
Infected With Virtumonde


4 replies to this topic

#1 merach

Posted 01 June 2008 - 12:21 PM

Interestingly enough, at this very moment the symptoms have stopped, which is odd, but I know it's not gone. I remember dealing with VX2 back in the day, but I'm far less interested in dealing with this at the moment, so I'm looking for help :thumbsup:



Deckard's System Scanner v20071014.68
Run by Ray on 2008-06-01 11:10:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
13: 2008-06-01 17:10:10 UTC - RP131 - Deckard's System Scanner Restore Point
12: 2008-06-01 01:03:50 UTC - RP130 - Last known good configuration
11: 2008-06-01 01:03:47 UTC - RP129 - Installed Google Earth Pro.
10: 2008-06-01 01:03:47 UTC - RP128 - System Checkpoint
9: 2008-06-01 01:03:46 UTC - RP127 - System Checkpoint


-- First Restore Point --
1: 2008-06-01 01:03:45 UTC - RP119 - Installed SmartFTP Client


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ray.exe) -------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-01 11:11:31
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MozyPro\mozyprostat.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MozyPro\mozyprobackup.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
C:\Program Files\Citrix\GoToMyPC\g2host.exe
C:\Program Files\Citrix\GoToMyPC\g2printh.exe
C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ray\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E080326-E561-46B0-82B0-496FDD6A5993} - C:\WINDOWS\system32\khfCttRk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {da15d82a-bc31-4e39-ae84-923cf65ec35f} - {f53ce56f-c329-48ea-93e4-13cba28d51ad} - C:\WINDOWS\system32\mhopbahi.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [28c20455] rundll32.exe "C:\WINDOWS\system32\fbdudryo.dll",b
O4 - HKLM\..\Run: [BM2bf137c9] Rundll32.exe "C:\WINDOWS\system32\jqvbiwwc.dll",s

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: MozyPro Status.lnk = C:\Program Files\MozyPro\mozyprostat.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://193.138.213.145/cgi-bin/SysCamInst.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://domecam.uridium.ch/kxhcm10.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197969990062
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198313094812
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://216.62.222.101/activex/AMC.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://62.2.213.157/cgi-bin/bl_camera.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://java.sun.com/update/1.6.0/jinstall-...ows-i586-jc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://163.17.85.249/activex/AxisCamControl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} (pmjpegcam Class) - http://193.138.213.169/cgi-bin/JpegInst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee\MSC\Updates\Installs\1\vso\%VSINS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee\MSC\Updates\Installs\1\vso\%VSINS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee\MSC\Updates\Installs\1\vso\%VSINS~1\mcsysmon.exe
O23 - Service: MozyPro Backup Service (mozyprobackup) - Unknown owner - C:\Program Files\MozyPro\mozyprobackup.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe


--
End of file - 10653 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080517-192837-147 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
backup-20080517-192837-649 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080517-192837-681 O4 - Startup: Highspeeddownloader.lnk = C:\WINDOWS\system32\SetupClickHere.EXE
backup-20080517-192837-812 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080517-192837-858 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20080517-192837-869 O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
backup-20080517-192837-948 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
backup-20080517-192837-952 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.turbo-search101.com
backup-20080601-082720-235 O2 - BHO: (no name) - {AE75AA22-5349-4D0A-933C-B9EE1A8E767A} - C:\WINDOWS\system32\yayyATmN.dll (file missing)
backup-20080601-082720-246 O2 - BHO: (no name) - {166BCB27-FCFD-4588-9BDB-44FC6A02EF35} - C:\WINDOWS\system32\awturOFx.dll
backup-20080601-082720-324 O4 - HKLM\..\Run: [28c20455] rundll32.exe "C:\WINDOWS\system32\uldnmwbl.dll",b
backup-20080601-082720-328 O2 - BHO: (no name) - {068A2643-FE0B-4188-A8EB-D701829891FB} - C:\WINDOWS\system32\urqQkjgf.dll (file missing)
backup-20080601-082720-420 O2 - BHO: {2755e0b2-5011-4da8-8c44-dd7ecf9bce3a} - {a3ecb9fc-e7dd-44c8-8ad4-11052b0e5572} - C:\WINDOWS\system32\qgrnessg.dll
backup-20080601-082720-566 O20 - Winlogon Notify: awturOFx - C:\WINDOWS\SYSTEM32\awturOFx.dll
backup-20080601-082720-897 O4 - HKLM\..\Run: [BM2bf137c9] Rundll32.exe "C:\WINDOWS\system32\femkbxdy.dll",s

-- File Associations -----------------------------------------------------------

.ini - Notepad++_file - DefaultIcon - unable to read value
.ini - Notepad++_file - shell\open\command - "C:\Program Files\Notepad++\notepad++.exe" "%1"
.vbs - Notepad++_file - DefaultIcon - unable to read value
.vbs - Notepad++_file - shell\open\command - "C:\Program Files\Notepad++\notepad++.exe" "%1"
.vbs - Notepad++_file - shell\edit\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>

S3 dump_wmimmc - c:\games\gunbound\gunbound revolution\gameguard\dump_wmimmc.sys (file missing)
S3 Revolution1 - c:\documents and settings\ray\my documents\my received files\gb\gb\revolution_engine_8.3_shak3\shak3.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>

S4 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper ™ Disk Defragmenter>
S4 McNASvc (McAfee Network Agent) - "c:\progra~1\common~1\mcafee\mna\mcnasvc.exe" (file missing)
S4 McODS (McAfee Scanner) - c:\docume~1\alluse~1\applic~1\mcafee\msc\updates\installs\1\vso\%vsins~1\mcods.exe (file missing)
S4 mcpromgr (McAfee Protection Manager) - c:\progra~1\mcafee\msc\mcpromgr.exe (file missing)
S4 McProxy (McAfee Proxy Service) - c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe (file missing)
S4 McShield (McAfee Real-time Scanner) - c:\docume~1\alluse~1\applic~1\mcafee\msc\updates\installs\1\vso\%vsins~1\mcshield.exe (file missing)
S4 McSysmon (McAfee SystemGuards) - c:\docume~1\alluse~1\applic~1\mcafee\msc\updates\installs\1\vso\%vsins~1\mcsysmon.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV00DF\4&26102690&0&01
Manufacturer: Nvidia
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV00DF\4&26102690&0&01
Service: NVENETFD


-- Files created between 2008-05-01 and 2008-06-01 -----------------------------

2008-06-01 09:14:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 09:14:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-01 09:14:31 0 d-------- C:\WINDOWS\LastGood
2008-06-01 08:54:40 132096 --a------ C:\WINDOWS\system32\mhopbahi.dll
2008-06-01 08:52:26 114176 --a------ C:\WINDOWS\system32\fbdudryo.dll
2008-06-01 08:52:25 2560 --a------ C:\WINDOWS\system32\qeoairql.exe
2008-06-01 08:52:15 126464 --a------ C:\WINDOWS\system32\jqvbiwwc.dll
2008-06-01 08:51:32 808880 --ahs---- C:\WINDOWS\system32\kRttCfhk.ini2
2008-06-01 08:51:20 373248 --a------ C:\WINDOWS\system32\khfCttRk.dll
2008-06-01 08:42:30 0 d-------- C:\VundoFix Backups
2008-06-01 08:26:13 114176 --a------ C:\WINDOWS\system32\lfocpfta.dll
2008-06-01 08:23:25 132096 --a------ C:\WINDOWS\system32\ppdyebke.dll
2008-06-01 08:23:13 126464 --a------ C:\WINDOWS\system32\yxflfcww.dll
2008-06-01 07:50:12 800380 --ahs---- C:\WINDOWS\system32\fgjkQqru.ini2
2008-06-01 07:06:58 132096 --a------ C:\WINDOWS\system32\qgrnessg.dll
2008-06-01 07:06:46 126464 --a------ C:\WINDOWS\system32\femkbxdy.dll
2008-05-31 19:04:20 114176 --a------ C:\WINDOWS\system32\rwrdclxi.dll
2008-05-31 19:03:35 802046 --ahs---- C:\WINDOWS\system32\NmTAyyay.ini2
2008-05-31 18:55:53 0 d-------- C:\Program Files\MagicISO
2008-05-29 08:15:56 114 --a------ C:\WINDOWS\system32\'
2008-05-29 08:15:49 5760 --a------ C:\WINDOWS\system32\vnchelp.dll <Not Verified; RDV Soft; UltraVnc Kernel>
2008-05-29 08:15:48 0 d-------- C:\Program Files\UltraVNC
2008-05-24 15:11:55 0 d-------- C:\Program Files\Octoshape Streaming Services
2008-05-21 19:04:17 0 d-------- C:\KillerJohn's TurboT v6.95
2008-05-21 14:13:02 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-21 14:13:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-21 14:13:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-21 14:13:02 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-21 14:13:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-21 14:13:02 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-21 14:13:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-21 14:13:02 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-21 14:13:02 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-21 14:13:02 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-21 14:13:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-21 14:13:02 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-21 14:13:02 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-21 14:13:02 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-19 19:45:32 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-05-19 18:08:56 0 d-------- C:\Program Files\7-Zip
2008-05-19 16:37:32 0 d-------- C:\Documents and Settings\Ray\Application Data\VMware
2008-05-19 16:31:45 0 d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-05-19 16:30:47 0 d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-05-19 16:30:33 0 d-------- C:\Program Files\VMware
2008-05-19 16:30:32 0 d-------- C:\Program Files\Common Files\VMware
2008-05-18 16:46:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 18:33:37 0 d-------- C:\Program Files\Alcohol Soft
2008-05-17 15:39:54 0 d-------- C:\Program Files\hkSFV
2008-05-17 15:35:07 49152 --a------ C:\WINDOWS\md5sum.exe
2008-05-13 18:55:50 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-05-13 18:53:16 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-05-13 18:53:01 0 d-------- C:\Program Files\ATI Technologies
2008-05-13 16:58:32 0 d-------- C:\Logs
2008-05-13 16:55:53 0 d-------- C:\Documents and Settings\Ray\Application Data\IDM
2008-05-13 16:55:53 0 d-------- C:\Documents and Settings\Ray\Application Data\DMCache
2008-05-13 16:55:50 0 d-------- C:\Program Files\Internet Download Manager
2008-05-10 02:05:43 0 d-------- C:\Program Files\TaskSwitchXP
2008-05-10 02:05:32 2790400 --a------ C:\WINDOWS\system32\XPize_Logon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-10 02:03:41 0 d--h----- C:\WINDOWS\XPize Darkside
2008-05-08 20:21:50 6935 --a------ C:\Documents and Settings\Ray\_viminfo
2008-05-08 18:49:33 0 d-------- C:\Program Files\Vim
2008-05-06 14:18:52 0 d-------- C:\Program Files\Notepad++
2008-05-06 14:18:52 0 d-------- C:\Documents and Settings\Ray\Application Data\Notepad++
2008-05-04 11:21:39 0 d-------- C:\Program Files\MozyPro


-- Find3M Report ---------------------------------------------------------------

2008-06-01 11:11:14 0 d-------- C:\Documents and Settings\Ray\Application Data\uTorrent
2008-06-01 08:44:52 0 d-------- C:\Program Files\PowerISO
2008-05-31 18:59:06 0 d-------- C:\Documents and Settings\Ray\Application Data\Google
2008-05-31 18:58:46 0 d-------- C:\Program Files\Google
2008-05-31 18:07:21 0 d-------- C:\Documents and Settings\Ray\Application Data\mIRC
2008-05-31 17:46:58 0 d-------- C:\Program Files\mIRC
2008-05-31 05:12:34 0 d-------- C:\Program Files\Trillian
2008-05-25 17:30:54 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-25 07:45:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-24 15:12:32 0 d-------- C:\Documents and Settings\Ray\Application Data\Mozilla
2008-05-20 09:14:00 33316 --a------ C:\WINDOWS\DIIUnin.dat
2008-05-19 19:46:32 0 d-------- C:\Program Files\SmartFTP Client
2008-05-19 16:30:32 0 d-------- C:\Program Files\Common Files
2008-05-13 12:51:48 0 d-------- C:\Program Files\Folding@Home
2008-05-11 22:37:32 0 d-------- C:\Documents and Settings\Ray\Application Data\Xfire
2008-05-10 02:03:45 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-29 05:19:21 0 d-------- C:\Program Files\Citrix
2008-04-28 23:47:12 0 d-------- C:\Program Files\Debugging Tools for Windows
2008-04-17 22:43:32 0 d-------- C:\Program Files\Western Digital Technologies
2008-04-17 22:39:08 0 d-------- C:\Program Files\Western Digital
2008-04-11 22:27:49 0 d-------- C:\Program Files\mm.BOT
2008-04-10 20:07:26 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-09 05:26:42 0 d-------- C:\Program Files\MAXBrowse
2008-04-08 00:00:31 0 d-------- C:\Program Files\Hero Editor
2008-04-07 23:58:15 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-07 01:29:41 2829 --a------ C:\WINDOWS\DIIUnin.pif
2008-04-07 01:29:41 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2008-04-06 19:01:08 0 d-------- C:\Program Files\r2 studios
2008-04-05 19:13:55 0 d-------- C:\Program Files\Q3E Minimizer v1.51
2008-04-05 19:10:18 0 d-------- C:\Program Files\Mplayer
2008-04-01 10:24:59 0 d-------- C:\Program Files\Xvid
2008-03-13 16:46:25 967 --a------ C:\WINDOWS\ScUnin.pif
2008-03-13 16:46:25 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-03-13 16:46:25 31278 --a------ C:\WINDOWS\scunin.dat
2008-03-04 17:55:10 38612 --ah----- C:\WINDOWS\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E080326-E561-46B0-82B0-496FDD6A5993}]
06/01/2008 08:51 AM 373248 --a------ C:\WINDOWS\system32\khfCttRk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f53ce56f-c329-48ea-93e4-13cba28d51ad}]
06/01/2008 08:54 AM 132096 --a------ C:\WINDOWS\system32\mhopbahi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [07/23/2007 12:06 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 06:08 PM]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [06/20/2007 11:09 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [03/03/2008 08:05 PM]
"28c20455"="C:\WINDOWS\system32\fbdudryo.dll" [06/01/2008 08:52 AM]
"BM2bf137c9"="C:\WINDOWS\system32\jqvbiwwc.dll" [06/01/2008 08:52 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 01:54 PM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [12/19/2007 02:13 PM]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [08/04/2006 04:29 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/20/2008 10:47 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 06/20/2007 11:09 AM 10536 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfCttRk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MozyHome Status.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
backup=C:\WINDOWS\pss\MozyHome Status.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^Diskeeper 10 Professional Edition Registration.lnk]
path=C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Diskeeper 10 Professional Edition Registration.lnk
backup=C:\WINDOWS\pss\Diskeeper 10 Professional Edition Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=C:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
"C:\Program Files\Octoshape Streaming Services\Ray\OctoshapeClient.exe" -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\games\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Diskeeper"=3 (0x3)
"McNASvc"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{343446de-ad00-11dc-8eb5-806d6172696f}]
AutoRun\command- D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34fe62bf-0376-11dd-8a80-001109cba532}]
AutoRun\command- I:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{929ab7ae-ad65-11dc-89f2-001109cba532}]
AutoRun\command- G:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bebc9abf-b0c9-11dc-89fd-001109cba532}]
AutoRun\command- G:\SETUP.EXE




-- Hosts -----------------------------------------------------------------------

127.0.0.1 q4master.idsoftware.com #block q4server
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

8555 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-01 11:11:56 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 3800+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 3800+
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 2047.48 MiB / 1396.46 MiB
Pagefile Memory (total/avail): 3939.78 MiB / 3317.44 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1908.49 MiB

C: is Fixed (NTFS) - 69.23 GiB total, 22.85 GiB free.
E: is Fixed (NTFS) - 596.17 GiB total, 412.74 GiB free.
F: is Fixed (NTFS) - 74.53 GiB total, 41.32 GiB free.
G: is CDROM (CDFS)
H: is CDROM (CDFS)
I: is CDROM (CDFS)
L: is CDROM (CDFS)

\\.\PHYSICALDRIVE2 - WDC WD6400AAKS-75A7B0 - 596.17 GiB - 1 partition
\PARTITION0 - Installable File System - 596.17 GiB - E:

\\.\PHYSICALDRIVE1 - WDC WD740GD-00FLA0 - 69.24 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 69.23 GiB - C:

\\.\PHYSICALDRIVE0 - WDC WD800JB-00JJC0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\NETAMIN\\UBO_2007\\game\\ubo.exe"="C:\\Program Files\\NETAMIN\\UBO_2007\\game\\ubo.exe:*:Enabled:UBOnline"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Games\\Steam\\steamapps\\disbelief666\\counter-strike\\hl.exe"="C:\\Games\\Steam\\steamapps\\disbelief666\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Games\\Warcraft III\\Frozen Throne.exe"="C:\\Games\\Warcraft III\\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Games\\Quake III Arena\\quake3.exe"="C:\\Games\\Quake III Arena\\quake3.exe:*:Enabled:quake3"
"C:\\Documents and Settings\\Ray\\Desktop\\mirc.exe"="C:\\Documents and Settings\\Ray\\Desktop\\mirc.exe:*:Enabled:mIRC"
"C:\\Games\\Steam\\steamapps\\disbelief666\\team fortress 2\\hl2.exe"="C:\\Games\\Steam\\steamapps\\disbelief666\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"
"C:\\Program Files\\Octoshape Streaming Services\\Ray\\OctoshapeClient.exe"="C:\\Program Files\\Octoshape Streaming Services\\Ray\\OctoshapeClient.exe:*:Enabled:OctoshapeClient"
"C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ray\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MERACH
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ray
LOGONSERVER=\\MERACH
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Diskeeper Corporation\Diskeeper\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 43 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ray\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ray\LOCALS~1\Temp
USERDOMAIN=MERACH
USERNAME=Ray
USERPROFILE=C:\Documents and Settings\Ray
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ray (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AMD Power Monitor --> MsiExec.exe /X{5EE721AA-5619-4016-908D-84DCAAFA336F}
AMD Processor Driver --> C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
AXIS Media Control --> rundll32 "C:\Program Files\Axis Communications\AXIS Media Control\AxisMediaControl.dll",UninstallMe
Battle.net --> C:\WINDOWS\bnetunin.exe
Cain & Abel v4.9.14 --> C:\PROGRA~1\Cain\UNINSTAL.EXE C:\PROGRA~1\Cain\Install.log
Condition Zero --> "C:\Games\Steam\steam.exe" steam://uninstall/80
Condition Zero Deleted Scenes --> "C:\Games\Steam\steam.exe" steam://uninstall/100
Counter-Strike --> "C:\Games\Steam\steam.exe" steam://uninstall/10
Counter-Strike: Source --> "C:\Games\Steam\steam.exe" steam://uninstall/240
Data Lifeguard Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}\Setup.exe"
Debugging Tools for Windows --> MsiExec.exe /I{F3ECED46-91CC-4F44-9917-9A20085D5D26}
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Diskeeper Professional Edition --> MsiExec.exe /X{DE4847A9-E86B-4BBB-B991-58C5ACA4FA04}
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dual-Core Optimizer --> MsiExec.exe /X{FF3D660E-E5CC-47FD-8050-1B4DE3BA81A9}
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
Folding@Home --> C:\WINDOWS\system32\GKSUI18.EXE C:\Program Files\Folding@Home\Uninstall9F66.DAT
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
Google Earth Pro --> MsiExec.exe /X{9578C0CD-8108-4379-9026-4601F59859A0}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
GoToMyPC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F4D4FD-1814-4068-B316-C28FC776C6DD}\Setup.exe" -l0x9 AddRemovePrograms
Half-Life --> "C:\Games\Steam\steam.exe" steam://uninstall/70
Hero Editor V0.96 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Hero Editor\ST6UNST.LOG"
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
hkSFV (remove only) --> "C:\Program Files\hkSFV\uninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ijji --> C:\ijji\ENGLISH\ijjiUninstall.exe
ijji Auto Installer --> "C:\Program Files\InstallShield Installation Information\{1DCC7418-2089-4BDD-B321-3771956160FC}\setup.exe" -runfromtemp -l0x0009 -removeonly
Immortal Defense 1.0 --> C:\Program Files\Immortal Defense\uninst.exe
Internet Download Manager --> C:\Program Files\Internet Download Manager\Uninstall.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Magic ISO Maker v5.5 (build 0261) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MAXBrowse --> MsiExec.exe /I{D6B1DBAE-25E3-4706-B95A-13717F9C64A3}
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Project MUI (English) 2007 --> MsiExec.exe /X{90120000-00B4-0409-0000-0000000FF1CE}
Microsoft Office Project Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PRJPRO /dll OSETUP.DLL
Microsoft Office Project Professional 2007 --> MsiExec.exe /X{90120000-003B-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
mm.BOT --> "C:\WINDOWS\mm.BOT\uninstall.exe" "/U:C:\WINDOWS\mm.BOT\uninstall.xml"
Motorola Driver Installation --> MsiExec.exe /I{8F4507EF-C5F3-46CE-9718-9D3698821333}
Motorola Phone Tools --> C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe -runfromtemp -l0x0009 -removeonly
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MozyPro 1.8.8.0 --> "C:\Program Files\MozyPro\uninstall\unins000.exe"
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Natural Selection 3.2 --> c:\games\steam\steamapps\disbelief666\half-life\unins000.exe
Notepad++ --> C:\Program Files\Notepad++\uninstall.exe
NVIDIA Drivers --> C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
Octoshape Streaming Services --> C:\Program Files\Octoshape Streaming Services\Ray\uninst.exe
oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
PDF Password Cracker v3.0 --> "C:\Program Files\PDF Password Cracker v3.0\unins000.exe"
PDF Password Remover v2.5 --> "C:\Program Files\PDF Password Remover v2.5\unins000.exe"
Portal --> "C:\Games\Steam\steam.exe" steam://uninstall/400
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Q3E Minimizer v1.51 --> "C:\Program Files\Q3E Minimizer v1.51\unins000.exe"
Quake 3 Name Changer v1.2 (build 16) --> C:\Program Files\r2 studios\Quake 3 Name Changer\Uninstall.exe
Quake III Arena --> C:\WINDOWS\IsUninst.exe -f"C:\Games\Quake III Arena\QIII.isu"
Quake III Arena Point Release 1.32 --> C:\WINDOWS\unvise32.exe c:\games\quake iii arena\uninstal5.log
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
QuickTime Alternative 2.4.0 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Security Task Manager 1.7e --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SmartFTP Client --> MsiExec.exe /I{6F23C1A3-9F62-470C-BD12-B83F04E67865}
SmartFTP Client 2.5 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 2.5 Setup Files\uninst-sftp.exe
SmartFTP Client 3.0 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 3.0 Setup Files\uninst-sftp.exe
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
TaskSwitchXP --> C:\Program Files\TaskSwitchXP\uninst.exe
Team Fortress 2 --> "C:\Games\Steam\steam.exe" steam://uninstall/440
Team Fortress Classic --> "C:\Games\Steam\steam.exe" steam://uninstall/20
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
UltraVNC v1.0.2 --> "C:\Program Files\UltraVNC\unins000.exe"
Update for Outlook 2007 Junk Email Filter (kb943597) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A751F0DB-8476-4207-956E-20AEBBA4B1DA}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Vim 7.1 (self-installing) --> C:\Program Files\Vim\vim71\uninstall-gui.exe
Visual C++ 8 Merge Module Installer --> MsiExec.exe /I{172EF666-D1C9-43D7-B484-F19EF59709C4}
VMware Player --> MsiExec.exe /I{A53A11EA-0095-493F-86FA-A15E8A86A405}
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WC3Banlist --> "C:\Program Files\WC3Banlist\unins000.exe"
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Winfingerprint 0.6.2 --> C:\Program Files\Winfingerprint\uninst.exe
WinPcap 4.0.2 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wireshark 0.99.8 --> "C:\Program Files\Wireshark\uninstall.exe"
WMPTagSupportExtender --> MsiExec.exe /I{D5526193-241E-47EB-B358-60DA0820A35A}
Words That Follow --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://sqgames.110mb.com/wtf/wtf.jnlp"
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
WowAceUpdater --> rundll32.exe dfshim.dll,ShArpMaintain WowAceUpdater.application, Culture=neutral, PublicKeyToken=4d89fb8d52541cc9, processorArchitecture=msil
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
XPize Darkside 2.1 --> C:\WINDOWS\XPize Darkside\uninst.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3433 / Error
Event Submitted/Written: 06/01/2008 10:16:13 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: E:\XPSP2_11IN1\XPSP2_11IN1\XPSP2_11IN1.vmx

Event Record #/Type3428 / Success
Event Submitted/Written: 06/01/2008 08:57:29 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3422 / Success
Event Submitted/Written: 06/01/2008 08:46:28 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3414 / Success
Event Submitted/Written: 06/01/2008 07:45:19 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3411 / Error
Event Submitted/Written: 06/01/2008 06:41:15 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: E:\XPSP2_11IN1\XPSP2_11IN1\XPSP2_11IN1.vmx



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type7701 / Warning
Event Submitted/Written: 06/01/2008 10:45:06 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type7700 / Warning
Event Submitted/Written: 06/01/2008 10:31:26 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type7683 / Warning
Event Submitted/Written: 06/01/2008 08:57:28 AM
Event ID/Source: 8 / Print
Event Description:
Printer GoToMyPC Printer was purged.

Event Record #/Type7682 / Warning
Event Submitted/Written: 06/01/2008 08:57:16 AM
Event ID/Source: 2511 / Server
Event Description:
The server service was unable to recreate the share Play Disc because the directory E:\Images\Diablo 2 ISO\Play Disc no longer exists. Please run "net share Play Disc /delete" to delete the share, or recreate the directory E:\Images\Diablo 2 ISO\Play Disc.

Event Record #/Type7681 / Warning
Event Submitted/Written: 06/01/2008 08:57:16 AM
Event ID/Source: 2511 / Server
Event Description:
The server service was unable to recreate the share Install Disc because the directory E:\Images\Diablo 2 ISO\Install Disc no longer exists. Please run "net share Install Disc /delete" to delete the share, or recreate the directory E:\Images\Diablo 2 ISO\Install Disc.



-- End of Deckard's System Scanner: finished at 2008-06-01 11:11:56 ------------


#2 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:38 AM

Posted 01 June 2008 - 05:49 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\mhopbahi.dll
    C:\WINDOWS\system32\fbdudryo.dll
    C:\WINDOWS\system32\qeoairql.exe
    C:\WINDOWS\system32\jqvbiwwc.dll
    C:\WINDOWS\system32\kRttCfhk.ini2
    C:\WINDOWS\system32\khfCttRk.dll
    C:\VundoFix Backups
    C:\WINDOWS\system32\lfocpfta.dll
    C:\WINDOWS\system32\ppdyebke.dll
    C:\WINDOWS\system32\yxflfcww.dll
    C:\WINDOWS\system32\fgjkQqru.ini2
    C:\WINDOWS\system32\qgrnessg.dll
    C:\WINDOWS\system32\femkbxdy.dll
    C:\WINDOWS\system32\rwrdclxi.dll
    C:\WINDOWS\system32\NmTAyyay.ini2
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please post a new log from DSS after rebooting.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 merach

  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:38 AM

Posted 01 June 2008 - 06:27 PM

First and foremost, thanks for your help. Normally I'd be all over this, but this didn't seem to have a pattern to it, and although I doubt I could killbox anything important, I'm more curious as to how I got this (I never run anti-spyware or anti-virus; this installation of Windows was installed 4/07 and this is only my 2nd malware infection :thumbsup: ). I should probably keep better track of the little things I've done before coming here, but since my initial post, I used Process Explorer to kill both of the rundll instances that were running, expecting them to come back immediately, but they didn't. Odd.

OTMoveIt2 Log

DllUnregisterServer procedure not found in C:\WINDOWS\system32\mhopbahi.dll
C:\WINDOWS\system32\mhopbahi.dll NOT unregistered.
C:\WINDOWS\system32\mhopbahi.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fbdudryo.dll
C:\WINDOWS\system32\fbdudryo.dll NOT unregistered.
C:\WINDOWS\system32\fbdudryo.dll moved successfully.
C:\WINDOWS\system32\qeoairql.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jqvbiwwc.dll
C:\WINDOWS\system32\jqvbiwwc.dll NOT unregistered.
C:\WINDOWS\system32\jqvbiwwc.dll moved successfully.
C:\WINDOWS\system32\kRttCfhk.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\khfCttRk.dll
C:\WINDOWS\system32\khfCttRk.dll NOT unregistered.
C:\WINDOWS\system32\khfCttRk.dll moved successfully.
C:\VundoFix Backups moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lfocpfta.dll
C:\WINDOWS\system32\lfocpfta.dll NOT unregistered.
C:\WINDOWS\system32\lfocpfta.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ppdyebke.dll
C:\WINDOWS\system32\ppdyebke.dll NOT unregistered.
C:\WINDOWS\system32\ppdyebke.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\yxflfcww.dll
C:\WINDOWS\system32\yxflfcww.dll NOT unregistered.
C:\WINDOWS\system32\yxflfcww.dll moved successfully.
C:\WINDOWS\system32\fgjkQqru.ini2 moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\qgrnessg.dll
C:\WINDOWS\system32\qgrnessg.dll NOT unregistered.
C:\WINDOWS\system32\qgrnessg.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\femkbxdy.dll
C:\WINDOWS\system32\femkbxdy.dll NOT unregistered.
C:\WINDOWS\system32\femkbxdy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\rwrdclxi.dll
C:\WINDOWS\system32\rwrdclxi.dll NOT unregistered.
C:\WINDOWS\system32\rwrdclxi.dll moved successfully.
C:\WINDOWS\system32\NmTAyyay.ini2 moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06012008_171410

Haha, I had typed all this and noticed it did specify to restart after running this, and Firefox saved what I had typed when I hit Restore Session. Beautiful.

Note: Windows complained twice that it couldn't load a certain rundll32 file, which my guess would be the offending files.

DSS Log


Deckard's System Scanner v20071014.68
Run by Ray on 2008-06-01 17:24:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Ray.exe) -------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-01 17:24:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MozyPro\mozyprostat.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MozyPro\mozyprobackup.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Ray\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9928AC0B-9EC3-4856-A8B9-E3C4748C4502} - C:\WINDOWS\system32\khfCttRk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {da15d82a-bc31-4e39-ae84-923cf65ec35f} - {f53ce56f-c329-48ea-93e4-13cba28d51ad} - C:\WINDOWS\system32\mhopbahi.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [28c20455] rundll32.exe "C:\WINDOWS\system32\fbdudryo.dll",b
O4 - HKLM\..\Run: [BM2bf137c9] Rundll32.exe "C:\WINDOWS\system32\jqvbiwwc.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: MozyPro Status.lnk = C:\Program Files\MozyPro\mozyprostat.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://193.138.213.145/cgi-bin/SysCamInst.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://domecam.uridium.ch/kxhcm10.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197969990062
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198313094812
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://216.62.222.101/activex/AMC.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://62.2.213.157/cgi-bin/bl_camera.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://163.17.85.249/activex/AxisCamControl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} (pmjpegcam Class) - http://193.138.213.169/cgi-bin/JpegInst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee\MSC\Updates\Installs\1\vso\%VSINS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee\MSC\Updates\Installs\1\vso\%VSINS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee\MSC\Updates\Installs\1\vso\%VSINS~1\mcsysmon.exe
O23 - Service: MozyPro Backup Service (mozyprobackup) - Unknown owner - C:\Program Files\MozyPro\mozyprobackup.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe


--
End of file - 10081 bytes

-- Files created between 2008-05-01 and 2008-06-01 -----------------------------

2008-06-01 09:14:32		 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 09:14:31		 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-01 08:51:32	819128 --ahs---- C:\WINDOWS\system32\kRttCfhk.ini2
2008-05-31 18:55:53		 0 d-------- C:\Program Files\MagicISO
2008-05-29 08:15:56	   114 --a------ C:\WINDOWS\system32\'
2008-05-29 08:15:49	  5760 --a------ C:\WINDOWS\system32\vnchelp.dll <Not Verified; RDV Soft; UltraVnc Kernel>
2008-05-29 08:15:48		 0 d-------- C:\Program Files\UltraVNC
2008-05-24 15:11:55		 0 d-------- C:\Program Files\Octoshape Streaming Services
2008-05-21 19:04:17		 0 d-------- C:\KillerJohn's TurboT v6.95
2008-05-21 14:13:02		 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-21 14:13:02		 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-21 14:13:02		 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-21 14:13:02		 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-21 14:13:02		 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-21 14:13:02   1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-21 14:13:02		 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-21 14:13:02		 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-21 14:13:02		 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-21 14:13:02		 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-21 14:13:02		 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-21 14:13:02		 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-21 14:13:02		 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-21 14:13:02		 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-19 19:45:32		 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-05-19 18:08:56		 0 d-------- C:\Program Files\7-Zip
2008-05-19 16:37:32		 0 d-------- C:\Documents and Settings\Ray\Application Data\VMware
2008-05-19 16:31:45		 0 d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-05-19 16:30:47		 0 d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-05-19 16:30:33		 0 d-------- C:\Program Files\VMware
2008-05-19 16:30:32		 0 d-------- C:\Program Files\Common Files\VMware
2008-05-18 16:46:39		 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 18:33:37		 0 d-------- C:\Program Files\Alcohol Soft
2008-05-17 15:39:54		 0 d-------- C:\Program Files\hkSFV
2008-05-17 15:35:07	 49152 --a------ C:\WINDOWS\md5sum.exe
2008-05-13 18:55:50		 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-05-13 18:53:16	593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified;; ATI Smart>
2008-05-13 18:53:01		 0 d-------- C:\Program Files\ATI Technologies
2008-05-13 16:58:32		 0 d-------- C:\Logs
2008-05-13 16:55:53		 0 d-------- C:\Documents and Settings\Ray\Application Data\IDM
2008-05-13 16:55:53		 0 d-------- C:\Documents and Settings\Ray\Application Data\DMCache
2008-05-13 16:55:50		 0 d-------- C:\Program Files\Internet Download Manager
2008-05-10 02:05:43		 0 d-------- C:\Program Files\TaskSwitchXP
2008-05-10 02:05:32   2790400 --a------ C:\WINDOWS\system32\XPize_Logon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-10 02:03:41		 0 d--h----- C:\WINDOWS\XPize Darkside
2008-05-08 20:21:50	  6935 --a------ C:\Documents and Settings\Ray\_viminfo
2008-05-08 18:49:33		 0 d-------- C:\Program Files\Vim
2008-05-06 14:18:52		 0 d-------- C:\Program Files\Notepad++
2008-05-06 14:18:52		 0 d-------- C:\Documents and Settings\Ray\Application Data\Notepad++
2008-05-04 11:21:39		 0 d-------- C:\Program Files\MozyPro


-- Find3M Report ---------------------------------------------------------------

2008-06-01 17:21:56		 0 d-------- C:\Documents and Settings\Ray\Application Data\uTorrent
2008-06-01 08:44:52		 0 d-------- C:\Program Files\PowerISO
2008-05-31 18:59:06		 0 d-------- C:\Documents and Settings\Ray\Application Data\Google
2008-05-31 18:58:46		 0 d-------- C:\Program Files\Google
2008-05-31 18:07:21		 0 d-------- C:\Documents and Settings\Ray\Application Data\mIRC
2008-05-31 17:46:58		 0 d-------- C:\Program Files\mIRC
2008-05-31 05:12:34		 0 d-------- C:\Program Files\Trillian
2008-05-25 17:30:54	 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-25 07:45:07		 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-24 15:12:32		 0 d-------- C:\Documents and Settings\Ray\Application Data\Mozilla
2008-05-20 09:14:00	 33316 --a------ C:\WINDOWS\DIIUnin.dat
2008-05-19 19:46:32		 0 d-------- C:\Program Files\SmartFTP Client
2008-05-19 16:30:32		 0 d-------- C:\Program Files\Common Files
2008-05-13 12:51:48		 0 d-------- C:\Program Files\Folding@Home
2008-05-11 22:37:32		 0 d-------- C:\Documents and Settings\Ray\Application Data\Xfire
2008-05-10 02:03:45	218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-29 05:19:21		 0 d-------- C:\Program Files\Citrix
2008-04-28 23:47:12		 0 d-------- C:\Program Files\Debugging Tools for Windows
2008-04-17 22:43:32		 0 d-------- C:\Program Files\Western Digital Technologies
2008-04-17 22:39:08		 0 d-------- C:\Program Files\Western Digital
2008-04-11 22:27:49		 0 d-------- C:\Program Files\mm.BOT
2008-04-10 20:07:26		 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-09 05:26:42		 0 d-------- C:\Program Files\MAXBrowse
2008-04-08 00:00:31		 0 d-------- C:\Program Files\Hero Editor
2008-04-07 23:58:15	 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-07 01:29:41	  2829 --a------ C:\WINDOWS\DIIUnin.pif
2008-04-07 01:29:41	 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2008-04-06 19:01:08		 0 d-------- C:\Program Files\r2 studios
2008-04-05 19:13:55		 0 d-------- C:\Program Files\Q3E Minimizer v1.51
2008-04-05 19:10:18		 0 d-------- C:\Program Files\Mplayer
2008-04-01 10:24:59		 0 d-------- C:\Program Files\Xvid
2008-03-13 16:46:25	   967 --a------ C:\WINDOWS\ScUnin.pif
2008-03-13 16:46:25	 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2008-03-13 16:46:25	 31278 --a------ C:\WINDOWS\scunin.dat
2008-03-04 17:55:10	 38612 --ah----- C:\WINDOWS\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9928AC0B-9EC3-4856-A8B9-E3C4748C4502}]
			C:\WINDOWS\system32\khfCttRk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f53ce56f-c329-48ea-93e4-13cba28d51ad}]
			C:\WINDOWS\system32\mhopbahi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [07/23/2007 12:06 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 06:08 PM]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [06/20/2007 11:09 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [03/03/2008 08:05 PM]
"28c20455"="C:\WINDOWS\system32\fbdudryo.dll" []
"BM2bf137c9"="C:\WINDOWS\system32\jqvbiwwc.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 01:54 PM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [12/19/2007 02:13 PM]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [08/04/2006 04:29 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/20/2008 10:47 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MozyPro Status.lnk - C:\Program Files\MozyPro\mozyprostat.exe [5/4/2008 11:21:40 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC] 
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 06/20/2007 11:09 AM 10536 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfCttRk

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MozyHome Status.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
backup=C:\WINDOWS\pss\MozyHome Status.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^Diskeeper 10 Professional Edition Registration.lnk]
path=C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Diskeeper 10 Professional Edition Registration.lnk
backup=C:\WINDOWS\pss\Diskeeper 10 Professional Edition Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=C:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Ray\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
C:\Program Files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
"C:\Program Files\Octoshape Streaming Services\Ray\OctoshapeClient.exe" -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\games\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Diskeeper"=3 (0x3)
"McNASvc"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"mcpromgr"=2 (0x2)
"McODS"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{343446de-ad00-11dc-8eb5-806d6172696f}]
AutoRun\command- D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34fe62bf-0376-11dd-8a80-001109cba532}]
AutoRun\command- I:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{929ab7ae-ad65-11dc-89f2-001109cba532}]
AutoRun\command- G:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bebc9abf-b0c9-11dc-89fd-001109cba532}]
AutoRun\command- G:\SETUP.EXE




-- End of Deckard's System Scanner: finished at 2008-06-01 17:24:35 ------------

Edited by merach, 01 June 2008 - 06:28 PM.


#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 June 2008 - 08:37 AM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {9928AC0B-9EC3-4856-A8B9-E3C4748C4502} - C:\WINDOWS\system32\khfCttRk.dll (file missing)
O2 - BHO: {da15d82a-bc31-4e39-ae84-923cf65ec35f} - {f53ce56f-c329-48ea-93e4-13cba28d51ad} - C:\WINDOWS\system32\mhopbahi.dll (file missing)
O4 - HKLM\..\Run: [28c20455] rundll32.exe "C:\WINDOWS\system32\fbdudryo.dll",b
O4 - HKLM\..\Run: [BM2bf137c9] Rundll32.exe "C:\WINDOWS\system32\jqvbiwwc.dll",s

Reboot your computer.

Please download ComboFix and save it to your desktop.
Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.

Double click ComboFix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
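An added example, not from this thread and not HijackThis's own logic: a Python triage script that scores O2 and O4 lines on the traits visible in the entries Buckeye_Sam listed for fixing (a bare-hex Run value name, rundll32 loading an eight-letter DLL from system32, a single-letter export, a BHO whose DLL is missing). The heuristics, the two-match threshold and the sample lines are assumptions drawn from this log, not a signature for Virtumonde.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the HijackThis log posted in this
# thread: the three entries Buckeye_Sam asked to have fixed, mixed with
# entries that look legitimate.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {9928AC0B-9EC3-4856-A8B9-E3C4748C4502} - C:\WINDOWS\system32\khfCttRk.dll (file missing)
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [28c20455] rundll32.exe "C:\WINDOWS\system32\fbdudryo.dll",b
O4 - HKLM\..\Run: [BM2bf137c9] Rundll32.exe "C:\WINDOWS\system32\jqvbiwwc.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# rundll32[.exe] "<dll>",<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)
# Eight-letter DLL directly under system32 (khfCttRk, fbdudryo, jqvbiwwc). Weak on
# its own: legitimate names of that shape exist (webcheck.dll in the O21 lines above).
EIGHT_LETTER_DLL_RE = re.compile(r"\\system32\\[A-Za-z]{8}\.dll\b")


@dataclass
class Finding:
    line: str
    reasons: list


def triage_o4(line):
    """Reasons an O4 (Run key) line deserves a closer look; [] if none."""
    m = O4_RE.match(line)
    if not m:
        return []
    reasons = []
    # The flagged entries are named with bare hex (28c20455, BM2bf137c9)
    # rather than a product or vendor name.
    if re.fullmatch(r"(BM)?[0-9a-f]{8}", m.group("name"), re.I):
        reasons.append("run value named with bare hex, not a product name")
    r = RUNDLL_RE.search(m.group("cmd"))
    if r:
        if EIGHT_LETTER_DLL_RE.search(r.group("dll")):
            reasons.append("rundll32 loads an eight-letter DLL from system32")
        if len(r.group("export")) == 1:
            reasons.append("rundll32 export name is a single letter")
    return reasons


def triage_o2(line):
    """Reasons an O2 (Browser Helper Object) line deserves a closer look."""
    if not line.startswith("O2 - "):
        return []
    reasons = []
    if line.endswith("(file missing)"):
        reasons.append("BHO still registered but its DLL is not on disk")
    if EIGHT_LETTER_DLL_RE.search(line):
        reasons.append("BHO DLL has an eight-letter name under system32")
    return reasons


def triage(log, min_reasons=2):
    """Lines matching at least min_reasons heuristics, in log order.
    One match is weak evidence; two or more marks an entry for a human to review."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        reasons = triage_o4(line) + triage_o2(line)
        if len(reasons) >= min_reasons:
            findings.append(Finding(line, reasons))
    return findings
```

Run against the sample it returns exactly the three entries Buckeye_Sam listed, each with the reasons it matched; the itype, swg and O23 lines match nothing.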

#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 June 2008 - 08:18 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.