Virtumonde Infection


This topic is locked
10 replies to this topic

#1 luis123

  • Members
  • 5 posts

Posted 02 July 2008 - 11:32 AM

On June 24, I downloaded a file that infected my computer and would make Internet Explorer load slowly, or it would not let it load at all. It would also say that Automatic Updates was turned off, but when I would go check in the Control Panel, it would say that they are on. I downloaded a program called Spybot - Search and Destroy to look for spyware and adware. It found some and deleted them, except that every time I run it, I find that a Virtumonde file keeps on popping up even though it was supposed to be deleted. I remember that on June 30, I denied access to some files (I can't remember which ones though), and since then I have been able to use the Internet without any problems, except that now the Start menu will not come up and I cannot use some programs.

Deckard's System Scanner v20071014.68
Run by Luis on 2008-07-02 09:14:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Luis.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:42 AM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Limewire\Limewire\LimeWire.exe
C:\Documents and Settings\Luis\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Luis.exe
C:\Program Files\Yahoo!\Antivirus\autodown.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg1.mail.yahoo.com/dc/launch?.rand=7dj6l81uhnrk9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {15736C11-C6AD-4FF5-8D43-910D196B7318} - C:\WINDOWS\system32\ddcyvVmK.dll (file missing)
O2 - BHO: (no name) - {1F729F51-CC87-4DDF-AB15-59984357866B} - C:\WINDOWS\system32\efcARkjG.dll (file missing)
O2 - BHO: (no name) - {25DEF282-4462-4D79-9F04-883C058515A5} - (no file)
O2 - BHO: (no name) - {430A604F-70B2-43B7-8F55-E15C3D8455BC} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7e73e324-203b-48ee-9ffa-4ea212073da3} - (no file)
O2 - BHO: (no name) - {D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2} - C:\WINDOWS\system32\qoMdDusT.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM1f2cf044] Rundll32.exe "C:\WINDOWS\system32\hrgluqij.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1606980848-484763869-682003330-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1606980848-484763869-682003330-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1606980848-484763869-682003330-1005 Startup: LimeWire On Startup.lnk = E:\Limewire\Limewire\LimeWire.exe (User '?')
O4 - S-1-5-21-1606980848-484763869-682003330-1005 Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe (User '?')
O4 - Startup: LimeWire On Startup.lnk = E:\Limewire\Limewire\LimeWire.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/29.55/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} (Microsoft Office Live Workspace Upload Tool) - http://workspace.office.live.com/Misc/Micr....RichUpload.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: qoMdDusT - C:\WINDOWS\SYSTEM32\qoMdDusT.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 8963 bytes

-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 09:05:00 0 d-------- C:\Program Files\Trend Micro
2008-06-30 21:16:32 0 d-------- C:\Documents and Settings\Erika\Application Data\Mozilla
2008-06-29 22:30:27 104448 --a------ C:\WINDOWS\system32\tztpfa.dll
2008-06-29 22:30:24 104448 --a------ C:\WINDOWS\system32\vsduvliw.dll
2008-06-29 22:27:24 87040 --a------ C:\WINDOWS\system32\cdbibalq.dll
2008-06-29 22:25:05 95232 --a------ C:\WINDOWS\system32\hrgluqij.dll
2008-06-29 22:24:23 649063 --ahs---- C:\WINDOWS\system32\mSsYJRqr.ini2
2008-06-29 12:47:31 104448 --a------ C:\WINDOWS\system32\uxoxas.dll
2008-06-29 12:47:27 104448 --a------ C:\WINDOWS\system32\pihawewe.dll
2008-06-29 12:44:27 87040 --a------ C:\WINDOWS\system32\afdimwbi.dll
2008-06-29 12:41:24 95232 --a------ C:\WINDOWS\system32\mkkmykop.dll
2008-06-28 15:02:58 0 d-------- C:\Documents and Settings\Administrator Guest\Application Data\Mozilla
2008-06-28 12:53:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-28 12:53:10 0 d-------- C:\Documents and Settings\Luis\Application Data\Mozilla
2008-06-28 12:44:04 86528 --a------ C:\WINDOWS\system32\rkvgalux.dll
2008-06-28 12:41:50 104960 --a------ C:\WINDOWS\system32\wropqe.dll
2008-06-28 12:41:44 104960 --a------ C:\WINDOWS\system32\urvkvhxh.dll
2008-06-28 12:41:10 94208 --a------ C:\WINDOWS\system32\xwgpttmr.dll
2008-06-28 12:37:51 662180 --ahs---- C:\WINDOWS\system32\xaGiPqss.ini2
2008-06-27 18:30:13 87040 --a------ C:\WINDOWS\system32\tiycvngp.dll
2008-06-27 18:29:54 104960 --a------ C:\WINDOWS\system32\rmvxux.dll
2008-06-27 18:29:46 104960 --a------ C:\WINDOWS\system32\tolwkcux.dll
2008-06-27 18:29:23 94208 --a------ C:\WINDOWS\system32\faskgbvu.dll
2008-06-27 18:27:09 653097 --ahs---- C:\WINDOWS\system32\bdNXHkkj.ini2
2008-06-27 12:46:50 104960 --a------ C:\WINDOWS\system32\zlwejc.dll
2008-06-27 12:46:44 104960 --a------ C:\WINDOWS\system32\ckiqgoee.dll
2008-06-27 12:40:52 94208 --a------ C:\WINDOWS\system32\ghwpowhn.dll
2008-06-27 11:28:42 649722 --ahs---- C:\WINDOWS\system32\KmVvycdd.ini2
2008-06-27 10:42:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-27 10:16:24 34304 --a------ C:\WINDOWS\system32\mlJYooMd.dll
2008-06-27 10:16:12 104448 --a------ C:\WINDOWS\system32\oxxzlx.dll
2008-06-27 10:16:06 104448 --a------ C:\WINDOWS\system32\agmdjdwh.dll
2008-06-27 10:15:38 94720 --a------ C:\WINDOWS\system32\gpmjccqd.dll
2008-06-24 22:53:01 649502 --ahs---- C:\WINDOWS\system32\GjkRAcfe.ini2
2008-06-24 22:51:44 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-06-24 22:48:04 0 d-------- C:\WINDOWS\system32\f10
2008-06-24 22:48:04 0 d-------- C:\WINDOWS\system32\bam
2008-06-24 22:48:03 0 d-------- C:\WINDOWS\system32\vec3
2008-06-24 22:47:56 0 d-------- C:\WINDOWS\system32\modtrux18
2008-06-24 22:47:56 0 d-------- C:\Temp
2008-06-24 22:47:52 90624 --a------ C:\WINDOWS\system32\qoMdDusT.dll
2008-06-24 22:46:40 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 19:35:59 0 d-------- C:\Program Files\Microsoft Works
2008-06-16 19:35:06 0 d-------- C:\Program Files\Microsoft.NET
2008-06-16 19:31:49 0 dr-h----- C:\MSOCache
2008-06-16 18:34:26 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-06-09 16:05:45 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-06-09 16:00:00 0 d-------- C:\Program Files\Lexmark X74-X75
2008-06-09 15:59:46 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-06-09 15:59:38 0 d-------- C:\Documents and Settings\Luis\WINDOWS
2008-06-03 06:35:09 5632 --a------ C:\WINDOWS\system32\ptpusb.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-03 06:35:08 159232 --a------ C:\WINDOWS\system32\ptpusd.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Find3M Report ---------------------------------------------------------------

2008-06-02 21:07:01 0 d-------- C:\Documents and Settings\Luis\Application Data\Apple Computer
2008-05-06 22:18:48 1287680 --a------ C:\WINDOWS\system32\quartz.dll
2008-05-03 21:43:51 0 d-------- C:\Program Files\Apple Software Update
2008-05-03 20:56:47 0 d-------- C:\Program Files\iTunes
2008-05-03 20:55:52 0 d-------- C:\Program Files\iPod
2008-05-03 20:52:20 0 d-------- C:\Program Files\QuickTime
2008-05-02 10:22:36 0 d-------- C:\Program Files\M&Ms The Lost Formulas
2008-04-14 21:02:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15736C11-C6AD-4FF5-8D43-910D196B7318}]
C:\WINDOWS\system32\ddcyvVmK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F729F51-CC87-4DDF-AB15-59984357866B}]
C:\WINDOWS\system32\efcARkjG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25DEF282-4462-4D79-9F04-883C058515A5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{430A604F-70B2-43B7-8F55-E15C3D8455BC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7e73e324-203b-48ee-9ffa-4ea212073da3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}]
06/24/2008 10:47 PM 90624 --a------ C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/03/2005 12:25 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/03/2005 12:22 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/03/2005 12:26 AM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/10/2006 03:25 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 03:43 AM C:\WINDOWS\Alcmtr.exe]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [09/25/2004 01:37 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [04/28/2007 11:05 PM]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [04/28/2007 11:05 PM]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [07/21/2006 10:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [10/14/2002 01:09 PM]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"BM1f2cf044"="C:\WINDOWS\system32\hrgluqij.dll" [06/29/2008 10:25 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}"= C:\WINDOWS\system32\qoMdDusT.dll [06/24/2008 10:47 PM 90624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
qoMdDusT.dll 06/24/2008 10:47 PM 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDusT]
qoMdDusT.dll 06/24/2008 10:47 PM 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-02 09:16:09 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 32%
Physical Memory (total/avail): 2039.48 MiB / 1386.8 MiB
Pagefile Memory (total/avail): 3925.89 MiB / 3541.85 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1940.29 MiB

C: is Fixed (NTFS) - 111.78 GiB total, 68.88 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 232.88 GiB total, 216.13 GiB free.
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Luis\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ADMINIST-I8MQY6
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Luis
LOGONSERVER=\\ADMINIST-I8MQY6
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Documents and Settings\Luis\Application Data\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0605
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Luis\LOCALS~1\Temp
TMP=C:\DOCUME~1\Luis\LOCALS~1\Temp
USERDOMAIN=ADMINIST-I8MQY6
USERNAME=Luis
USERPROFILE=C:\Documents and Settings\Luis
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator Guest (admin)
Luis (admin)
Erika (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\unyt.exe
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{4468EF97-A253-4699-9E1C-88CAE2C6832D}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 Ebay! --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AT&T Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
BEHRINGER USB AUDIO DRIVER --> C:\WINDOWS\usb-audio.deBehringer2902\Setup.exe /l1
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Guitar Pro 5.0 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Indeo® Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel® PRO Network Connections Drivers --> Prounstl.exe
InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark Skin: Machine1 --> C:\PROGRA~1\LEXMAR~2\Skin5\UNWISE.EXE C:\PROGRA~1\LEXMAR~2\Skin5\INSTALL.LOG
Lexmark X74-X75 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBBUN5C.EXE -dLexmark X74-X75
LimeWire PRO 4.12.3 --> "E:\Limewire\Limewire\uninstall.exe"
M&Ms The Lost Formulas --> C:\Program Files\M&Ms The Lost Formulas\Unwise.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Monsters, Inc. Scare Island --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\DISNEY~1\MONSTE~1\DeIsL1.isu
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Photo Viewer 2.3 --> "C:\Program Files\Photo Viewer\uninstall.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Power Tab Editor 1.7 --> MsiExec.exe /I{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Roxio Easy Media Creator 7 Basic DVD Edition --> MsiExec.exe /I{747D1B34-A1FC-4EF3-A6AE-E86F39CEFDE5}
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Ulead DVD MovieFactory 2 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88F93347-0F9B-4FED-BA71-6C2A4CDFE61D}\Setup.exe" -l0x9
Update for Office 2007 (KB946691) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Videora iPod Converter 3.07 --> C:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Widgets --> C:\PROGRA~1\Yahoo!\Widgets\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type5466 / Warning
Event Submitted/Written: 06/30/2008 01:47:01 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x800706BA

Event Record #/Type5435 / Error
Event Submitted/Written: 06/29/2008 00:51:45 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type5434 / Error
Event Submitted/Written: 06/29/2008 10:54:30 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type5425 / Error
Event Submitted/Written: 06/28/2008 00:43:58 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type5424 / Error
Event Submitted/Written: 06/28/2008 00:43:52 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type45577 / Warning
Event Submitted/Written: 07/01/2008 06:15:56 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type45551 / Warning
Event Submitted/Written: 06/30/2008 08:54:13 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type45518 / Error
Event Submitted/Written: 06/29/2008 10:50:07 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type45513 / Error
Event Submitted/Written: 06/29/2008 10:20:22 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
cdudf_xp
Fips
intelppm
VET-FILT
VET-REC
VETEFILE
VETMONNT

Event Record #/Type45512 / Error
Event Submitted/Written: 06/29/2008 10:19:11 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-07-02 09:07:33 ------------
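The logs above carry the classic Vundo/Virtumonde footprint: randomly named DLLs dropped into system32 in bursts (qoMdDusT.dll, hrgluqij.dll, ddcyvVmK.dll and the rest), the same qoMdDusT.dll registered as an IE Browser Helper Object (O2), as a Winlogon Notify package (O20) and, in the DSS registry dump, as a ShellExecuteHook, a fake "Host Process" svchost.exe started from C:\WINDOWS\Fonts instead of system32, and orphaned BHO entries whose files Spybot already removed. The Python script below is an added example written for this page; it is not part of the thread, HijackThis or ComboFix. It runs those triage heuristics over HijackThis-style lines. SAMPLE_LOG is a constructed excerpt modelled on the log above (not a verbatim copy), the random-name check is deliberately marked as a weak signal because some legitimate vendor DLLs have equally odd names, and the ShellExecuteHooks key is not parsed because HijackThis does not report it.

```python
"""Triage heuristics for HijackThis-style log lines (added example; not
HijackThis or ComboFix code). Flags the Vundo/Virtumonde patterns visible in
the thread's log: unnamed or orphaned BHOs, core Windows binaries running from
the wrong directory, random-looking DLL names, and one DLL hooked in several
places at once."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the HijackThis log in the thread (not a
# verbatim copy); the clean entries are included to show what is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {15736C11-C6AD-4FF5-8D43-910D196B7318} - C:\WINDOWS\system32\ddcyvVmK.dll (file missing)
O2 - BHO: (no name) - {D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2} - C:\WINDOWS\system32\qoMdDusT.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [BM1f2cf044] Rundll32.exe "C:\WINDOWS\system32\hrgluqij.dll",s
O20 - Winlogon Notify: qoMdDusT - C:\WINDOWS\SYSTEM32\qoMdDusT.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
"""

# Core Windows processes that, on XP, only legitimately live in system32.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


def looks_random(stem: str) -> bool:
    """Weak signal for Vundo-style generated names (qoMdDusT, ddcyvVmK, hrgluqij):
    a short all-letter name with frequent case flips or a long consonant run.
    Legitimate names such as SDHelper or yt pass; some vendor DLLs will not."""
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips >= 3 or CONSONANT_RUN.search(stem.lower()) is not None


def triage(log_text: str) -> list:
    """Return (where, reason) pairs for suspicious lines and cross-line patterns."""
    findings = []
    hooks = defaultdict(set)  # dll name (lower-case) -> HijackThis item types it appears under
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # "O2", "O4", "O20", ...
        match = PATH_RE.search(line)
        if match:
            directory, _, filename = match.group(0).rpartition("\\")
            directory, lower_name = directory.lower(), filename.lower()
            stem = filename.rsplit(".", 1)[0]
            if lower_name in CORE_BINARIES and directory != SYSTEM32:
                findings.append((line, f"{filename} launched from {directory!r}, not system32"))
            if lower_name.endswith(".dll"):
                if kind in {"O2", "O20"}:
                    hooks[lower_name].add(kind)
                if looks_random(stem):
                    findings.append((line, f"random-looking DLL name {stem!r} (weak signal)"))
        if kind == "O2":
            if "(no name)" in line:
                findings.append((line, "BHO registered without a name"))
            if "(file missing)" in line:
                findings.append((line, "BHO points at a file that is gone (orphaned hook)"))
    # The Vundo signature: one DLL loaded both by IE (BHO) and by winlogon (Notify),
    # so closing the browser does not unload it and it survives a reboot.
    for dll, kinds in hooks.items():
        if len(kinds) > 1:
            findings.append((dll, f"same DLL hooked as {sorted(kinds)}"))
    return findings


if __name__ == "__main__":
    for where, reason in triage(SAMPLE_LOG):
        print(f"[!] {reason}\n    {where}")
```

Run it as-is to see the nine findings for the sample; to triage a real log, read the file into `triage()` instead of `SAMPLE_LOG`. The correlation rule is the one worth keeping even if you discard the name heuristic: a DLL that is both a BHO and a Winlogon Notify package is reloaded by winlogon.exe at every logon, which is exactly why Spybot kept finding the same Virtumonde entry after "deleting" it.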


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 July 2008 - 12:29 PM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 luis123

luis123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 02 July 2008 - 02:31 PM

Thank you for your response, here are the reports:

ComboFix 08-07-01.5 - Luis 2008-07-02 12:13:43.1 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Luis\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BM1f2cf044.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\afdimwbi.dll
C:\WINDOWS\system32\agmdjdwh.dll
C:\WINDOWS\system32\bdNXHkkj.ini
C:\WINDOWS\system32\bdNXHkkj.ini2
C:\WINDOWS\system32\cdbibalq.dll
C:\WINDOWS\system32\ckiqgoee.dll
C:\WINDOWS\system32\f10
C:\WINDOWS\system32\faskgbvu.dll
C:\WINDOWS\system32\fsihskmn.ini
C:\WINDOWS\system32\ghwpowhn.dll
C:\WINDOWS\system32\GjkRAcfe.ini
C:\WINDOWS\system32\GjkRAcfe.ini2
C:\WINDOWS\system32\gpmjccqd.dll
C:\WINDOWS\system32\hrgluqij.dll
C:\WINDOWS\system32\ibwmidfa.ini
C:\WINDOWS\system32\KmVvycdd.ini
C:\WINDOWS\system32\KmVvycdd.ini2
C:\WINDOWS\system32\mkkmykop.dll
C:\WINDOWS\system32\mlJYooMd.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mSsYJRqr.ini
C:\WINDOWS\system32\mSsYJRqr.ini2
C:\WINDOWS\system32\oxxzlx.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pgnvcyit.ini
C:\WINDOWS\system32\pihawewe.dll
C:\WINDOWS\system32\qlabibdc.ini
C:\WINDOWS\system32\rkvgalux.dll
C:\WINDOWS\system32\rmvxux.dll
C:\WINDOWS\system32\tiycvngp.dll
C:\WINDOWS\system32\tolwkcux.dll
C:\WINDOWS\system32\tztpfa.dll
C:\WINDOWS\system32\urvkvhxh.dll
C:\WINDOWS\system32\uxoxas.dll
C:\WINDOWS\system32\vlxurxrq.ini
C:\WINDOWS\system32\vsduvliw.dll
C:\WINDOWS\system32\wropqe.dll
C:\WINDOWS\system32\xaGiPqss.ini
C:\WINDOWS\system32\xaGiPqss.ini2
C:\WINDOWS\system32\xulagvkr.ini
C:\WINDOWS\system32\xwgpttmr.dll
C:\WINDOWS\system32\zlwejc.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-02 09:05 . 2008-07-02 09:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-02 09:02 . 2008-07-02 09:02 <DIR> d-------- C:\Deckard
2008-06-28 12:56 . 2008-06-28 12:56 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-06-28 12:53 . 2008-06-28 12:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-27 11:20 . 2008-06-30 09:44 507 --a------ C:\WINDOWS\wininit.ini
2008-06-27 10:42 . 2008-06-27 10:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-27 10:42 . 2008-06-27 11:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 21:20 . 2008-06-29 23:22 110,461 --a------ C:\WINDOWS\BM1f2cf044.xml
2008-06-24 22:51 . 2008-06-24 22:51 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-06-24 22:48 . 2008-06-24 22:48 <DIR> d-------- C:\WINDOWS\system32\vec3
2008-06-24 22:48 . 2008-06-24 22:48 <DIR> d-------- C:\WINDOWS\system32\bam
2008-06-24 22:47 . 2008-06-28 11:41 <DIR> d-------- C:\WINDOWS\system32\modtrux18
2008-06-24 22:47 . 2008-06-24 22:48 <DIR> d-------- C:\Temp\syschk3
2008-06-24 22:47 . 2008-07-02 12:13 <DIR> d-------- C:\Temp
2008-06-24 22:47 . 2008-06-24 22:47 90,624 --a------ C:\WINDOWS\system32\qoMdDusT.dll
2008-06-24 22:46 . 2008-06-27 10:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 19:35 . 2008-06-16 19:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-16 19:35 . 2008-06-16 19:35 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-16 19:31 . 2008-06-16 19:31 <DIR> dr-h----- C:\MSOCache
2008-06-16 18:34 . 2008-06-16 18:34 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-06-10 15:19 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 16:05 . 2008-06-09 16:06 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-06-09 16:00 . 2008-06-09 16:00 <DIR> d-------- C:\Program Files\Lexmark X74-X75
2008-06-09 15:59 . 2008-06-09 15:59 <DIR> d-------- C:\Documents and Settings\Luis\WINDOWS
2008-06-09 15:59 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-06-03 06:35 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-06-03 06:35 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 03:15 --------- d-----w C:\Documents and Settings\Administrator Guest\Application Data\LimeWire
2008-06-17 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 04:07 --------- d-----w C:\Documents and Settings\Luis\Application Data\Apple Computer
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 05:08 --------- d-----w C:\Documents and Settings\Erika\Application Data\Snapfish
2008-05-04 04:43 --------- d-----w C:\Program Files\Apple Software Update
2008-05-04 03:56 --------- d-----w C:\Program Files\iTunes
2008-05-04 03:55 --------- d-----w C:\Program Files\iPod
2008-05-04 03:52 --------- d-----w C:\Program Files\QuickTime
2008-05-02 17:22 --------- d-----w C:\Program Files\M&Ms The Lost Formulas
2008-04-21 03:47 44,400 ----a-w C:\Documents and Settings\Erika\Application Data\GDIPFONTCACHEV1.DAT
2008-02-09 03:22 44,400 ----a-w C:\Documents and Settings\Administrator Guest\Application Data\GDIPFONTCACHEV1.DAT
2008-02-07 14:50 44,400 ----a-w C:\Documents and Settings\Luis\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}]
2008-06-24 22:47 90624 --a------ C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 00:25 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 00:22 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 00:26 118784]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-09-25 01:37 1691648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-04-28 23:05 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-04-28 23:05 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43 407032]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 13:09 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-10 03:25 15969280 C:\WINDOWS\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}"= "C:\WINDOWS\system32\qoMdDusT.dll" [2008-06-24 22:47 90624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2008-06-24 22:47 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDusT]
2008-06-24 22:47 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"E:\\Limewire\\Limewire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 03:32:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{15736C11-C6AD-4FF5-8D43-910D196B7318} - C:\WINDOWS\system32\ddcyvVmK.dll
BHO-{1F729F51-CC87-4DDF-AB15-59984357866B} - C:\WINDOWS\system32\efcARkjG.dll
BHO-{29BEF6E9-EC70-4480-9D43-1BB47E671387} - C:\WINDOWS\system32\jkkHXNdb.dll
BHO-{37236621-6408-4989-98E1-0EDE636CBC0C} - C:\WINDOWS\system32\ssqPiGax.dll
HKLM-Run-BM1f2cf044 - C:\WINDOWS\system32\hrgluqij.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 12:19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-02 12:20:11
ComboFix-quarantined-files.txt 2008-07-02 19:20:02

Pre-Run: 73,906,638,848 bytes free
Post-Run: 74,733,826,048 bytes free

178 --- E O F --- 2008-06-20 06:10:59



And here is the new HijackThis log:

Deckard's System Scanner v20071014.68
Run by Luis on 2008-07-02 12:25:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Luis.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:53 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Limewire\Limewire\LimeWire.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\Luis\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Luis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg1.mail.yahoo.com/dc/launch?.rand=7dj6l81uhnrk9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {15736C11-C6AD-4FF5-8D43-910D196B7318} - (no file)
O2 - BHO: (no name) - {1F729F51-CC87-4DDF-AB15-59984357866B} - (no file)
O2 - BHO: (no name) - {25DEF282-4462-4D79-9F04-883C058515A5} - (no file)
O2 - BHO: (no name) - {29BEF6E9-EC70-4480-9D43-1BB47E671387} - (no file)
O2 - BHO: (no name) - {37236621-6408-4989-98E1-0EDE636CBC0C} - (no file)
O2 - BHO: (no name) - {430A604F-70B2-43B7-8F55-E15C3D8455BC} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7e73e324-203b-48ee-9ffa-4ea212073da3} - (no file)
O2 - BHO: (no name) - {D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2} - C:\WINDOWS\system32\qoMdDusT.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = E:\Limewire\Limewire\LimeWire.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/29.55/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} (Microsoft Office Live Workspace Upload Tool) - http://workspace.office.live.com/Misc/Micr....RichUpload.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: qoMdDusT - C:\WINDOWS\SYSTEM32\qoMdDusT.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 8576 bytes

-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 12:13:09 68096 --a------ C:\WINDOWS\zip.exe
2008-07-02 12:13:09 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-02 12:13:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-02 12:13:09 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-02 12:13:09 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-02 12:13:09 98816 --a------ C:\WINDOWS\sed.exe
2008-07-02 12:13:09 80412 --a------ C:\WINDOWS\grep.exe
2008-07-02 12:13:09 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-02 09:05:00 0 d-------- C:\Program Files\Trend Micro
2008-06-30 21:16:32 0 d-------- C:\Documents and Settings\Erika\Application Data\Mozilla
2008-06-28 15:02:58 0 d-------- C:\Documents and Settings\Administrator Guest\Application Data\Mozilla
2008-06-28 12:53:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-28 12:53:10 0 d-------- C:\Documents and Settings\Luis\Application Data\Mozilla
2008-06-27 10:42:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 22:51:44 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-06-24 22:48:04 0 d-------- C:\WINDOWS\system32\bam
2008-06-24 22:48:03 0 d-------- C:\WINDOWS\system32\vec3
2008-06-24 22:47:56 0 d-------- C:\WINDOWS\system32\modtrux18
2008-06-24 22:47:56 0 d-------- C:\Temp
2008-06-24 22:47:52 90624 --a------ C:\WINDOWS\system32\qoMdDusT.dll
2008-06-24 22:46:40 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 19:35:59 0 d-------- C:\Program Files\Microsoft Works
2008-06-16 19:35:06 0 d-------- C:\Program Files\Microsoft.NET
2008-06-16 19:31:49 0 dr-h----- C:\MSOCache
2008-06-16 18:34:26 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-06-09 16:05:45 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-06-09 16:00:00 0 d-------- C:\Program Files\Lexmark X74-X75
2008-06-09 15:59:46 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-06-09 15:59:38 0 d-------- C:\Documents and Settings\Luis\WINDOWS


-- Find3M Report ---------------------------------------------------------------

2008-06-02 21:07:01 0 d-------- C:\Documents and Settings\Luis\Application Data\Apple Computer
2008-05-03 21:43:51 0 d-------- C:\Program Files\Apple Software Update
2008-05-03 20:56:47 0 d-------- C:\Program Files\iTunes
2008-05-03 20:55:52 0 d-------- C:\Program Files\iPod
2008-05-03 20:52:20 0 d-------- C:\Program Files\QuickTime
2008-05-02 10:22:36 0 d-------- C:\Program Files\M&Ms The Lost Formulas
2008-04-14 21:02:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15736C11-C6AD-4FF5-8D43-910D196B7318}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F729F51-CC87-4DDF-AB15-59984357866B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25DEF282-4462-4D79-9F04-883C058515A5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29BEF6E9-EC70-4480-9D43-1BB47E671387}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37236621-6408-4989-98E1-0EDE636CBC0C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{430A604F-70B2-43B7-8F55-E15C3D8455BC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7e73e324-203b-48ee-9ffa-4ea212073da3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}]
06/24/2008 10:47 PM 90624 --a------ C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/03/2005 12:25 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/03/2005 12:22 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/03/2005 12:26 AM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/10/2006 03:25 AM C:\WINDOWS\RTHDCPL.exe]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [09/25/2004 01:37 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [04/28/2007 11:05 PM]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [04/28/2007 11:05 PM]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [07/21/2006 10:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [10/14/2002 01:09 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\Luis\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - E:\Limewire\Limewire\LimeWire.exe [6/21/2006 7:58:33 AM]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [4/13/2007 4:31:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [4/4/2007 12:19:25 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}"= C:\WINDOWS\system32\qoMdDusT.dll [06/24/2008 10:47 PM 90624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
qoMdDusT.dll 06/24/2008 10:47 PM 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDusT]
qoMdDusT.dll 06/24/2008 10:47 PM 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-02 12:27:59 ------------

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:58 AM

Posted 02 July 2008 - 02:43 PM

Hi,

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


The first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, * Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\BM1f2cf044.xml
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\qoMdDusT.dll
Folder::
C:\WINDOWS\system32\vec3
C:\WINDOWS\system32\bam
C:\WINDOWS\system32\modtrux18
C:\Temp\syschk3
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15736C11-C6AD-4FF5-8D43-910D196B7318}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F729F51-CC87-4DDF-AB15-59984357866B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25DEF282-4462-4D79-9F04-883C058515A5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29BEF6E9-EC70-4480-9D43-1BB47E671387}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37236621-6408-4989-98E1-0EDE636CBC0C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{430A604F-70B2-43B7-8F55-E15C3D8455BC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7e73e324-203b-48ee-9ffa-4ea212073da3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDusT]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
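As an added example, not part of this thread and not a BleepingComputer or ComboFix tool, here is the cross-check the helper did by eye above written as a script: it reads HijackThis O2/O20 lines and the ComboFix ShellExecuteHooks entry, flags the one DLL that sits in all three load points, lists the orphaned BHO CLSIDs, and prints the File::/Registry:: part of a CFScript in the same format. The embedded sample lines are copied from the logs posted earlier in the thread; the function names are my own.

```python
"""Scripted triage for the Vundo/Virtumonde pattern in the thread above.

Cross-references HijackThis O2 (BHO) and O20 (Winlogon Notify) lines with
the ShellExecuteHooks section of a ComboFix "Reg Loading Points" dump, then
emits the File::/Registry:: part of a CFScript in the thread's format.
Heuristic only: an analyst still reviews the full log (Folder:: entries etc.).
"""
import re

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# ComboFix writes the hook as "{clsid}"= "path" [..]; DSS writes "{clsid}"= path [..]
HOOK_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"=\s*"?(?P<path>[^"\[]+?)"?\s*(?:\[.*)?$')

# Registry key spellings exactly as the CFScript in the thread writes them
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
HOOK_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks"


def parse_logs(hjt_lines, combofix_lines):
    """Return (bhos, notify, hooks): clsid -> (name, path), key -> path, clsid -> path."""
    bhos, notify, hooks = {}, {}, {}
    for line in hjt_lines:
        line = line.strip()
        if m := O2_RE.match(line):
            bhos[m["clsid"]] = (m["name"], m["path"].strip())
        elif m := O20_RE.match(line):
            notify[m["key"]] = m["path"].strip()
    section = ""
    for line in combofix_lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()  # remember which registry key the values below belong to
        elif "shellexecutehooks" in section:
            if m := HOOK_RE.match(line):
                hooks[m["clsid"]] = m["path"].strip()
    return bhos, notify, hooks


def triage(bhos, notify, hooks):
    """Orphaned BHO CLSIDs, and DLLs registered at more than one load point."""
    orphans = sorted(c for c, (_, p) in bhos.items() if p.lower() == "(no file)")
    points = {}  # lower-cased dll path -> [path as first seen, {load-point labels}]

    def add(path, label):
        if path.lower().endswith(".dll"):
            points.setdefault(path.lower(), [path, set()])[1].add(label)

    for clsid, (_, path) in bhos.items():
        add(path, "BHO " + clsid)
    for key, path in notify.items():
        add(path, "WinlogonNotify " + key)
    for clsid, path in hooks.items():
        add(path, "ShellExecuteHook " + clsid)
    # One DLL that is a BHO, a ShellExecuteHook and a Winlogon Notify package at
    # once is the Vundo fingerprint; a legitimate toolbar DLL has a single entry.
    return orphans, {path: sorted(labels) for path, labels in points.values() if len(labels) > 1}


def build_cfscript(orphans, suspects):
    """Emit the File:: and Registry:: sections in the thread's CFScript format."""
    registry = [f"[-{BHO_KEY}\\{clsid}]" for clsid in orphans]
    hook_values = []
    for path, labels in sorted(suspects.items()):
        for label in labels:
            kind, ident = label.split(" ", 1)
            if kind == "BHO":
                registry.append(f"[-{BHO_KEY}\\{ident}]")
            elif kind == "WinlogonNotify":
                registry.append(f"[-{NOTIFY_KEY}\\{ident}]")
            else:  # ShellExecuteHook: delete the value ("=-"), keep the key itself
                hook_values.append(f'"{ident}"=-')
    if hook_values:
        registry.append(f"[{HOOK_KEY}]")
        registry.extend(hook_values)
    return "\n".join(["File::", *sorted(suspects), "Registry::", *registry]) + "\n"


# Sample input: lines copied from the HijackThis and ComboFix logs posted in this thread
HJT_SAMPLE = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {15736C11-C6AD-4FF5-8D43-910D196B7318} - (no file)
O2 - BHO: (no name) - {D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2} - C:\WINDOWS\system32\qoMdDusT.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: qoMdDusT - C:\WINDOWS\SYSTEM32\qoMdDusT.dll
"""
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}"= "C:\WINDOWS\system32\qoMdDusT.dll" [2008-06-24 22:47 90624]
"""

if __name__ == "__main__":
    orphans, suspects = triage(*parse_logs(HJT_SAMPLE.splitlines(), COMBOFIX_SAMPLE.splitlines()))
    print("suspects:", suspects)
    print(build_cfscript(orphans, suspects))
```

Folder:: entries and the AutorunsDisabled notify key, which the helper took from the ComboFix dump, lie outside what these three load points expose and still need an analyst.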

#5 luis123

luis123
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 02 July 2008 - 03:05 PM

Alright, thank you, here are the logs:

ComboFix 08-07-01.5 - Luis 2008-07-02 13:00:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1498 [GMT -7:00]
Running from: C:\Documents and Settings\Luis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Luis\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM1f2cf044.xml

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-02 12:24 . 2008-07-02 12:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-02 12:24 . 2008-07-02 12:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-02 09:05 . 2008-07-02 09:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-02 09:02 . 2008-07-02 09:02 <DIR> d-------- C:\Deckard
2008-06-28 12:56 . 2008-06-28 12:56 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-06-28 12:53 . 2008-06-28 12:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-27 11:20 . 2008-06-30 09:44 507 --a------ C:\WINDOWS\wininit.ini
2008-06-27 10:42 . 2008-06-27 10:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-27 10:42 . 2008-06-27 11:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 22:51 . 2008-06-24 22:51 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-06-24 22:48 . 2008-06-24 22:48 <DIR> d-------- C:\WINDOWS\system32\vec3
2008-06-24 22:48 . 2008-06-24 22:48 <DIR> d-------- C:\WINDOWS\system32\bam
2008-06-24 22:47 . 2008-06-28 11:41 <DIR> d-------- C:\WINDOWS\system32\modtrux18
2008-06-24 22:47 . 2008-06-24 22:48 <DIR> d-------- C:\Temp\syschk3
2008-06-24 22:47 . 2008-07-02 12:13 <DIR> d-------- C:\Temp
2008-06-24 22:47 . 2008-06-24 22:47 90,624 --a------ C:\WINDOWS\system32\qoMdDusT.dll
2008-06-24 22:46 . 2008-06-27 10:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 19:35 . 2008-06-16 19:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-16 19:35 . 2008-06-16 19:35 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-16 19:31 . 2008-06-16 19:31 <DIR> dr-h----- C:\MSOCache
2008-06-16 18:34 . 2008-06-16 18:34 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-06-10 15:19 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 16:05 . 2008-06-09 16:06 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-06-09 16:00 . 2008-06-09 16:00 <DIR> d-------- C:\Program Files\Lexmark X74-X75
2008-06-09 15:59 . 2008-06-09 15:59 <DIR> d-------- C:\Documents and Settings\Luis\WINDOWS
2008-06-09 15:59 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-06-03 06:35 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-06-03 06:35 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 03:15 --------- d-----w C:\Documents and Settings\Administrator Guest\Application Data\LimeWire
2008-06-17 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 04:07 --------- d-----w C:\Documents and Settings\Luis\Application Data\Apple Computer
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 05:08 --------- d-----w C:\Documents and Settings\Erika\Application Data\Snapfish
2008-05-04 04:43 --------- d-----w C:\Program Files\Apple Software Update
2008-05-04 03:56 --------- d-----w C:\Program Files\iTunes
2008-05-04 03:55 --------- d-----w C:\Program Files\iPod
2008-05-04 03:52 --------- d-----w C:\Program Files\QuickTime
2008-05-02 17:22 --------- d-----w C:\Program Files\M&Ms The Lost Formulas
2008-04-21 03:47 44,400 ----a-w C:\Documents and Settings\Erika\Application Data\GDIPFONTCACHEV1.DAT
2008-02-09 03:22 44,400 ----a-w C:\Documents and Settings\Administrator Guest\Application Data\GDIPFONTCACHEV1.DAT
2008-02-07 14:50 44,400 ----a-w C:\Documents and Settings\Luis\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-07-02_12.19.55.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-02 19:07:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 19:57:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}]
2008-06-24 22:47 90624 --a------ C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 00:25 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 00:22 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 00:26 118784]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-09-25 01:37 1691648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-04-28 23:05 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-04-28 23:05 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43 407032]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 13:09 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-10 03:25 15969280 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\Erika\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-04-13 16:31:12 2885168]

C:\Documents and Settings\Luis\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - E:\Limewire\Limewire\LimeWire.exe [2006-06-21 07:58:33 159744]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-04-13 16:31:12 2885168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-04-04 12:19:25 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}"= "C:\WINDOWS\system32\qoMdDusT.dll" [2008-06-24 22:47 90624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2008-06-24 22:47 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDusT]
2008-06-24 22:47 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"E:\\Limewire\\Limewire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

S1 nwrdrr;nwrdrr;C:\WINDOWS\system32\drivers\nwrdrr.sys []
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;C:\WINDOWS\system32\Drivers\BUSB2902.sys [2006-07-03 04:34]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 03:32:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{15736C11-C6AD-4FF5-8D43-910D196B7318} - (no file)
BHO-{1F729F51-CC87-4DDF-AB15-59984357866B} - (no file)
BHO-{25DEF282-4462-4D79-9F04-883C058515A5} - (no file)
BHO-{29BEF6E9-EC70-4480-9D43-1BB47E671387} - (no file)
BHO-{37236621-6408-4989-98E1-0EDE636CBC0C} - (no file)
BHO-{430A604F-70B2-43B7-8F55-E15C3D8455BC} - (no file)
BHO-{7e73e324-203b-48ee-9ffa-4ea212073da3} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 13:01:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-02 13:02:47
ComboFix-quarantined-files.txt 2008-07-02 20:02:35
ComboFix2.txt 2008-07-02 19:20:12

Pre-Run: 74,652,315,648 bytes free
Post-Run: 74,617,106,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

153 --- E O F --- 2008-06-20 06:10:59


And here's the HijackThis log:

Deckard's System Scanner v20071014.68
Run by Luis on 2008-07-02 13:03:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Luis.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:35 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
E:\Limewire\Limewire\LimeWire.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Luis\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Luis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg1.mail.yahoo.com/dc/launch?.rand=7dj6l81uhnrk9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2} - C:\WINDOWS\system32\qoMdDusT.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = E:\Limewire\Limewire\LimeWire.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/29.55/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} (Microsoft Office Live Workspace Upload Tool) - http://workspace.office.live.com/Misc/Micr....RichUpload.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: qoMdDusT - C:\WINDOWS\SYSTEM32\qoMdDusT.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7405 bytes

-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 12:59:49 0 d-------- C:\cmdcons
2008-07-02 12:13:09 68096 --a------ C:\WINDOWS\zip.exe
2008-07-02 12:13:09 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-02 12:13:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-02 12:13:09 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-02 12:13:09 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-02 12:13:09 98816 --a------ C:\WINDOWS\sed.exe
2008-07-02 12:13:09 80412 --a------ C:\WINDOWS\grep.exe
2008-07-02 12:13:09 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-02 09:05:00 0 d-------- C:\Program Files\Trend Micro
2008-06-30 21:16:32 0 d-------- C:\Documents and Settings\Erika\Application Data\Mozilla
2008-06-28 15:02:58 0 d-------- C:\Documents and Settings\Administrator Guest\Application Data\Mozilla
2008-06-28 12:53:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-28 12:53:10 0 d-------- C:\Documents and Settings\Luis\Application Data\Mozilla
2008-06-27 10:42:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 22:51:44 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-06-24 22:48:04 0 d-------- C:\WINDOWS\system32\bam
2008-06-24 22:48:03 0 d-------- C:\WINDOWS\system32\vec3
2008-06-24 22:47:56 0 d-------- C:\WINDOWS\system32\modtrux18
2008-06-24 22:47:56 0 d-------- C:\Temp
2008-06-24 22:47:52 90624 --a------ C:\WINDOWS\system32\qoMdDusT.dll
2008-06-24 22:46:40 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 19:35:59 0 d-------- C:\Program Files\Microsoft Works
2008-06-16 19:35:06 0 d-------- C:\Program Files\Microsoft.NET
2008-06-16 19:31:49 0 dr-h----- C:\MSOCache
2008-06-16 18:34:26 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-06-09 16:05:45 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-06-09 16:00:00 0 d-------- C:\Program Files\Lexmark X74-X75
2008-06-09 15:59:46 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-06-09 15:59:38 0 d-------- C:\Documents and Settings\Luis\WINDOWS


-- Find3M Report ---------------------------------------------------------------

2008-06-02 21:07:01 0 d-------- C:\Documents and Settings\Luis\Application Data\Apple Computer
2008-05-03 21:43:51 0 d-------- C:\Program Files\Apple Software Update
2008-05-03 20:56:47 0 d-------- C:\Program Files\iTunes
2008-05-03 20:55:52 0 d-------- C:\Program Files\iPod
2008-05-03 20:52:20 0 d-------- C:\Program Files\QuickTime
2008-05-02 10:22:36 0 d-------- C:\Program Files\M&Ms The Lost Formulas
2008-04-14 21:02:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}]
06/24/2008 10:47 PM 90624 --a------ C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/03/2005 12:25 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/03/2005 12:22 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/03/2005 12:26 AM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/10/2006 03:25 AM C:\WINDOWS\RTHDCPL.exe]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [09/25/2004 01:37 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [04/28/2007 11:05 PM]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [04/28/2007 11:05 PM]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [07/21/2006 10:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [10/14/2002 01:09 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

C:\Documents and Settings\Luis\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - E:\Limewire\Limewire\LimeWire.exe [6/21/2006 7:58:33 AM]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [4/13/2007 4:31:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [4/4/2007 12:19:25 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{D3F901B9-7C4B-4B7D-9836-F21F8E68FDC2}"= C:\WINDOWS\system32\qoMdDusT.dll [06/24/2008 10:47 PM 90624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
qoMdDusT.dll 06/24/2008 10:47 PM 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdDusT]
qoMdDusT.dll 06/24/2008 10:47 PM 90624 C:\WINDOWS\system32\qoMdDusT.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-02 13:03:52 ------------

#6 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:58 AM

Posted 02 July 2008 - 03:15 PM

Hi,

Can you perform the step with CFScript please? Because I see you didn't perform that step yet. Then post the new logs in your next reply.

#7 luis123
  • Topic Starter
  • Members
  • 5 posts
  • Local time:03:58 AM

Posted 02 July 2008 - 03:23 PM

Ok, here are the new logs:

ComboFix 08-07-01.5 - Luis 2008-07-02 13:19:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1489 [GMT -7:00]
Running from: C:\Documents and Settings\Luis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Luis\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM1f2cf044.xml
C:\WINDOWS\system32\qoMdDusT.dll
C:\WINDOWS\system32\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Luis\Application Data\urlredir.cfg
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Temp\syschk3
C:\Temp\syschk3\tdirp5.log
C:\WINDOWS\system32\bam
C:\WINDOWS\system32\bam\covmarNV.exe
C:\WINDOWS\system32\modtrux18
C:\WINDOWS\system32\qoMdDusT.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vec3

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-02 12:24 . 2008-07-02 12:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-02 12:24 . 2008-07-02 12:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-02 09:05 . 2008-07-02 09:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-02 09:02 . 2008-07-02 09:02 <DIR> d-------- C:\Deckard
2008-06-28 12:56 . 2008-06-28 12:56 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-06-28 12:53 . 2008-06-28 12:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-27 11:20 . 2008-06-30 09:44 507 --a------ C:\WINDOWS\wininit.ini
2008-06-27 10:42 . 2008-06-27 10:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-27 10:42 . 2008-06-27 11:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 22:47 . 2008-07-02 13:19 <DIR> d-------- C:\Temp
2008-06-24 22:46 . 2008-06-27 10:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 19:35 . 2008-06-16 19:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-16 19:35 . 2008-06-16 19:35 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-16 19:31 . 2008-06-16 19:31 <DIR> dr-h----- C:\MSOCache
2008-06-16 18:34 . 2008-06-16 18:34 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-06-10 15:19 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 16:05 . 2008-06-09 16:06 <DIR> d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-06-09 16:00 . 2008-06-09 16:00 <DIR> d-------- C:\Program Files\Lexmark X74-X75
2008-06-09 15:59 . 2008-06-09 15:59 <DIR> d-------- C:\Documents and Settings\Luis\WINDOWS
2008-06-09 15:59 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-06-03 06:35 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-06-03 06:35 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 03:15 --------- d-----w C:\Documents and Settings\Administrator Guest\Application Data\LimeWire
2008-06-17 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 04:07 --------- d-----w C:\Documents and Settings\Luis\Application Data\Apple Computer
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 05:08 --------- d-----w C:\Documents and Settings\Erika\Application Data\Snapfish
2008-05-04 04:43 --------- d-----w C:\Program Files\Apple Software Update
2008-05-04 03:56 --------- d-----w C:\Program Files\iTunes
2008-05-04 03:55 --------- d-----w C:\Program Files\iPod
2008-05-04 03:52 --------- d-----w C:\Program Files\QuickTime
2008-05-02 17:22 --------- d-----w C:\Program Files\M&Ms The Lost Formulas
2008-04-21 03:47 44,400 ----a-w C:\Documents and Settings\Erika\Application Data\GDIPFONTCACHEV1.DAT
2008-02-09 03:22 44,400 ----a-w C:\Documents and Settings\Administrator Guest\Application Data\GDIPFONTCACHEV1.DAT
2008-02-07 14:50 44,400 ----a-w C:\Documents and Settings\Luis\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-07-02_12.19.55.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-02 19:07:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 19:57:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-03 00:25 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-03 00:22 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-03 00:26 118784]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-09-25 01:37 1691648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-04-28 23:05 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-04-28 23:05 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43 407032]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 13:09 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-10 03:25 15969280 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\Erika\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-04-13 16:31:12 2885168]

C:\Documents and Settings\Luis\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - E:\Limewire\Limewire\LimeWire.exe [2006-06-21 07:58:33 159744]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-04-13 16:31:12 2885168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-04-04 12:19:25 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"E:\\Limewire\\Limewire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

S1 nwrdrr;nwrdrr;C:\WINDOWS\system32\drivers\nwrdrr.sys []
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;C:\WINDOWS\system32\Drivers\BUSB2902.sys [2006-07-03 04:34]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-04 03:32:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 13:20:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-02 13:21:02
ComboFix-quarantined-files.txt 2008-07-02 20:20:45
ComboFix2.txt 2008-07-02 20:02:48
ComboFix3.txt 2008-07-02 19:20:12

Pre-Run: 74,607,304,704 bytes free
Post-Run: 74,590,601,216 bytes free

138 --- E O F --- 2008-06-20 06:10:59


And the HijackThis log:

Deckard's System Scanner v20071014.68
Run by Luis on 2008-07-02 13:21:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Luis.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:46 PM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\svchost.exe
E:\Limewire\Limewire\LimeWire.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Luis\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Luis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg1.mail.yahoo.com/dc/launch?.rand=7dj6l81uhnrk9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = E:\Limewire\Limewire\LimeWire.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/29.55/uploader2.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} (Microsoft Office Live Workspace Upload Tool) - http://workspace.office.live.com/Misc/Micr....RichUpload.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7152 bytes

-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 12:59:49 0 d-------- C:\cmdcons
2008-07-02 12:13:09 68096 --a------ C:\WINDOWS\zip.exe
2008-07-02 12:13:09 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-02 12:13:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-02 12:13:09 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-02 12:13:09 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-02 12:13:09 98816 --a------ C:\WINDOWS\sed.exe
2008-07-02 12:13:09 80412 --a------ C:\WINDOWS\grep.exe
2008-07-02 12:13:09 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-02 09:05:00 0 d-------- C:\Program Files\Trend Micro
2008-06-30 21:16:32 0 d-------- C:\Documents and Settings\Erika\Application Data\Mozilla
2008-06-28 15:02:58 0 d-------- C:\Documents and Settings\Administrator Guest\Application Data\Mozilla
2008-06-28 12:53:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-28 12:53:10 0 d-------- C:\Documents and Settings\Luis\Application Data\Mozilla
2008-06-27 10:42:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 22:47:56 0 d-------- C:\Temp
2008-06-24 22:46:40 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-16 19:35:59 0 d-------- C:\Program Files\Microsoft Works
2008-06-16 19:35:06 0 d-------- C:\Program Files\Microsoft.NET
2008-06-16 19:31:49 0 dr-h----- C:\MSOCache
2008-06-16 18:34:26 0 d-------- C:\WINDOWS\.jagex_cache_32
2008-06-09 16:05:45 0 d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-06-09 16:00:00 0 d-------- C:\Program Files\Lexmark X74-X75
2008-06-09 15:59:46 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-06-09 15:59:38 0 d-------- C:\Documents and Settings\Luis\WINDOWS


-- Find3M Report ---------------------------------------------------------------

2008-06-02 21:07:01 0 d-------- C:\Documents and Settings\Luis\Application Data\Apple Computer
2008-05-03 21:43:51 0 d-------- C:\Program Files\Apple Software Update
2008-05-03 20:56:47 0 d-------- C:\Program Files\iTunes
2008-05-03 20:55:52 0 d-------- C:\Program Files\iPod
2008-05-03 20:52:20 0 d-------- C:\Program Files\QuickTime
2008-05-02 10:22:36 0 d-------- C:\Program Files\M&Ms The Lost Formulas
2008-04-14 21:02:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/03/2005 12:25 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/03/2005 12:22 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/03/2005 12:26 AM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [02/10/2006 03:25 AM C:\WINDOWS\RTHDCPL.exe]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [09/25/2004 01:37 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [04/28/2007 11:05 PM]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [04/28/2007 11:05 PM]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [07/21/2006 10:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [10/14/2002 01:09 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

C:\Documents and Settings\Luis\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - E:\Limewire\Limewire\LimeWire.exe [6/21/2006 7:58:33 AM]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [4/13/2007 4:31:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [4/4/2007 12:19:25 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-02 13:22:02 ------------

#8 miekiemoes (Malware Response Team)

Posted 02 July 2008 - 03:31 PM

Hi,

Almost done. :thumbsup:

Go to start > run and copy and paste next command in the field:

sc delete nwrdrr


Hit enter.
A black dosbox will open and close immediately again. This is normal.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
<== this is a resource hog
O8 - Extra context menu item: &Search - ?p=ZJ

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Also, I see your DNS is set to OpenDNS. Not sure if you have set it yourself; Spybot S&D or other tools may have set it to OpenDNS.
Read here for more info on what OpenDNS is: http://www.opendns.com/start/
Read here on how OpenDNS is manually set: http://www.opendns.com/start/windows_xp.php

In case you don't want to use this OpenDNS service, check and fix next entry in HijackThis:

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

In case you want to use this service, then leave it as it is.


* Then, go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
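As an added example (not code from this thread, from HijackThis or from the helper), the following Python script applies the same three checks miekiemoes made on the HijackThis log above, so a reader can see how that triage generalises: an O2 BHO entry ending in "(no file)", an O8 context-menu entry whose target is not a res:// resource or URL, and an O17 NameServer entry whose resolvers are compared against the two OpenDNS addresses named in the post. The sample lines are copied from this thread's log; the 192.0.2.1 resolver used in the unknown-DNS check is a constructed value.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis lines taken from the log posted in this thread,
# including the three entries the helper asked to have fixed and benign ones for contrast.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - AutorunsDisabled - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O8 - Extra context menu item: &Search - ?p=ZJ",
    r"O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222",
]

# The OpenDNS resolvers the helper identified in the O17 line; anything else is flagged for review.
KNOWN_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# HijackThis entries start with a section tag (O2, O4, O17, R0, ...) followed by " - ".
LINE_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if it needs no attention."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)

    # O2: a Browser Helper Object registered in the registry but whose DLL is gone.
    if section == "O2" and body.endswith("(no file)"):
        return Finding(section, line, "BHO registration points to a missing file (orphaned entry)")

    # O8: the target after the last " - " should be a res:// resource or a URL.
    if section == "O8":
        target = body.rsplit(" - ", 1)[-1]
        if not re.match(r"^(res://|https?://|file://)", target, re.I):
            return Finding(section, line, f"context-menu target {target!r} is not a resource or URL")

    # O17: DNS servers set per interface; compare against the resolvers we recognise.
    if section == "O17":
        value = body.split("=", 1)[1] if "=" in body else ""
        servers = [s.strip() for s in value.split(",") if s.strip()]
        unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
        if unknown:
            return Finding(section, line, "unrecognised DNS servers: " + ", ".join(unknown))
        return Finding(section, line, "DNS is set to OpenDNS; confirm the user chose this")

    return None


def triage(log_lines: List[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep the entries worth a second look."""
    return [f for f in (triage_line(raw) for raw in log_lines) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"{finding.section}: {finding.reason}\n    {finding.line}")
```

Running the block prints three findings for the sample: the orphaned O2 BHO, the "?p=ZJ" context-menu entry, and the O17 OpenDNS line, while the Java BHO, ctfmon.exe and the Excel export entry pass unremarked, which matches the fix list in the post above.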

#9 luis123 (Topic Starter)

Posted 02 July 2008 - 03:43 PM

Thank you for all of your help. I did everything you asked and so far there are no problems. I greatly appreciate your help in fixing my computer. :thumbsup: :)

#10 miekiemoes (Malware Response Team)

Posted 02 July 2008 - 03:46 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes (Malware Response Team)

Posted 04 July 2008 - 07:30 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.