Infected With Coolwwwsearch.leftovers


  • This topic is locked
20 replies to this topic

#1 Mike R. D.

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:52 PM

Posted 15 May 2008 - 10:38 PM

Hi,

My computer has 7 infections (Coolwwwsearch.leftovers/180Solutions.SearchAssistant/2020Search/Zango/Smithfraud-C/Smithfraud-C.gp/SecondThoughts.STCLoader) that I just can't get rid of. I've run Spybot numerous times to get rid of them. Spybot says it needs to run on reboot to complete the removal process, which I allow it to do, but when it finishes and the computer reboots into Windows again, a new scan shows that the problems remain. I've tried running it in Windows safe mode, but I get the same results. In fact, the adware starts up with Windows in Safe Mode too! I have made sure that both Windows and Spybot are up-to-date with patches/updates.

I have tried to follow the HJT and Malware Removal Prep Guide and have scanned the PC with Kaspersky and DSS. Please see the HJT/DSS & Spybot logs below. The Kaspersky log is very large (5+ MB), too large to attach, so I've included a link where it can be downloaded: Kaspersky Scan Log (http://ourfamilysite.homeip.net/Kaspersky_Scan_Log.txt in case the link doesn't work)

In addition, I've attached an extra DSS Scan log that says to attach it with the post. Thank you in advance for any help you may provide.

(Moderator edit: shortened Topic Title for forum viewing purposes and added Topic Description. jgweed)

PC Info:

Computer: Dell Dimension DM061
Processor: Pentium D 2.66 GHz
RAM: 1 GB
OS: WinXP Media Center Edition, SP2


********************************************************************************************************************************DSS/HIJACK THIS LOG**************************************************
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-26 00:11:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore
--------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
29: 2008-04-26 07:12:04 UTC - RP502 - Deckard's System Scanner Restore Point
28: 2008-04-26 02:43:44 UTC - RP501 - Spybot-S&D Spyware removal
27: 2008-04-26 00:43:15 UTC - RP500 - Spybot-S&D Spyware removal
26: 2008-04-26 00:42:06 UTC - RP499 - Spybot-S&D Spyware removal
25: 2008-04-26 00:40:49 UTC - RP498 - Spybot-S&D System Internals


-- First Restore Point --
1: 2008-04-07 03:22:51 UTC - RP474 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe)
---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:37 AM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
C:Program FilesCommon FilesSymantec SharedSPBBCSPBBCSvc.exe
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1COMMON~1AOLACSAOLacsd.exe
C:Program FilesCommon FilesAppleMobile Device
SupportbinAppleMobileDeviceService.exe
C:WINDOWSeHomeehRecvr.exe
C:WINDOWSeHomeehSched.exe
C:Program FilesIntelIntel Matrix Storage ManagerIaantmon.exe
C:Program FilesLogMeInx86RaMaint.exe
C:Program FilesLogMeInx86LogMeIn.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSwinself.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesViewpointCommonViewpointService.exe
C:WINDOWSwanmpsvc.exe
C:WINDOWSsystem32fxssvc.exe
C:WINDOWSehomemcrdsvc.exe
C:WINDOWSsystem32dllhost.exe
C:WINDOWSSystem32alg.exe
C:Program FilesViewpointViewpoint ManagerViewMgr.exe
C:WINDOWSsystem32wmsdkns.exe
C:WINDOWSExplorer.EXE
C:Documents and SettingsAll UsersApplication Datasvuzctgpmvgpohsl.exe
C:WINDOWSstsystra.exe
C:Program FilesLogMeInx86LogMeInSystray.exe
C:Program FilesiTunesiTunesHelper.exe
C:WINDOWSsystem32regsvr32.exe
C:Documents and SettingsAll UsersApplication DataCommonehsdgjqb.exe
C:WINDOWSsystem32snqbmrsj.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesDigital Line DetectDLG.exe
C:Program FilesKodakKodak EasyShare softwarebinEasyShare.exe
C:Program FilesKodakKODAK Software Updater7288971ProgramKodak
Software Updater.exe
C:Program FilesiPodbiniPodService.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Program FilesLogMeInx86LogMeIn.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Documents and SettingsAdministratorDesktopdss.exe
C:Documents and SettingsAll UsersApplication DataCommonehsdgjqb.exe
C:WINDOWSsystem32msiexec.exe
C:PROGRA~1TRENDM~1HIJACK~1Administrator.exe
C:WINDOWSsystem32wbemwmiprvse.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL =
www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061110
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL =
http://www.dell.com
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page =
http://www.dell.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerSearch,Default_Page_URL
= www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061110
R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext =
http://winsecuritysolutions.com/?aid=444.0
F2 - REG:system.ini:
UserInit=C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program
FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f} -
C:WINDOWShunqvmdm.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection -
{53707962-6F74-2D53-2644-206D7942484F} -
C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -
C:WINDOWSSystem32DLADLASHX_W.DLL
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:Program
FilesBatBat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:Program FilesJavajre1.5.0_06binssv.dll
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} -
C:Program FilesQdrDriveQdrDrive15.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Viewpoint Toolbar BHO -
{A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:Program
FilesViewpointViewpoint Toolbar3.8.0ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program
filesgooglegoogletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO -
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program
FilesGoogleGoogleToolbarNotifier2.0.301.7164swg.dll
O2 - BHO: Browser Address Error Redirector -
{CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:Program FilesBAEBAE.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:program filesgooglegoogletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar -
{F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:Program FilesCommon
FilesViewpointToolbar Runtime3.8.0IEViewBar.dll
O4 - HKLM..Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
O4 - HKLM..Run: [LogMeIn GUI] "C:Program
FilesLogMeInx86LogMeInSystray.exe"
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [lubudops] regsvr32 /u "C:Documents and
SettingsAll UsersApplication Datalubudops.dll"
O4 - HKLM..Run: [apicfgwin] C:Documents and SettingsAll
UsersApplication DataCommonehsdgjqb.exe
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE
C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [MSConfig]
C:WINDOWSPCHealthHelpCtrBinariesMSConfig.exe /auto
O4 - HKLM..RunOnce: [SpybotSnD] "C:Program FilesSpybot - Search &
DestroySpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKCU..Run: [nzunyzka] C:WINDOWSsystem32snqbmrsj.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [jwqvtlbb] C:WINDOWSsystem32idqrkxsd.exe
O4 - HKCU..Run: [gsgdnaje] C:WINDOWSsystem32nklylode.exe
O4 - HKCU..Run: [ptvlafvs] C:WINDOWSsystem32xqvopktu.exe
O4 - HKCU..Run: [nsxmtofu] C:WINDOWSsystem32wjaxqvwn.exe
O4 - HKLM..PoliciesExplorerRun: [g6bghUFGHF] C:Documents and
SettingsAll UsersApplication Datasvuzctgpmvgpohsl.exe
O4 - HKUSS-1-5-21-2455963964-3395364074-987033648-1011..Run:
[DellSupport] "C:Program FilesDell SupportDSAgnt.exe" /startup
(User 'LogMeInRemoteUser')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:Program
FilesKodakKodak EasyShare softwarebinEasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:Program
FilesKodakKODAK Software Updater7288971ProgramKodak Software
Updater.exe
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerControl Panel present
O8 - Extra context menu item: &Google Search - res://C:Program
FilesGoogleGoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -
res://C:Program FilesGoogleGoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:Program
FilesGoogleGoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:Program FilesGoogleGoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:PROGRA~1MI1933~1OFFICE11EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:Program
FilesGoogleGoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -
res://C:Program FilesGoogleGoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:Program FilesJavajre1.5.0_06binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program
FilesJavajre1.5.0_06binssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:PROGRA~1MI1933~1OFFICE11REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:WINDOWSsystem32Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}
- C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program
FilesMessengermsmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
- http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
-
http://update.microsoft.com/microsoftupdat...b?1163995300396
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour
Photo Online Control) -
https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer
Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - AppInit_DLLs: C:PROGRA~1GoogleGOOGLE~1GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC -
C:PROGRA~1COMMON~1AOLACSAOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:Program
FilesCommon FilesAppleMobile Device
SupportbinAppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
Corporation - C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) -
Symantec Corporation - C:Program FilesSymantec AntiVirusDefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program
FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) -
Intel Corporation - C:Program FilesIntelIntel Matrix Storage
ManagerIaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:Program FilesCommon
FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:Program
FilesiPodbiniPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:PROGRA~1SymantecLIVEUP~1LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc.
- C:Program FilesLogMeInx86RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:Program
FilesLogMeInx86LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:WINDOWSsystem32nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:Program
FilesSymantec AntiVirusSavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:Program FilesCommon FilesSymantec SharedSNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:Program
FilesCommon FilesSymantec SharedSPBBCSPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:Program
FilesSymantec AntiVirusRtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation -
C:Program FilesViewpointCommonViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -
America Online, Inc. - C:WINDOWSwanmpsvc.exe

--
End of file - 12589 bytes

-- File Associations
-----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
---------------------

R1 DVDVRRdr_xp - c:windowssystem32driversdvdvrrdr_xp.sys <Not
Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 ASCTRM - c:windowssystem32driversasctrm.sys <Not Verified;
Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S3 DSproct - c:program filesdell
supportgtactiontriggersdsproct.sys <Not Verified; GTek Technologies
Ltd.; processt>
S3 NAL (Nal Service ) - c:windowssystem32driversiqvw32.sys <Not
Verified; Intel Corporation; Intel® iQVW32.SYS>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
--------------------

R2 Apple Mobile Device - "c:program filescommon filesapplemobile
device supportbinapplemobiledeviceservice.exe" <Not Verified; Apple,
Inc.; Apple Mobile Device Service>
R2 Viewpoint Manager Service - "c:program
filesviewpointcommonviewpointservice.exe" <Not Verified; Viewpoint
Corporation; Viewpoint Manager>
R4 MsSecurity1.209.4 (MsSecurity Updated) - c:windowswinself.exe service


-- Device Manager: Disabled
----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks
-------------------------------------------------------------

2008-04-25 18:30:00 358 --a------ C:WINDOWSTasksMcAfee.com
Scan for Viruses - My Computer (DAY-Debby Day).job
2008-04-25 16:04:01 284 --a------
C:WINDOWSTasksAppleSoftwareUpdate.job
2008-04-20 17:46:01 444 --a------ C:WINDOWSTasksEasyShare
Registration Task.job


-- Files created between 2008-03-26 and 2008-04-26
-----------------------------

2008-04-26 00:15:20 0 d-------- C:Program FilesTrend Micro
2008-04-25 22:05:31 0 d---s---- C:Documents and
SettingsAdministratorUserData
2008-04-25 21:54:41 0 d-------- C:WINDOWSsystem32Kaspersky Lab
2008-04-25 21:54:41 0 d-------- C:Documents and SettingsAll
UsersApplication DataKaspersky Lab
2008-04-25 21:54:39 0 d-------- C:WINDOWSLastGood
2008-04-25 20:03:44 110592 --a------ C:WINDOWSsystem32wjaxqvwn.exe
2008-04-25 20:00:45 0 dr-hs---- C:cmdcons
2008-04-25 20:00:44 0 d-------- C:WINDOWSsetup.pss
2008-04-25 20:00:35 0 d-------- C:WINDOWSsetupupd
2008-04-25 19:12:55 0 d-------- C:WINDOWSpss
2008-04-25 18:16:24 122880 --a------ C:WINDOWSsystem32xqvopktu.exe
2008-04-25 17:44:27 134184778 --a------
C:Windows_Registry_Backup_4-25-08.reg <WINDOW~1.REG>
2008-04-25 17:43:33 21504 --a------ C:WINDOWSstcloader.exe
2008-04-25 17:43:32 23552 --a------ C:WINDOWS2020search2.dll
2008-04-25 17:43:32 25088 --a------ C:WINDOWS2020search.dll
2008-04-25 17:30:08 0 d-------- C:Documents and
SettingsAdministratorApplication DataViewpoint
2008-04-25 17:06:43 122880 --a------ C:WINDOWSsystem32nklylode.exe
2008-04-25 15:49:43 102400 --a------ C:WINDOWSsystem32idqrkxsd.exe
2008-04-25 15:46:50 15104 --a------ C:WINDOWSbjam.dll
2008-04-25 13:18:12 14848 --a------ C:WINDOWSbokja.exe
2008-04-25 13:16:11 9216 --a------ C:WINDOWScdsm32.dll
2008-04-25 09:47:49 0 d-------- C:Documents and
SettingsAdministratorApplication DataMacromedia
2008-04-25 09:47:49 0 d-------- C:Documents and
SettingsAdministratorApplication DataAdobe
2008-04-24 22:22:38 0 d-------- C:Documents and
SettingsTEMPApplication DataAdobe
2008-04-24 20:07:16 114688 --a------ C:WINDOWSsystem32fejmlatw.exe
2008-04-24 20:02:02 0 d-------- C:Documents and
SettingsTEMPApplication DataIntuit
2008-04-24 19:56:45 0 d-------- C:Documents and
SettingsAdministratorApplication DataIntuit
2008-04-24 19:29:17 0 d-------- C:Documents and
SettingsTEMPApplication DataGoogle
2008-04-23 21:31:57 0 d-------- C:Documents and
SettingsTEMPApplication Dataacccore
2008-04-23 21:31:54 0 d-------- C:Documents and
SettingsTEMPApplication DataAIMPro
2008-04-23 21:31:48 94208 --a------ C:WINDOWSsystem32oderqnkx.exe
2008-04-23 21:31:27 0 d--h----- C:Documents and
SettingsTEMPTemplates
2008-04-23 21:31:27 0 dr------- C:Documents and
SettingsTEMPStart Menu
2008-04-23 21:31:27 0 dr-h----- C:Documents and SettingsTEMPSendTo
2008-04-23 21:31:27 0 dr-h----- C:Documents and SettingsTEMPRecent
2008-04-23 21:31:27 0 d--h----- C:Documents and
SettingsTEMPPrintHood
2008-04-23 21:31:27 2359296 --ah----- C:Documents and
SettingsTEMPNTUSER.DAT
2008-04-23 21:31:27 0 d--h----- C:Documents and SettingsTEMPNetHood
2008-04-23 21:31:27 0 dr------- C:Documents and
SettingsTEMPMy Documents
2008-04-23 21:31:27 0 d--h----- C:Documents and
SettingsTEMPLocal Settings
2008-04-23 21:31:27 0 dr------- C:Documents and
SettingsTEMPFavorites
2008-04-23 21:31:27 0 d-------- C:Documents and SettingsTEMPDesktop
2008-04-23 21:31:27 0 d---s---- C:Documents and SettingsTEMPCookies
2008-04-23 21:31:27 0 dr-h----- C:Documents and
SettingsTEMPApplication Data
2008-04-23 21:31:27 0 d---s---- C:Documents and
SettingsTEMPApplication DataMicrosoft
2008-04-23 21:31:27 0 d-------- C:Documents and
SettingsTEMPApplication DataInstallShield
2008-04-23 21:31:27 0 d-------- C:Documents and
SettingsTEMPApplication DataIdentities
2008-04-23 21:31:27 0 d--h----- C:Documents and
SettingsTEMPApplication DataGtek
2008-04-23 21:26:47 0 d-------- C:Documents and
SettingsAdministratorApplication DataApple Computer
2008-04-23 11:09:39 0 d-------- C:Documents and
SettingsAdministratorApplication DataGoogle
2008-04-23 10:19:12 4096 --a------ C:WINDOWSsystem32winlogonpc.exe
2008-04-23 10:19:11 4096 --a------ C:WINDOWSsystem32taack.exe
2008-04-23 10:19:11 4096 --a------ C:WINDOWSsystem32taack.dat
2008-04-23 10:19:11 4096 --a------ C:WINDOWSsystem32sncntr.exe
2008-04-23 10:19:11 4096 --a------ C:WINDOWSsystem32mwin32.exe
2008-04-23 10:19:11 4096 --a------ C:WINDOWSsystem32hxiwlgpm.exe
2008-04-23 10:19:11 4096 --a------ C:WINDOWSsystem32hxiwlgpm.dat
2008-04-23 10:19:11 4096 --a------ C:WINDOWSsystem32hoproxy.dll
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32thun32.dll
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32thun.dll
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32temp#01.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32ssvchost.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32ssvchost.com
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32ssurf022.dll
2008-04-23 10:19:10 0 d-------- C:WINDOWSsystem32smp
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32regm64.dll
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32regc64.dll
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32psoft1.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32psof1.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32ps1.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32netode.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32mtr2.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32msvchost.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32msnbho.dll
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32msgp.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32medup012.dll
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32dpcproxy.exe
2008-04-23 10:19:10 4096 --a------ C:WINDOWSsystem32bsva-egihsg52.exe
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32WINWGPX.EXE
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32winsystem.exe
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32vcatchpi.dll
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32vbsys2.dll
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32sysreq.exe
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32Rundl1.exe
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32newsd32.exe
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32mssecu.exe
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32emesx.dll
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32bdn.com
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32awtoolb.dll
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32anticipator.dll
2008-04-23 10:19:09 4096 --a------ C:WINDOWSsystem32akttzn.exe
2008-04-23 10:19:00 94208 --a------ C:WINDOWSsystem32snqbmrsj.exe
2008-04-23 10:19:00 0 d-------- C:Documents and
SettingsAdministratorApplication Dataacccore
2008-04-23 10:18:59 0 d-------- C:Documents and
SettingsAdministratorApplication DataAIMPro
2008-04-23 10:06:20 0 d-------- C:41ca95805cf65078822f <41CA95~1>
2008-04-22 20:39:55 0 d-------- C:Documents and SettingsAll
UsersApplication DataSpybot - Search & Destroy
2008-04-22 20:37:06 0 d-------- C:Setup_Files <SETUP_~1>
2008-04-20 21:23:38 0 d-------- C:Program FilesPC-Cleaner
2008-04-20 07:58:19 98304 --a------ C:WINDOWSsystem32mxuzadin.exe
2008-04-19 15:55:22 22784 --a------ C:WINDOWSvoiceip.dll
2008-04-19 15:55:22 25344 --a------ C:WINDOWSswin32.dll
2008-04-19 15:55:22 15616 --a------ C:WINDOWSmssvr.exe
2008-04-19 15:55:22 19712 --a------ C:WINDOWSmspphe.dll
2008-04-19 15:55:18 19968 --a------ C:WINDOWSsaiemod.dll
2008-04-19 15:55:18 9728 --a------ C:WINDOWSmsapasrc.dll
2008-04-19 15:55:18 27904 --a------ C:WINDOWSmsa64chk.dll
2008-04-19 15:55:17 9728 --a------ C:WINDOWSshdocpl.dll
2008-04-19 15:55:16 27136 --a------ C:WINDOWSwinsb.dll
2008-04-19 15:55:16 27648 --a------ C:WINDOWSshdocpe.dll
2008-04-19 15:55:16 26880 --a------ C:WINDOWSntnut.exe
2008-04-19 15:55:15 28416 --a------ C:WINDOWSbrowserad.dll
2008-04-19 15:55:15 16384 --a------ C:WINDOWSaviwrap32.dll
2008-04-19 15:55:15 17152 --a------ C:WINDOWSavisynthex32.dll
2008-04-19 15:55:15 13056 --a------ C:WINDOWSavifile32.dll
2008-04-19 15:55:15 21248 --a------ C:WINDOWSautodisc32.dll
2008-04-19 15:55:15 21248 --a------ C:WINDOWSaudiosrv32.dll
2008-04-19 15:55:15 30208 --a------ C:WINDOWSati2dvag32.dll
2008-04-19 15:55:14 20480 --a------ C:WINDOWSchangeurl_30.dll
2008-04-19 15:55:14 9984 --a------ C:WINDOWSati2dvaa32.dll
2008-04-19 15:55:14 18432 --a------ C:WINDOWSathprxy32.dll
2008-04-19 15:55:14 16640 --a------ C:WINDOWSasycfilt32.dll
2008-04-19 15:55:14 16640 --a------ C:WINDOWSasferror32.dll
2008-04-19 15:55:14 11264 --a------ C:WINDOWSapphelp32.dll
2008-04-19 15:23:36 0 d-------- C:Program FilesQdrPack
2008-04-19 15:23:30 0 d-------- C:Program FilesQdrModule
2008-04-19 15:23:29 0 d-------- C:Program FilesQdrDrive
2008-04-19 15:23:29 0 d-------- C:Program FilesISM
2008-04-19 15:23:00 0 d-------- C:Documents and
SettingsLocalServiceApplication DataMacromedia
2008-04-19 15:23:00 0 d-------- C:Documents and
SettingsLocalServiceApplication DataAdobe
2008-04-19 15:22:57 0 d-------- C:WINDOWSsystem32??mbols
2008-04-19 15:22:52 0 d-------- C:Documents and SettingsAll
UsersApplication Datasvuzctgp
2008-04-19 15:22:52 0 d-------- C:Documents and SettingsAll
UsersApplication DataCommon
2008-04-19 15:22:48 192512 --a------ C:WINDOWSrenipaby.dll
2008-04-19 15:22:48 0 d-------- C:WINDOWSPerfInfo
2008-04-19 15:22:48 0 d-------- C:WINDOWSmgwwgmke
2008-04-19 15:22:47 65024 --a------ C:Documents and SettingsAll
UsersApplication Datalubudops.dll
2008-04-19 15:22:46 65024 --a------ C:WINDOWShunqvmdm.dll
2008-04-19 15:22:45 0 d-------- C:Program Files??sembly
2008-04-19 15:22:40 0 d-------- C:Documents and SettingsAll
UsersApplication DataRabio
2008-04-19 15:22:39 4 --a------ C:WINDOWSsystem32winfrun32.bin
2008-04-19 15:22:38 89515 --a------
C:WINDOWSsystem32wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-19 15:22:38 89515 --a------ C:WINDOWSlfn.exe <Not
Verified; Microsoft; XML Media>
2008-04-19 15:22:37 0 d-------- C:Program FilesBat
2008-04-19 15:22:23 28672 --a------ C:WINDOWSwinself.exe
2008-04-19 15:22:06 6656 --a------ C:WINDOWSctions.dll
2008-04-18 16:58:40 6656 --a------ C:WINDOWSsystem32000060.exe
2008-04-13 13:45:36 0 d-------- C:Program FilesSafari
2008-04-13 13:38:53 0 d-------- C:Program FilesiPod
2008-04-11 11:44:58 229526 --a------ C:WINDOWSsystem32000080.exe
2008-04-04 22:29:14 270694 --a------ C:WINDOWSsystem32000090.exe
2008-04-03 07:44:28 0 d-------- C:Documents and
SettingsAdminApplication DataAIMPro
2008-04-03 07:44:28 0 d-------- C:Documents and
SettingsAdminApplication Dataacccore
2008-03-30 23:01:14 0 d-------- C:Documents and
SettingsvisitorApplication DataCorel
2008-03-29 19:27:39 0 d-------- C:Documents and
SettingsvisitorAIMPro
2008-03-29 19:24:42 0 d-------- C:Documents and
SettingsvisitorApplication DataAdobe
2008-03-29 19:24:12 0 d-------- C:Documents and
SettingsvisitorApplication DataAIMPro


-- Find3M Report
---------------------------------------------------------------

2008-04-26 00:14:03 0 d-------- C:Program FilesLogMeIn
2008-04-25 19:09:35 545207 --a------ C:logfile
2008-04-25 13:17:33 0 d-------- C:Program FilesCommon Files
2008-04-23 00:00:44 0 d-------- C:Program FilesGreetings Workshop
2008-04-22 20:38:55 0 d-------- C:Program FilesSymantec AntiVirus
2008-04-22 20:38:55 0 d-------- C:Program FilesCommon
FilesSymantec Shared
2008-04-19 20:16:38 2516 --ahs---- C:WINDOWSsystem32KGyGaAvL.sys
2008-04-19 20:04:41 88 -r-hs---- C:WINDOWSsystem32AAD8C3D184.sys
2008-04-19 15:22:45 0 d-------- C:Program Files??sembly
2008-04-13 13:39:34 0 d-------- C:Program FilesiTunes
2008-04-13 13:36:38 0 d-------- C:Program FilesQuickTime
2008-03-19 16:01:36 0 d-------- C:Program FilesAIM


-- Registry Dump
---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE~Browser Helper
Objects{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}]
04/19/2008 03:22 PM 65024 --a------ C:WINDOWShunqvmdm.dll

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{63F7460B-C831-4142-A4AA-5EC303EC4343}]
03/07/2008 09:15 PM 413696 --a------ C:Program FilesBatBat.dll

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{8334A30C-49E5-489a-B63D-5B927C1EF46E}]
04/03/2008 01:05 PM 147456 --a------ C:Program FilesQdrDriveQdrDrive15.dll

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE~Browser Helper
Objects{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [07/24/2006 04:20 PM C:\WINDOWS\stsystra.exe]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [08/03/2007 04:09 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"lubudops"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\lubudops.dll" []
"apicfgwin"="C:\Documents and Settings\All Users\Application Data\Common\ehsdgjqb.exe" [04/19/2008 03:22 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/16/2006 02:39 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [09/26/2005 05:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nzunyzka"="C:\WINDOWS\system32\snqbmrsj.exe" [04/23/2008 10:19 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 04:00 AM]
"jwqvtlbb"="C:\WINDOWS\system32\idqrkxsd.exe" [04/25/2008 03:49 PM]
"gsgdnaje"="C:\WINDOWS\system32\nklylode.exe" [04/25/2008 05:06 PM]
"ptvlafvs"="C:\WINDOWS\system32\xqvopktu.exe" [04/25/2008 06:16 PM]
"nsxmtofu"="C:\WINDOWS\system32\wjaxqvwn.exe" [04/25/2008 08:03 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [11/10/2006 11:00:28 AM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2/20/2007 5:10:26 AM]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 2:12:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"g6bghUFGHF"=C:\Documents and Settings\All Users\Application Data\svuzctgpmvgpohsl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ehshell.exe]
Debugger="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" -MceShellRedirect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsSecurity1.209.4"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe"
"Corel Photo Downloader"=C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

-- Hosts
-----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8300 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-26 00:16:14
------------



******************************************************************************************************************************************************SPYBOT LOG**************************************

--- Report generated: 2008-04-28 14:25 ---

Zango: [SBI $DF8DAC14] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929CD6E-2062-44a4-B2C5-2C7E78FBAB38}

180Solutions.SearchAssistant: [SBI $AB2A8735] Executable (File, fixed)
C:\WINDOWS\didduid.ini

180Solutions.SearchAssistant: [SBI $D1508A11] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

2020Search: [SBI $1C86D773] Library (File, fixed)
C:\WINDOWS\2020search2.dll

2020Search: [SBI $524079D1] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-92C6-CE7EB590A94D}

CoolWWWSearch.Leftovers: [SBI $C5CA9532] Library (File, fixed)
C:\WINDOWS\2020search.dll

Smitfraud-C.: [SBI $DAFF8341] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Smitfraud-C.: [SBI $749A49D8] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}

Smitfraud-C.: [SBI $CA8B78D4] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}

Smitfraud-C.: [SBI $D738367D] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}

Smitfraud-C.: [SBI $8A7B2B35] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}

Smitfraud-C.: [SBI $A507ED05] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}

Smitfraud-C.: [SBI $81292234] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}

Smitfraud-C.: [SBI $73C55E9B] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}

Smitfraud-C.gp: [SBI $29222CE9] Web page (File, fixed)
C:\WINDOWS\default.htm

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-2455963964-3395364074-987033648-500\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $B2E55F62] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr

SecondThought.STCLoader: [SBI $CD09A67D] Executable (File, fixed)
C:\WINDOWS\stcloader.exe

Virtumonde: [SBI $3BE84E58] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-2455963964-3395364074-987033648-500\Software\mwc


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-04-22 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-04-16 Includes\Adware.sbi (*)
2008-04-24 Includes\AdwareC.sbi (*)
2008-04-24 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-04-24 Includes\DialerC.sbi (*)
2008-04-24 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-04-24 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-04-24 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-04-22 Includes\Malware.sbi (*)
2008-04-24 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-04-24 Includes\PUPSC.sbi (*)
2008-04-24 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-04-24 Includes\SecurityC.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-04-24 Includes\SpybotsC.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-04-24 Includes\SpywareC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-04-24 Includes\Trojans.sbi (*)
2008-04-24 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Edited by jgweed, 16 May 2008 - 08:23 AM.


#2 teacup61

teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:52 PM

Posted 16 May 2008 - 02:08 AM

Hello Mike R. D.,

Welcome to Bleeping Computer :thumbsup:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Mike R. D.

Mike R. D.
  • Topic Starter
  • Members
  • 14 posts
  • Local time:05:52 PM

Posted 16 May 2008 - 12:25 PM

Thanks for welcoming this newbie to the forum :)

Thank you for responding so quickly to my post, Tea. I downloaded and ran MBAM - it looks like it worked...no adware popping up so far! Thank you so much! I have a friend who has this same adware on her computer. Is it safe to run MBAM on her computer to remove it, or is this a solution customized just for my situation? (She's running Win XP Pro.)

Here are the logs you requested...

(MBAM created 2 logs - 1 before restart, another after restart):

*********************************FIRST MBAM LOG**************************************
Malwarebytes' Anti-Malware 1.12
Database version: 755

Scan type: Quick Scan
Objects scanned: 96107
Time elapsed: 21 minute(s), 41 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 1
Registry Keys Infected: 39
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 13
Files Infected: 136

Memory Processes Infected:
c:\WINDOWS\winself.exe (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Common\ehsdgjqb.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Common\ehsdgjqb.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\wmsdkns.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
c:\program files\Bat\Bat.dll (Adware.Batco) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> No action taken.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> No action taken.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> No action taken.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> No action taken.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apicfgwin (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\wmsdkns.exe -> No action taken.

Folders Infected:
C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> No action taken.
C:\Program Files\QdrDrive (Adware.AdBand) -> No action taken.
C:\Program Files\Bat (Adware.Batco) -> No action taken.
C:\Program Files\ISM (Adware.ISM) -> No action taken.
C:\Program Files\QdrModule (Adware.ISM) -> No action taken.
C:\Program Files\QdrPack (Adware.ISM) -> No action taken.
C:\Program Files\PC-Cleaner (Rogue.PC-Cleaner) -> No action taken.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\visitor\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\virii (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\virii (Fake.Dropped.Malware) -> No action taken.

Files Infected:
c:\WINDOWS\winself.exe (Rootkit.Agent) -> No action taken.
c:\program files\Bat\Bat.dll (Adware.Batco) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Common\ehsdgjqb.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\visitor\Local Settings\Temp\BatSetup.exe (Adware.Batco) -> No action taken.
C:\Documents and Settings\visitor\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> No action taken.
C:\Documents and Settings\visitor\Local Settings\Temporary Internet Files\Content.IE5\1MLRSMV8\msiexec[1].exe (Trojan.Clicker) -> No action taken.
C:\Documents and Settings\visitor\Local Settings\Temporary Internet Files\Content.IE5\FB5HX5DE\BatSetup[1].exe (Adware.Batco) -> No action taken.
C:\Documents and Settings\visitor\Local Settings\Temporary Internet Files\Content.IE5\PKP1J55V\leem2[1].exe (Trojan.FakeAlert) -> No action taken.
C:\Program Files\QdrDrive\QdrDrive15.dll (Adware.AdBand) -> No action taken.
C:\Program Files\QdrDrive\qdrloader.exe (Adware.AdBand) -> No action taken.
C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> No action taken.
C:\Program Files\Bat\Bat.exe (Adware.Batco) -> No action taken.
C:\Program Files\Bat\Bat.info (Adware.Batco) -> No action taken.
C:\Program Files\Bat\Bat.original (Adware.Batco) -> No action taken.
C:\Program Files\Bat\Info.dll (Adware.Batco) -> No action taken.
C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Batco) -> No action taken.
C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> No action taken.
C:\Program Files\Bat\X_Bat.exe (Adware.Batco) -> No action taken.
C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> No action taken.
C:\Program Files\ISM\ism.exe (Adware.ISM) -> No action taken.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> No action taken.
C:\Program Files\QdrModule\dicy.gz (Adware.ISM) -> No action taken.
C:\Program Files\QdrModule\kwdy.gz (Adware.ISM) -> No action taken.
C:\Program Files\QdrModule\pckr.dat (Adware.ISM) -> No action taken.
C:\Program Files\QdrModule\QdrModule15.exe (Adware.ISM) -> No action taken.
C:\Program Files\QdrPack\dicts.gz (Adware.ISM) -> No action taken.
C:\Program Files\QdrPack\QdrPack15.exe (Adware.ISM) -> No action taken.
C:\Program Files\QdrPack\trgts.gz (Adware.ISM) -> No action taken.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\visitor\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> No action taken.
C:\Documents and Settings\visitor\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\system32\wmsdkns.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\000060.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\stcloader.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\licencia.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\textos.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> No action taken.
C:\Documents and Settings\visitor\Local Settings\Temp\ie.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\EditorFKWP1.5.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\EditorFKWP2.0.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\filemanagerclient.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\fkwp1.5.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\fkwp2.0.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\fwebd.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\FWebdEditor.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\TEMP\Desktop\Trojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> No action taken.
C:\Documents and Settings\visitor\Local Settings\Temp\ismtpa15.exe (Adware.ISM) -> No action taken.
C:\Documents and Settings\visitor\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> No action taken.


****************************************SECOND MBAM LOG***************************************

Malwarebytes' Anti-Malware 1.12
Database version: 755

Scan type: Quick Scan
Objects scanned: 96107
Time elapsed: 21 minute(s), 41 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 1
Registry Keys Infected: 39
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 13
Files Infected: 136

Memory Processes Infected:
c:\WINDOWS\winself.exe (Rootkit.Agent) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\Common\ehsdgjqb.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\Common\ehsdgjqb.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\wmsdkns.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\Bat\Bat.dll (Adware.Batco) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apicfgwin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\wmsdkns.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\Bat (Adware.Batco) -> Delete on reboot.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\virii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\winself.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\program files\Bat\Bat.dll (Adware.Batco) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Common\ehsdgjqb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Local Settings\Temp\BatSetup.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Local Settings\Temporary Internet Files\Content.IE5\1MLRSMV8\msiexec[1].exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Local Settings\Temporary Internet Files\Content.IE5\FB5HX5DE\BatSetup[1].exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Local Settings\Temporary Internet Files\Content.IE5\PKP1J55V\leem2[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\QdrDrive15.dll (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\qdrloader.exe (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Info.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\ISM\ism.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\dicy.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\kwdy.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\pckr.dat (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule15.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\dicts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\QdrPack15.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\trgts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmsdkns.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\lfn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winfrun32.bin (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Local Settings\Temp\ie.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\blackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\EditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\EditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\filemanagerclient.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\fkwp1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\fkwp2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\fwebd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\FWebdEditor.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Desktop\Trojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Local Settings\Temp\ismtpa15.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\visitor\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.

*******************************************NEW HJT LOG*****************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:15 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061110
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061110
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://winsecuritysolutions.com/?aid=444.0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jwqvtlbb] C:\WINDOWS\system32\idqrkxsd.exe
O4 - HKCU\..\Run: [gsgdnaje] C:\WINDOWS\system32\nklylode.exe
O4 - HKCU\..\Run: [ptvlafvs] C:\WINDOWS\system32\xqvopktu.exe
O4 - HKCU\..\Run: [nsxmtofu] C:\WINDOWS\system32\wjaxqvwn.exe
O4 - HKCU\..\Run: [gnxuywjs] C:\WINDOWS\system32\vibsvmxk.exe
O4 - HKUS\S-1-5-21-2455963964-3395364074-987033648-1011\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'LogMeInRemoteUser')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163995300396
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10531 bytes
*****************************************************************************************

TEA, THANKS A MILLION! YOU'RE AWESOME! :thumbsup:

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:52 PM

Posted 16 May 2008 - 12:33 PM

Hello there,

You're welcome. :thumbsup:

Yes, your friend can run MBAM, but NOT this next one! This one is for you only.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 Mike R. D.

Mike R. D.
  • Topic Starter

  • Members
  • 14 posts
  • Local time:05:52 PM

Posted 16 May 2008 - 01:10 PM

I ran ComboFix, then HJT...here are the logs. Thanks again for your advice & help! :thumbsup:

**********************************COMBO FIX*********************************
ComboFix 08-05-15.3 - Administrator 2008-05-16 10:40:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\sembly~1
C:\Program Files\sembly~1\??sembly\
C:\Program Files\sembly~1\spoolsv.exe
C:\WINDOWS\default.htm
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mbols~1\m?hta.exe
C:\WINDOWS\system32\x64
C:\WINDOWS\Web\def.htm
C:\WINDOWS\wintst32.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-16 09:30 . 2008-05-16 09:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 09:30 . 2008-05-16 09:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 09:30 . 2008-05-16 09:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 09:30 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 09:30 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 13:15 . 2008-04-29 15:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Roxio
2008-04-28 16:52 . 2008-03-01 06:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-28 16:52 . 2007-04-17 02:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-28 16:52 . 2007-03-07 22:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-28 16:52 . 2008-03-01 06:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-28 16:52 . 2008-03-01 06:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-28 16:52 . 2008-03-01 06:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-28 16:52 . 2008-03-01 06:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-28 16:52 . 2008-03-01 06:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-28 16:52 . 2008-02-22 03:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-28 15:47 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-04-28 15:43 . 2008-04-28 15:43 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-26 00:15 . 2008-04-26 00:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 00:11 . 2008-04-26 00:11 <DIR> d-------- C:\Deckard
2008-04-26 00:07 . 2008-04-26 00:09 21,050,144 --a------ C:\Kaspersky Scan.html
2008-04-25 22:05 . 2008-04-25 22:05 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-04-25 21:54 . 2008-04-25 21:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 21:54 . 2008-04-25 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 17:44 . 2008-04-25 17:44 134,184,778 --a------ C:\Windows_Registry_Backup_4-25-08.reg
2008-04-25 17:30 . 2008-04-25 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-04-24 20:03 . 2008-04-24 20:03 5,959 --a------ C:\WINDOWS\Instlog.lyt
2008-04-24 20:02 . 2008-04-24 20:02 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Intuit
2008-04-24 19:56 . 2008-04-24 19:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-23 21:31 . 2006-11-10 11:09 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\InstallShield
2008-04-23 21:31 . 2006-11-10 11:12 <DIR> d--h----- C:\Documents and Settings\TEMP\Application Data\Gtek
2008-04-23 21:31 . 2008-04-23 21:31 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\AIMPro
2008-04-23 21:31 . 2008-04-23 21:31 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\acccore
2008-04-23 21:31 . 2008-04-24 22:39 <DIR> d-------- C:\Documents and Settings\TEMP
2008-04-23 21:31 . 2008-05-16 10:56 1,024 --ah----- C:\Documents and Settings\TEMP\ntuser.dat.LOG
2008-04-23 21:26 . 2008-04-23 21:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-23 10:19 . 2008-04-23 10:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-04-23 10:18 . 2008-04-23 10:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AIMPro
2008-04-23 10:06 . 2008-04-23 10:06 <DIR> d-------- C:\41ca95805cf65078822f
2008-04-23 10:01 . 2006-11-12 23:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-04-23 10:01 . 2006-11-12 23:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-04-23 10:01 . 2006-11-12 23:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-04-22 20:39 . 2008-04-22 20:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-22 20:39 . 2008-04-25 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-22 20:37 . 2008-05-16 09:27 <DIR> d-------- C:\Setup_Files
2008-04-19 15:22 . 2008-04-19 15:22 <DIR> d-------- C:\WINDOWS\mgwwgmke
2008-04-19 15:22 . 2008-04-28 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\svuzctgp
2008-04-19 15:22 . 2008-05-16 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-19 15:22 . 2008-04-19 15:22 192,512 --a------ C:\WINDOWS\renipaby.dll
2008-04-19 15:22 . 2008-04-19 15:22 6,656 --a------ C:\WINDOWS\ctions.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 16:24 --------- d-----w C:\Program Files\LogMeIn
2008-04-23 07:00 --------- d-----w C:\Program Files\Greetings Workshop
2008-04-23 03:38 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-23 03:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-16 02:58 --------- d-----w C:\Documents and Settings\visitor\Application Data\Corel
2008-04-13 20:45 --------- d-----w C:\Program Files\Safari
2008-04-13 20:39 --------- d-----w C:\Program Files\iTunes
2008-04-13 20:38 --------- d-----w C:\Program Files\iPod
2008-04-13 20:36 --------- d-----w C:\Program Files\QuickTime
2008-04-03 14:44 --------- d-----w C:\Documents and Settings\Admin\Application Data\AIMPro
2008-04-03 14:44 --------- d-----w C:\Documents and Settings\Admin\Application Data\acccore
2008-03-30 02:24 --------- d-----w C:\Documents and Settings\visitor\Application Data\AIMPro
2008-03-19 23:01 --------- d-----w C:\Program Files\AIM
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,736 2006-11-07 15:29:02 C:\Program Files\AIM6\bak\aim6.exe

----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1169617523\ee\bak\AOLSoftware.exe

----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe

----a-w 81,920 2004-07-27 22:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 221,184 2004-07-27 22:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w 53,408 2006-03-25 01:14:48 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 53,408 2006-03-25 00:14:48 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 94,208 2005-10-05 09:12:00 C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe

----a-w 389,120 2006-07-17 03:29:54 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 2,494,464 2007-12-04 13:57:56 C:\Program Files\Electronic Arts\EADM\bak\Core.exe

----a-w 68,856 2007-06-25 00:36:41 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 151,552 2006-07-06 13:15:00 C:\Program Files\Intel\Intel Matrix Storage Manager\bak\Iaanotif.exe

----a-w 267,064 2007-09-26 21:42:04 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-03-30 17:36:40 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 1,117,184 2005-07-13 01:05:30 C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe

----a-w 286,720 2007-06-29 13:24:52 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-03-29 06:37:20 C:\Program Files\QuickTime\QTTask.exe

----a-w 1,695,744 2005-03-09 05:13:56 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe
----a-w 1,695,744 2005-03-09 04:13:56 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

----a-w 124,656 2006-06-15 09:40:34 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 124,656 2006-06-15 08:40:34 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-r 94,208 2003-08-27 22:20:00 C:\WINDOWS\bak\SM1BG.EXE

----a-w 67,584 2005-09-29 20:01:14 C:\WINDOWS\ehome\bak\ehtray.exe

----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 86,016 2006-07-22 05:50:10 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 81,920 2006-07-22 05:47:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2006-07-22 05:48:02 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 122,940 2005-09-08 11:20:00 C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"jwqvtlbb"="C:\WINDOWS\system32\idqrkxsd.exe" [ ]
"gsgdnaje"="C:\WINDOWS\system32\nklylode.exe" [ ]
"ptvlafvs"="C:\WINDOWS\system32\xqvopktu.exe" [ ]
"nsxmtofu"="C:\WINDOWS\system32\wjaxqvwn.exe" [ ]
"gnxuywjs"="C:\WINDOWS\system32\vibsvmxk.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 16:20 282624 C:\WINDOWS\stsystra.exe]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 14:39 7323648]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2006-06-15 01:40 124656]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-08 21:13 1695744]

C:\Documents and Settings\Debby Day\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 50688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-10 11:00:28 24576]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 05:10:26 282624]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ehshell.exe]
Debugger="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" -MceShellRedirect

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe"
"Corel Photo Downloader"=C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 03:00]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 02:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-09 23:04:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-05 00:46:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOffer@16
"2008-05-10 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DAY-Debby Day).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 10:57:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-16 11:01:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 18:00:59

Pre-Run: 123,523,682,304 bytes free
Post-Run: 124,077,473,792 bytes free

243 --- E O F --- 2008-05-16 17:08:49



**************************************HJT LOG******************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:48 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061110
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://winsecuritysolutions.com/?aid=444.0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jwqvtlbb] C:\WINDOWS\system32\idqrkxsd.exe
O4 - HKCU\..\Run: [gsgdnaje] C:\WINDOWS\system32\nklylode.exe
O4 - HKCU\..\Run: [ptvlafvs] C:\WINDOWS\system32\xqvopktu.exe
O4 - HKCU\..\Run: [nsxmtofu] C:\WINDOWS\system32\wjaxqvwn.exe
O4 - HKCU\..\Run: [gnxuywjs] C:\WINDOWS\system32\vibsvmxk.exe
O4 - HKUS\S-1-5-21-2455963964-3395364074-987033648-1011\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'LogMeInRemoteUser')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163995300396
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10238 bytes
************************************************************************************

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:52 PM

Posted 16 May 2008 - 03:43 PM

Hello,

Uh oh.....another infection revealed itself. :thumbsup:

# Please download FindAWF by noahdfear and save it to your desktop:

# Please double-click FindAWF.exe to run option 1.
# If a security alert shows, allow the program to run.
# When the tool has completed, a report will open in Notepad.
# Please post the results of the awf.txt in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 Mike R. D.

Mike R. D.
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:52 PM

Posted 21 May 2008 - 12:25 PM

Hi Tea,

Here's the scan results for Find AWF. Thanks for your continuing support.



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 05/21/2008
The current time is: 10:15:19.93


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

08/27/2003 03:20 PM 94,208 SM1BG.EXE
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\AIM6\BAK

11/07/2006 08:29 AM 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

07/16/2006 08:29 PM 389,120 DSAgnt.exe
1 File(s) 389,120 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/26/2007 02:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/15/2006 02:40 AM 124,656 VPTray.exe
1 File(s) 124,656 bytes

Directory of C:\WINDOWS\EHOME\BAK

09/29/2005 01:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 04:00 AM 15,360 ctfmon.exe
07/21/2006 10:50 PM 86,016 hkcmd.exe
07/21/2006 10:47 PM 81,920 igfxpers.exe
07/21/2006 10:48 PM 98,304 igfxtray.exe
4 File(s) 281,600 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

03/24/2006 06:14 PM 53,408 ccApp.exe
1 File(s) 53,408 bytes

Directory of C:\PROGRA~1\COREL\CORELS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

10/05/2005 02:12 AM 94,208 DMXLauncher.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\ELECTR~1\EADM\BAK

12/04/2007 06:57 AM 2,494,464 Core.exe
1 File(s) 2,494,464 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

06/24/2007 05:36 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

07/06/2006 06:15 AM 151,552 Iaanotif.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\MCAFEE\SPAMKI~1\BAK

07/12/2005 06:05 PM 1,117,184 MSKDetct.exe
1 File(s) 1,117,184 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

09/08/2005 04:20 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 05:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

07/27/2004 03:50 PM 81,920 issch.exe
07/27/2004 03:50 PM 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

03/08/2005 10:13 PM 1,695,744 DrgToDsc.exe
1 File(s) 1,695,744 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\116961~1\EE\BAK

09/25/2006 05:52 PM 50,736 AOLSoftware.exe
1 File(s) 50,736 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\DRIVERS\SM1\SM1bg.exe"
50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
389120 Jul 16 2006 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
267048 Mar 30 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Apr 13 2008 "C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe"
75048 Apr 13 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunesSetupAdmin.exe"
413696 Mar 28 2008 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
124656 Jun 15 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
124656 Jun 15 2006 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
86016 Jul 21 2006 "C:\drivers\video\onboard\hkcmd.exe"
86016 Jul 21 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
86016 Jul 21 2006 "C:\WINDOWS\system32\DRVSTORE\igxp32_A726C85783054D38E97E6D12E45405EC24C2C75A\hkcmd.exe"
81920 Jul 21 2006 "C:\drivers\video\onboard\igfxpers.exe"
81920 Jul 21 2006 "C:\WINDOWS\system32\bak\igfxpers.exe"
81920 Jul 21 2006 "C:\WINDOWS\system32\DRVSTORE\igxp32_A726C85783054D38E97E6D12E45405EC24C2C75A\igfxpers.exe"
98304 Jul 21 2006 "C:\drivers\video\onboard\igfxtray.exe"
98304 Jul 21 2006 "C:\WINDOWS\system32\bak\igfxtray.exe"
98304 Jul 21 2006 "C:\WINDOWS\system32\DRVSTORE\igxp32_A726C85783054D38E97E6D12E45405EC24C2C75A\igfxtray.exe"
53408 Mar 24 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
53408 Mar 24 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
94208 Oct 5 2005 "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
2494464 Dec 4 2007 "C:\Program Files\Electronic Arts\EADM\bak\Core.exe"
52272 Jan 27 2007 "C:\Program Files\Google\googletoolbar2user.exe"
138168 Jan 27 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jun 24 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
151552 Jul 6 2006 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\Iaanotif.exe"
1117184 Jul 12 2005 "C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe"
122940 Sep 8 2005 "C:\Program Files\Roxio\DLA\install\dlactrlw.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
1695744 Mar 8 2005 "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
1695744 Mar 8 2005 "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe"
50736 Sep 25 2006 "C:\Program Files\AIM6\aolsoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1169617523\ee\bak\AOLSoftware.exe"


end of report
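As an added illustration (not part of this thread, and not code from noahdfear's FindAWF tool), the following Python script performs the same kind of check that the report above shows: it walks a directory tree, finds every folder named "bak", pairs each file in it with the same-named file in the parent folder, and reports whether that parent copy is missing, byte-identical to the bak copy, or different (the case a defender would look at first, since a same-named but different file sitting where the original used to be is the pattern the report is hunting for). The directory layout and file contents it builds are constructed sample data that loosely mirror the report's paths; they are not files from the infected machine.

```python
"""Detect the 'bak folder' pattern: a legitimate startup executable moved into a
bak subfolder while a same-named file now occupies its original location.
Added example for illustration only; all sample paths/contents are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_folders(root: Path):
    """Return (parent_file_path, status) for every file found in a 'bak' folder.

    status is one of:
      'parent file missing (already removed?)'  - nothing sits where the original was
      'identical to bak copy'                   - same size and same SHA-256
      'differs from bak copy: possible replacement' - size or hash differs
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak = Path(dirpath)
        if bak.name.lower() != "bak":
            continue
        parent = bak.parent
        for name in filenames:
            original = bak / name          # the preserved original
            candidate = parent / name      # whatever now occupies the original's place
            if not candidate.exists():
                status = "parent file missing (already removed?)"
            elif (candidate.stat().st_size == original.stat().st_size
                  and sha256_of(candidate) == sha256_of(original)):
                status = "identical to bak copy"
            else:
                status = "differs from bak copy: possible replacement"
            findings.append((str(candidate), status))
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed sample tree covering the three outcomes the scanner reports."""
    # 1. Original moved to bak, and a different file now sits in the parent folder.
    itunes = base / "Program Files" / "iTunes"
    (itunes / "bak").mkdir(parents=True)
    (itunes / "bak" / "iTunesHelper.exe").write_bytes(b"original helper binary")
    (itunes / "iTunesHelper.exe").write_bytes(b"REPLACEMENT")
    # 2. Parent and bak copies are byte-identical (nothing left to restore).
    sym = base / "Program Files" / "Symantec AntiVirus"
    (sym / "bak").mkdir(parents=True)
    (sym / "bak" / "VPTray.exe").write_bytes(b"vptray original")
    (sym / "VPTray.exe").write_bytes(b"vptray original")
    # 3. Only the bak copy remains; the parent folder has no same-named file.
    dell = base / "Program Files" / "Dell Support"
    (dell / "bak").mkdir(parents=True)
    (dell / "bak" / "DSAgnt.exe").write_bytes(b"dsagnt original")


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and map file name -> status."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return {Path(p).name: status for p, status in find_bak_folders(base)}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:20s} {status}")
```

Run it against a real drive by calling find_bak_folders(Path("C:/")) instead of the sample tree; the script only reads and hashes files, it never deletes or restores anything, so it is safe to use as a pre-check before a restore step.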

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:52 PM

Posted 23 May 2008 - 09:33 AM

Hello,

You're welcome. :thumbsup:

There are some files that are probably okay, but I'm going to send you through all the steps anyway, just to be sure. :)

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\AIM6\bak\aim6.exe"
"C:\Program Files\Dell Support\bak\DSAgnt.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
"C:\Program Files\Electronic Arts\EADM\bak\Core.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Intel\Intel Matrix Storage Manager\bak\Iaanotif.exe"
"C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe"
"C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
"C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe"
"C:\Program Files\Common Files\AOL\1169617523\ee\bak\AOLSoftware.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
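
The scan-and-restore logic described in the post above, written out as an added example (this is not FindAWF's own code, and noahdfear's tool is not involved). It builds a constructed directory tree that mimics the pattern the logs show, a `bak` folder holding the original executable next to a same-named file in the parent folder, then classifies each pair and puts the original back where the parent copy differs. Assumptions: file contents are placeholder bytes, a SHA-256 comparison stands in for the size/date listing FindAWF prints, and the process-termination step is left out.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample tree (placeholder bytes, not real binaries). The layout
# mirrors the FindAWF logs in this thread: each 'bak' folder holds the original,
# and the parent folder may hold a rogue file of the same name.
SAMPLE_TREE = {
    # parent copy differs from the bak copy -> rogue file sitting in the original's place
    "Program Files/AIM6/aim6.exe": b"ROGUE-LOADER",
    "Program Files/AIM6/bak/aim6.exe": b"ORIGINAL-AIM6",
    # parent and bak copies identical -> already restored (the post-restore log state)
    "WINDOWS/system32/ctfmon.exe": b"ORIGINAL-CTFMON",
    "WINDOWS/system32/bak/ctfmon.exe": b"ORIGINAL-CTFMON",
    # bak folder whose file has no counterpart in the parent at all
    "WINDOWS/bak/SM1BG.EXE": b"ORIGINAL-SM1BG",
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed tree under a scratch root."""
    for rel, data in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_bak_folders(root: Path) -> list[dict]:
    """Scan step: find every 'bak' directory and, for each file in it, report the
    status of the same-named file in the parent directory:
    'rogue'     - parent copy exists but its content differs from the bak original
    'identical' - parent copy matches the bak original (nothing to restore)
    'missing'   - no parent copy at all
    """
    findings = []
    for bak in sorted(p for p in root.rglob("bak") if p.is_dir()):
        for original in sorted(p for p in bak.iterdir() if p.is_file()):
            parent_copy = bak.parent / original.name
            if not parent_copy.exists():
                status = "missing"
            elif sha256(parent_copy) == sha256(original):
                status = "identical"
            else:
                status = "rogue"
            findings.append(
                {"bak_file": original, "parent_file": parent_copy, "status": status}
            )
    return findings


def restore_from_bak(bak_file: Path) -> Path:
    """Restore step for one file (the Option 2 behaviour minus process termination):
    delete the rogue parent copy if present, then copy the original back."""
    target = bak_file.parent.parent / bak_file.name
    if target.exists():
        target.unlink()
    shutil.copy2(bak_file, target)
    return target


def demo() -> dict:
    """Run scan -> restore -> rescan on the constructed tree and return both
    status maps keyed by file name, so the before/after difference is visible."""
    root = Path(tempfile.mkdtemp(prefix="awf-demo-"))
    try:
        build_sample_tree(root)
        before = {f["parent_file"].name: f["status"] for f in scan_bak_folders(root)}
        for finding in scan_bak_folders(root):
            if finding["status"] == "rogue":
                restore_from_bak(finding["bak_file"])
        after = {f["parent_file"].name: f["status"] for f in scan_bak_folders(root)}
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for phase in ("before", "after"):
        print(phase)
        for name, status in sorted(result[phase].items()):
            print(f"  {status:9s} {name}")
```

Only the pair whose parent copy differs is touched; identical pairs are left alone and the orphaned `bak` file is reported but not copied anywhere, which is why the tool's separate "remove bak folders" step still follows.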

#9 Mike R. D.
  • Topic Starter
  • Members
  • 14 posts

Posted 23 May 2008 - 12:48 PM

Hi Tea,

I copied, pasted, and saved the strings you posted into files.txt. After it ran, a dialog box popped up saying:

"Windows File Protection

Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files.

Insert your Windows XP Professional CD 2 now."

I'll leave the message alone until I hear from you about what to do. Do I need to find my Windows CD?

Also, here's the awf.txt log. Thanks again.

--------------------------------------------------------------------------------------------
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Fri 05/23/2008
The current time is: 10:41:46.67


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

08/27/2003 03:20 PM 94,208 SM1BG.EXE
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\AIM6\BAK

11/07/2006 08:29 AM 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

07/16/2006 08:29 PM 389,120 DSAgnt.exe
1 File(s) 389,120 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/26/2007 02:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/15/2006 02:40 AM 124,656 VPTray.exe
1 File(s) 124,656 bytes

Directory of C:\WINDOWS\EHOME\BAK

09/29/2005 01:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 04:00 AM 15,360 ctfmon.exe
07/21/2006 10:50 PM 86,016 hkcmd.exe
07/21/2006 10:47 PM 81,920 igfxpers.exe
07/21/2006 10:48 PM 98,304 igfxtray.exe
4 File(s) 281,600 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

03/24/2006 06:14 PM 53,408 ccApp.exe
1 File(s) 53,408 bytes

Directory of C:\PROGRA~1\COREL\CORELS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

10/05/2005 02:12 AM 94,208 DMXLauncher.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\ELECTR~1\EADM\BAK

12/04/2007 06:57 AM 2,494,464 Core.exe
1 File(s) 2,494,464 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

06/24/2007 05:36 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\INTEL\INTELM~1\BAK

07/06/2006 06:15 AM 151,552 Iaanotif.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\MCAFEE\SPAMKI~1\BAK

07/12/2005 06:05 PM 1,117,184 MSKDetct.exe
1 File(s) 1,117,184 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

09/08/2005 04:20 AM 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 05:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

07/27/2004 03:50 PM 81,920 issch.exe
07/27/2004 03:50 PM 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

03/08/2005 10:13 PM 1,695,744 DrgToDsc.exe
1 File(s) 1,695,744 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\116961~1\EE\BAK

09/25/2006 05:52 PM 50,736 AOLSoftware.exe
1 File(s) 50,736 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\DRIVERS\SM1\SM1bg.exe"
50736 Nov 7 2006 "C:\Program Files\AIM6\aim6.exe"
50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
389120 Jul 16 2006 "C:\Program Files\Dell Support\DSAgnt.exe"
389120 Jul 16 2006 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Apr 13 2008 "C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe"
75048 Apr 13 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
124656 Jun 15 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
124656 Jun 15 2006 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
86016 Jul 21 2006 "C:\WINDOWS\system32\hkcmd.exe"
86016 Jul 21 2006 "C:\drivers\video\onboard\hkcmd.exe"
86016 Jul 21 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
86016 Jul 21 2006 "C:\WINDOWS\system32\DRVSTORE\igxp32_A726C85783054D38E97E6D12E45405EC24C2C75A\hkcmd.exe"
81920 Jul 21 2006 "C:\WINDOWS\system32\igfxpers.exe"
81920 Jul 21 2006 "C:\drivers\video\onboard\igfxpers.exe"
81920 Jul 21 2006 "C:\WINDOWS\system32\bak\igfxpers.exe"
81920 Jul 21 2006 "C:\WINDOWS\system32\DRVSTORE\igxp32_A726C85783054D38E97E6D12E45405EC24C2C75A\igfxpers.exe"
98304 Jul 21 2006 "C:\WINDOWS\system32\igfxtray.exe"
98304 Jul 21 2006 "C:\drivers\video\onboard\igfxtray.exe"
98304 Jul 21 2006 "C:\WINDOWS\system32\bak\igfxtray.exe"
98304 Jul 21 2006 "C:\WINDOWS\system32\DRVSTORE\igxp32_A726C85783054D38E97E6D12E45405EC24C2C75A\igfxtray.exe"
53408 Mar 24 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
53408 Mar 24 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
94208 Oct 5 2005 "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
94208 Oct 5 2005 "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
2494464 Dec 4 2007 "C:\Program Files\Electronic Arts\EADM\Core.exe"
2494464 Dec 4 2007 "C:\Program Files\Electronic Arts\EADM\bak\Core.exe"
52272 Jan 27 2007 "C:\Program Files\Google\googletoolbar2user.exe"
68856 Jun 24 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
138168 Jan 27 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jun 24 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
151552 Jul 6 2006 "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
151552 Jul 6 2006 "C:\Program Files\Intel\Intel Matrix Storage Manager\bak\Iaanotif.exe"
1117184 Jul 12 2005 "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe"
1117184 Jul 12 2005 "C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Sep 8 2005 "C:\Program Files\Roxio\DLA\install\dlactrlw.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
1695744 Mar 8 2005 "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
1695744 Mar 8 2005 "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe"
50736 Sep 25 2006 "C:\Program Files\AIM6\aolsoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1169617523\ee\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1169617523\ee\bak\AOLSoftware.exe"


end of report
-----------------------------------------------------------------------------------------

#10 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 May 2008 - 01:48 PM

Hello,

Thanks for telling me, and it's all right. :)

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\bak
C:\Program Files\AIM6\bak
C:\Program Files\Dell Support\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Symantec AntiVirus\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\Electronic Arts\EADM\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Intel\Intel Matrix Storage Manager\bak
C:\Program Files\McAfee\SpamKiller\bak
C:\WINDOWS\system32\DLA\bak
C:\Program Files\Common Files\AOL\ACS\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak
C:\Program Files\Common Files\AOL\1169617523\ee\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

Almost done with this. :thumbsup:

Thanks,
tea

#11 Mike R. D.
  • Topic Starter
  • Members
  • 14 posts

Posted 23 May 2008 - 01:56 PM

Hi Tea...here it is:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Fri 05/23/2008
The current time is: 11:57:10.85


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

08/27/2003 03:20 PM 94,208 SM1BG.EXE
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COREL\CORELS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 05:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

94208 Aug 27 2003 "C:\WINDOWS\bak\SM1BG.EXE"
94208 Aug 27 2003 "C:\WINDOWS\DRIVERS\SM1\SM1bg.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"


end of report

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 May 2008 - 02:07 PM

Hello,

Good. :thumbsup: Delete this bak folder: C:\Program Files\Common Files\AOL\ACS\bak

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT.

Now please post a new HijackThis log and we'll address the other issues you have. :)

Thanks,
tea

#13 Mike R. D.
  • Topic Starter
  • Members
  • 14 posts

Posted 23 May 2008 - 02:17 PM

Here's the new HJT scan log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:04 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061110
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://winsecuritysolutions.com/?aid=444.0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jwqvtlbb] C:\WINDOWS\system32\idqrkxsd.exe
O4 - HKCU\..\Run: [gsgdnaje] C:\WINDOWS\system32\nklylode.exe
O4 - HKCU\..\Run: [ptvlafvs] C:\WINDOWS\system32\xqvopktu.exe
O4 - HKCU\..\Run: [nsxmtofu] C:\WINDOWS\system32\wjaxqvwn.exe
O4 - HKCU\..\Run: [gnxuywjs] C:\WINDOWS\system32\vibsvmxk.exe
O4 - HKUS\S-1-5-21-2455963964-3395364074-987033648-1011\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'LogMeInRemoteUser')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163995300396
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10117 bytes

#14 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 May 2008 - 02:29 PM

Hi,

Thanks. :thumbsup:

I see leftovers from McAfee. Let's get rid of those:

Download and run the McAfee Consumer Products Removal tool (MCPR.exe).
Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, and 2007 versions of McAfee consumer products.
  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware
Download the removal tool from http://download.mcafee.com/products/licens...atches/MCPR.exe
  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    The machine must reboot to complete the un-installation. Reboot now? [y.n]
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302

Please delete your old version of ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#15 Mike R. D.
  • Topic Starter
  • Members
  • 14 posts

Posted 23 May 2008 - 03:23 PM

Here's the ComboFix log:

---------------------------------------------------------------------------------------------
ComboFix 08-05-21.3 - Administrator 2008-05-23 13:21:21.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.475 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\Spyware_Removal_Tools-KEEP\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-23 10:41 . 2006-07-21 22:48 98,304 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-05-23 10:41 . 2006-07-21 22:50 86,016 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-05-23 10:41 . 2006-07-21 22:47 81,920 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-05-16 09:30 . 2008-05-16 09:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 09:30 . 2008-05-16 09:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 09:30 . 2008-05-16 09:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-16 09:30 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 09:30 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-29 13:15 . 2008-04-29 15:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Roxio
2008-04-28 16:52 . 2008-03-01 06:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-28 16:52 . 2007-04-17 02:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-28 16:52 . 2007-03-07 22:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-28 16:52 . 2008-03-01 06:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-28 16:52 . 2008-03-01 06:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-28 16:52 . 2008-03-01 06:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-28 16:52 . 2008-03-01 06:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-28 16:52 . 2008-03-01 06:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-28 16:52 . 2008-02-22 03:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-28 15:47 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
2008-04-28 15:43 . 2008-04-28 15:43 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-26 00:15 . 2008-04-26 00:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 00:11 . 2008-04-26 00:11 <DIR> d-------- C:\Deckard
2008-04-25 22:05 . 2008-04-25 22:05 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-04-25 21:54 . 2008-04-25 21:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-25 21:54 . 2008-04-25 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 17:44 . 2008-04-25 17:44 134,184,778 --a------ C:\Windows_Registry_Backup_4-25-08.reg
2008-04-25 17:30 . 2008-04-25 17:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-04-24 20:03 . 2008-04-24 20:03 5,959 --a------ C:\WINDOWS\Instlog.lyt
2008-04-24 19:56 . 2008-04-24 19:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-23 21:26 . 2008-04-23 21:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-23 10:19 . 2008-04-23 10:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-04-23 10:18 . 2008-04-23 10:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AIMPro
2008-04-23 10:06 . 2008-04-23 10:06 <DIR> d-------- C:\41ca95805cf65078822f
2008-04-23 10:01 . 2006-11-12 23:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-04-23 10:01 . 2006-11-12 23:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-04-23 10:01 . 2006-11-12 23:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 20:02 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-23 18:57 --------- d-----w C:\Program Files\QuickTime
2008-05-23 18:57 --------- d-----w C:\Program Files\iTunes
2008-05-23 18:57 --------- d-----w C:\Program Files\Dell Support
2008-05-23 18:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-23 18:57 --------- d-----w C:\Program Files\AIM6
2008-05-23 17:37 --------- d-----w C:\Program Files\LogMeIn
2008-05-22 00:14 --------- d-----w C:\Program Files\Greetings Workshop
2008-05-16 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Common
2008-04-28 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\svuzctgp
2008-04-25 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 03:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-20 03:16 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-16 02:58 --------- d-----w C:\Documents and Settings\visitor\Application Data\Corel
2008-04-13 20:45 --------- d-----w C:\Program Files\Safari
2008-04-13 20:38 --------- d-----w C:\Program Files\iPod
2008-04-03 14:44 --------- d-----w C:\Documents and Settings\Admin\Application Data\AIMPro
2008-04-03 14:44 --------- d-----w C:\Documents and Settings\Admin\Application Data\acccore
2008-03-30 02:24 --------- d-----w C:\Documents and Settings\visitor\Application Data\AIMPro
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-02 01:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"jwqvtlbb"="C:\WINDOWS\system32\idqrkxsd.exe" [ ]
"gsgdnaje"="C:\WINDOWS\system32\nklylode.exe" [ ]
"ptvlafvs"="C:\WINDOWS\system32\xqvopktu.exe" [ ]
"nsxmtofu"="C:\WINDOWS\system32\wjaxqvwn.exe" [ ]
"gnxuywjs"="C:\WINDOWS\system32\vibsvmxk.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 16:20 282624 C:\WINDOWS\stsystra.exe]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 14:39 7323648]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2006-06-15 01:40 124656]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-08 22:13 1695744]

C:\Documents and Settings\Debby Day\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 50688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-10 11:00:28 24576]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe"
"Corel Photo Downloader"=C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 03:00]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 02:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 23:04:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-19 00:46:01 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOffer@16
"2008-05-19 16:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 13:22:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-23 13:23:11
ComboFix-quarantined-files.txt 2008-05-23 20:22:57
ComboFix2.txt 2008-05-23 20:12:18

Pre-Run: 123,812,732,928 bytes free
Post-Run: 123,799,707,648 bytes free

162 --- E O F --- 2008-05-16 17:08:49
-------------------------------------------------------------------------------------------------------------

And the HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:16 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061110
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://winsecuritysolutions.com/?aid=444.0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jwqvtlbb] C:\WINDOWS\system32\idqrkxsd.exe
O4 - HKCU\..\Run: [gsgdnaje] C:\WINDOWS\system32\nklylode.exe
O4 - HKCU\..\Run: [ptvlafvs] C:\WINDOWS\system32\xqvopktu.exe
O4 - HKCU\..\Run: [nsxmtofu] C:\WINDOWS\system32\wjaxqvwn.exe
O4 - HKCU\..\Run: [gnxuywjs] C:\WINDOWS\system32\vibsvmxk.exe
O4 - HKUS\S-1-5-21-2455963964-3395364074-987033648-1011\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'LogMeInRemoteUser')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163995300396
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9948 bytes
--------------------------------------------------------------------------------------------

Thank you!



