that sits on the desktop to guide users to the findwhales web site
Status: Deleted

Files detected
C:\WINDOWS\system32\spyware.bmp


Backdoor.Unidentified.gen Backdoor more information...
Status: Ignored

Files detected
C:\ComboFix\NirCmdC.cfexe


Trojan-Downloader.Win32.Agent.aww Trojan Downloader more information...
Status: Deleted

Files detected
C:\ComboFix\swxcacls.cfexe
C:\WINDOWS\swxcacls.exe


TopInstalls Trojan Downloader more information...
Status: Deleted

Files detected
C:\QooBox\Quarantine\C\WINDOWS\b2new.exe.vir


Hyperlinks Rotator Browser Plug-in more information...
Status: Deleted

Files detected
C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir
C:\QooBox\Quarantine\C\Program Files\QdrDrive\qdrloader.exe.vir
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir


Trojan-Downloader.VB.VQL Trojan Downloader more information...
Status: Deleted

Files detected
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\wmsdkns.exe.vir


Trojan.BHO.Agent.Z Trojan more information...
Status: Deleted

Files detected
C:\QooBox\Quarantine\C\Program Files\QdrDrive\QdrDrive15.dll.vir


Trojan-Dropper.AdBand.W.2 Trojan Downloader more information...
Status: Deleted

Files detected
C:\QooBox\Quarantine\C\WINDOWS\system32\000060.exe.vir


Trojan-Downloader.Win32.VB.ehl Trojan Downloader more information...
Status: Deleted

Files detected
C:\QooBox\Quarantine\C\WINDOWS\system32\dFrnx06\dFrnx061083.exe.vir




________________________________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40, on 2008-05-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SPT\Accessories Plus\clockplus.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Pepid\PepidMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AccessoriesPlus] "C:\Program Files\SPT\Accessories Plus\clockplus.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 7\PopupBlocker.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: AdsGone 2006.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Launch Pepid Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - http://downloads.netscape.com/search/toolbar/netscape.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://enet.phci.org/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6733 bytes
