Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Trojan Dler, Not-a-virus, Rootkit


  • This topic is locked This topic is locked
16 replies to this topic

#1 Patojo007

Patojo007

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 05 July 2008 - 09:12 PM

DSS
Deckard's System Scanner v20071014.68

Run by Walter on 2008-07-05 17:45:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
75: 2008-07-06 00:35:59 UTC - RP217 - Deckard's System Scanner Restore Point
74: 2008-07-05 22:40:16 UTC - RP216 - Last known good configuration
73: 2008-07-05 22:40:05 UTC - RP215 - System Checkpoint
72: 2008-07-05 22:40:04 UTC - RP214 - System Checkpoint
71: 2008-07-05 22:40:02 UTC - RP213 - System Checkpoint


-- First Restore Point --
1: 2008-07-05 22:37:51 UTC - RP143 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Walter.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:49 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Walter\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Walter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CableRouting module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\CableRouting\CableRouting.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B3F4FB17-3189-442B-DE2F-4AE678F203C7} - C:\WINDOWS\system32\ynqorjpk.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\d4ghggf4g.dll - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINDOWS\system32\d4ghggf4g.dll (file missing)
O2 - BHO: QXK Olive - {C396242E-B6B6-4B05-A755-72938F31ACB0} - C:\WINDOWS\kgqfweltnfv.dll
O2 - BHO: (no name) - {C43E05B4-F123-4CBF-BBFA-C9493EB82A9B} - C:\WINDOWS\system32\geBrsQGY.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [4493b191] rundll32.exe "C:\WINDOWS\system32\tgvprnsi.dll",b
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [f94mggfhfghodftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [f94mggfhfghodftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - Winlogon Notify: cbxuspm - cbxuspm.dll (file missing)
O20 - Winlogon Notify: pmnOHWnl - C:\WINDOWS\SYSTEM32\pmnOHWnl.dll
O21 - SSODL: E404Helper - {6f1db34f-d427-4ae3-a448-f8a4b308764e} - e404d.dll (file missing)
O21 - SSODL: okmdepgb - {493CCECD-51D8-4896-B856-46332DE9E1F2} - C:\WINDOWS\okmdepgb.dll (file missing)
O21 - SSODL: axrfgvek - {CB8C35FA-2EA6-4505-8052-523AF7529418} - C:\WINDOWS\axrfgvek.dll
O22 - SharedTaskScheduler: JGhjddf9dtj - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINDOWS\system32\d4ghggf4g.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9076 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 StarOpen - c:\windows\system32\drivers\staropen.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 ITMRTSVC (CA Pest Patrol Realtime Protection Service) - "c:\program files\ca\pprt\bin\itmrtsvc.exe" <Not Verified; CA, Inc.; eTrust PestPatrol Realtime Protection>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Video Controller
Device ID: PCI\VEN_4444&DEV_0016&SUBSYS_813D104D&REV_01\4&23C0B1C&0&00F0
Manufacturer:
Name: Multimedia Video Controller
PNP Device ID: PCI\VEN_4444&DEV_0016&SUBSYS_813D104D&REV_01\4&23C0B1C&0&00F0
Service:

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&2D2D400&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&2D2D400&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-07-05 13:47:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 17:37:04 0 d-------- C:\Program Files\Trend Micro
2008-07-05 17:32:19 0 d-------- C:\WINDOWS\privacy_danger
2008-07-05 16:32:35 0 d-------- C:\Program Files\CableRouting
2008-07-05 15:41:02 88576 --a------ C:\WINDOWS\system32\tgvprnsi.dll
2008-07-05 15:37:39 3951 --ahs---- C:\WINDOWS\system32\YGQsrBeg.ini2
2008-07-05 15:37:31 318720 --a------ C:\WINDOWS\system32\geBrsQGY.dll
2008-07-05 15:32:28 43008 --a------ C:\WINDOWS\system32\clbdll.dll
2008-07-05 15:32:24 28288 --a------ C:\WINDOWS\system32\pmnOHWnl.dll
2008-07-05 15:31:42 86016 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-05 15:31:42 307200 --a------ C:\WINDOWS\kgqfweltnfv.dll
2008-07-05 15:31:42 94208 --a------ C:\WINDOWS\efbd.exe
2008-07-05 15:31:42 180224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-05 15:31:33 0 d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-28 12:59:04 0 d-------- C:\Documents and Settings\Walter\Application Data\HouseCall 6.6
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\Scripts
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\DefaultScripts


-- Find3M Report ---------------------------------------------------------------

2008-06-10 22:20:25 0 d-------- C:\Program Files\World of Warcraft
2008-06-09 17:43:55 0 d-------- C:\Program Files\Ventrilo
2008-06-03 21:37:45 0 d-------- C:\Program Files\Xvid
2008-05-24 08:38:39 0 d-------- C:\Documents and Settings\Walter\Application Data\Adobe
2008-05-24 08:36:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-24 08:36:16 0 d-------- C:\Program Files\Common Files
2008-05-05 23:24:55 0 d-------- C:\Documents and Settings\Walter\Application Data\LimeWire
2008-05-05 23:00:01 0 d-------- C:\Program Files\CA


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
03/27/2008 06:02 AM 247296 --a------ C:\Program Files\CableRouting\CableRouting.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8260C2B8-E0D1-448a-B062-33D12D468BF0}]
08/10/2007 02:38 PM 551208 --a------ C:\Program Files\alot\bin\alot.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3F4FB17-3189-442B-DE2F-4AE678F203C7}]
C:\WINDOWS\system32\ynqorjpk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C297D}]
C:\WINDOWS\system32\d4ghggf4g.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C396242E-B6B6-4B05-A755-72938F31ACB0}]
07/05/2008 01:00 PM 307200 --a------ C:\WINDOWS\kgqfweltnfv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C43E05B4-F123-4CBF-BBFA-C9493EB82A9B}]
07/05/2008 03:37 PM 318720 --a------ C:\WINDOWS\system32\geBrsQGY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 05:00 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/10/2004 05:00 AM C:\WINDOWS\system32\bthprops.cpl]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [03/06/2007 10:21 AM]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [02/13/2008 01:03 PM]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [02/26/2008 05:10 PM]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [02/26/2008 05:11 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"4493b191"="C:\WINDOWS\system32\tgvprnsi.dll" [07/05/2008 03:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/13/2008 04:06 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"WinSpywareProtect"="C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" [07/05/2008 03:31 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"f94mggfhfghodftdf"=C:\WINDOWS\TEMP\winlogan.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [3/5/2008 4:39:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AF0562-94F3-42BD-F434-2604812C297D}"= C:\WINDOWS\system32\d4ghggf4g.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\cbxuspm.dll [ ]
"{1FE4BFC2-60DB-461C-B734-1D40F120299A}"= C:\WINDOWS\system32\pmnOHWnl.dll [07/05/2008 03:32 PM 28288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"= {6f1db34f-d427-4ae3-a448-f8a4b308764e} - e404d.dll [ ]
"okmdepgb"= {493CCECD-51D8-4896-B856-46332DE9E1F2} - C:\WINDOWS\okmdepgb.dll [ ]
"axrfgvek"= {CB8C35FA-2EA6-4505-8052-523AF7529418} - C:\WINDOWS\axrfgvek.dll [07/05/2008 01:00 PM 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuspm]
cbxuspm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnOHWnl]
pmnOHWnl.dll 07/05/2008 03:32 PM 28288 C:\WINDOWS\system32\pmnOHWnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 12/21/2001 12:34 AM 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBrsQGY

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dant]
"C:\DOCUME~1\Walter\MYDOCU~1\SSTEM~1\dexplore.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf]
C:\WINDOWS\TEMP\winlogan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fgtpsxjm]
"C:\Program Files\Common Files\??pPatch\s?ool32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack10]
"C:\Program Files\QdrPack\QdrPack10.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Rescue System]
C:\DOCUME~1\Walter\LOCALS~1\Temp\winsto.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-07-05 17:46:58 ------------




Deckard's System Scanner v20071014.68
Extra logfile
- please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1022.73 MiB / 604.59 MiB
Pagefile Memory (total/avail): 2459.6 MiB / 2048.23 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.78 MiB

C: is Fixed (NTFS) - 233.75 GiB total, 211.93 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 7L250S0 - 233.76 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 233.75 GiB - C:

\\.\PHYSICALDRIVE2 - Sony CF Reader USB Device

\\.\PHYSICALDRIVE1 - Sony MS Reader USB Device

\\.\PHYSICALDRIVE4 - Sony SD/MMC Reader USB Device

\\.\PHYSICALDRIVE3 - Sony SM/xD Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Verizon Internet Security Suite Firewall v6.0.3 (Verizon)
AV: Verizon Internet Security Suite Anti-Virus v6.0.3 (Verizon)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Walter\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WALTER-3B135DED
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Walter
LOGONSERVER=\\WALTER-3B135DED
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\CA\PPRT\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Walter\LOCALS~1\Temp
TMP=C:\DOCUME~1\Walter\LOCALS~1\Temp
USERDOMAIN=WALTER-3B135DED
USERNAME=Walter
USERPROFILE=C:\Documents and Settings\Walter
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Walter (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Agere Systems PCI Soft Modem --> agrsmdel
ALOT eMusic Toolbar --> "C:\Program Files\alot\alotUninst.exe"
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
Authentium AntiVirus SDK - 2 --> MsiExec.exe /I{C67DF120-4DD3-11D4-A3CA-005004AD2A5B}
BitComet 0.99 --> C:\Program Files\BitComet\uninst.exe
CableRouting --> "C:\Program Files\CableRouting\Uninstall.exe"
eFax Messenger 4.3 --> C:\Program Files\eFax Messenger 4.3\Uninstall.exe
eMusic Download Manager 3.0 --> C:\Program Files\eMusic Download Manager\uninst.exe
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
High Definition Audio Driver Package - KB835221 -->
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\Walter\Application Data\HouseCall 6.6\uninstaller.exe"
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.15) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
PerfectDisk --> MsiExec.exe /I{212F5777-1190-4DEF-8E4D-6B2F313B45E7}
PPSDKRedistributables --> MsiExec.exe /I{C144C566-21EF-4F8C-9667-40CF19E6AED0}
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
RPS Ad Blocker --> MsiExec.exe /I{9AC29B2A-1E86-4CE8-BD05-E3429F244659}
RPS AntiFraud --> MsiExec.exe /I{6F857F57-0868-4333-801F-C6FD1C45D198}
RPS AntiSpyware --> MsiExec.exe /I{B8BD4864-420E-4E95-BBE4-DECE91A0F973}
RPS AntiVirus --> MsiExec.exe /I{769A4515-083E-4FDF-8060-1B6FA2A59D79}
RPS App Detector --> MsiExec.exe /I{CD45C967-BF03-406A-820E-8463B84D0FCD}
RPS AsRealtime --> MsiExec.exe /I{CE7496DD-84ED-4ACF-8713-7C78945C8D7F}
RPS Backup --> MsiExec.exe /I{64010327-8AE7-4D4B-A875-8A874862CD4C}
RPS Burn --> MsiExec.exe /I{92F669C7-4D0E-42A8-B7A0-768FFA19972B}
RPS Diagnostic Utility --> MsiExec.exe /I{0EAAC619-A730-4CBB-95D2-70C3ECAD1561}
RPS Firewall --> MsiExec.exe /I{386593CE-E6AF-48DE-B88A-083CB4781652}
RPS ParentalControl --> MsiExec.exe /I{0E0FF2EF-7866-45BE-99F0-475E0DE7733E}
RPS Performance Tool --> MsiExec.exe /I{8A61A0EC-D2F9-40C1-A290-73A80C2AFD68}
RPS PopupBlocker --> MsiExec.exe /I{DF204DA0-8C19-4EB2-AE78-683D2DE35B7B}
RPS Privacy Manager --> MsiExec.exe /I{3E11A4AA-09DC-414E-BE4C-1F615A235B9B}
RPS RpsCore --> MsiExec.exe /I{53BE7E78-A2E6-4986-89F3-F5C693570BD7}
RPS Security Cleanup --> MsiExec.exe /I{44629EAF-A233-4AAE-BBCC-26157DC9A40B}
RPS Zip --> MsiExec.exe /I{A1C82B18-A7B2-48EC-853D-5807C635531E}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Verizon Internet Security Suite --> C:\Program Files\InstallShield Installation Information\{13F8BD99-B753-4007-A060-7EAE3891756F}\setup.exe -runfromtemp -l0x0009 -removeonly
Verizon Servicepoint 1.5.20 --> "C:\Program Files\Verizon\VSP\unins000.exe"
WebVideo Support --> C:\WINDOWS\mrvtdpqe.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
World of Warcraft Desktop --> C:\PROGRA~1\Stardock\OBJECT~1\THEMEM~1\thememgr.exe /uninstallwise
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2170 / Error
Event Submitted/Written: 07/05/2008 05:44:13 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module tgvprnsi.dll, version 0.0.0.0, fault address 0x0000fe20.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type2169 / Error
Event Submitted/Written: 07/05/2008 05:43:55 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module tgvprnsi.dll, version 0.0.0.0, fault address 0x0000fe20.
Processing media-specific event for [hijackthis.exe!ws!]

Event Record #/Type2168 / Error
Event Submitted/Written: 07/05/2008 05:42:51 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type2167 / Error
Event Submitted/Written: 07/05/2008 05:38:32 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type2164 / Error
Event Submitted/Written: 07/05/2008 05:26:23 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.62306, faulting module cacheck.dll, version 1.1.0.32, fault address 0x0000fe20.
Processing media-specific event for [firefox.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8512 / Error
Event Submitted/Written: 07/05/2008 03:41:20 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.363_x-ww_3a00bc02\MFC80.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type8511 / Error
Event Submitted/Written: 07/05/2008 03:41:20 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type8510 / Error
Event Submitted/Written: 07/05/2008 03:41:20 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type8504 / Error
Event Submitted/Written: 07/05/2008 03:32:09 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.363_x-ww_3a00bc02\MFC80.DLL.
Reference error message: The operation completed successfully.
.

Event Record #/Type8503 / Error
Event Submitted/Written: 07/05/2008 03:32:09 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC.
Reference error message: The referenced assembly is not installed on your system.
.



-- End of Deckard's System Scanner: finished at 2008-07-05 17:46:58 ------------


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, July 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 05, 2008 19:24:44
Records in database: 916362
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics
Files scanned 29448
Threat name 3
Infected objects 3
Suspicious objects 0
Duration of the scan 00:35:07

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe Infected: Trojan-Downloader.Win32.FraudLoad.gen 1
C:\Program Files\Common Files\ΑрpPatch\sрool32.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gq 1
C:\WINDOWS\system32\clbdll.dll Infected: Rootkit.Win32.Clbd.dc 1
The selected area was scanned.


Explanation
My desktop turns red with one of those signs used for toxic matterial or waste and the whole desktop becomes clickable. Underneath the toxic sign it says something lick a vulnerability has been spotted and I should download the free Anti-Virus. Also, I am not allowed access to my windows firewall ("Due to an unidentified problem, Windows cannot display Windows Firewall settings"). I also get a pop-up about every half hour or so telling me to download an Anti-virus. Obviously, I didn't download any of those "Anti-Viruses" haha

Thanks so much for your time and help!

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:46 PM

Posted 06 July 2008 - 06:57 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\privacy_danger
    C:\Program Files\CableRouting
    C:\WINDOWS\system32\tgvprnsi.dll
    C:\WINDOWS\system32\YGQsrBeg.ini2
    C:\WINDOWS\system32\geBrsQGY.dll
    C:\WINDOWS\system32\clbdll.dll
    C:\WINDOWS\system32\pmnOHWnl.dll
    C:\WINDOWS\mrvtdpqe.exe
    C:\WINDOWS\kgqfweltnfv.dll
    C:\WINDOWS\efbd.exe
    C:\WINDOWS\axrfgvek.dll
    C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also post a new log from DSS.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Patojo007

Patojo007
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 07 July 2008 - 03:20 AM

Thanks for your help Sam!

Well, when I went to c:\_OTMoveIt\MovedFiles all that appeared was a folder with the date format as the title. There weren't any files that could be opened through Notepad, so here's a diagram of what was inside of that folder:

07072008_010002 (folder)
/ \
Program Files (folder) WINDOWS (folder)
/ / \
CableRouting(Folder) privacy_danger(folder) system32(folder)
l l \ l l l
CableRouting.dll uninstall.dat Uninstall.exe images(folder) index.htm geBrsQGY.dll
l
4 images of the "free anti-virus" that appear


And here's the DSS scan:



Deckard's System Scanner v20071014.68
Run by Walter on 2008-07-07 01:16:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Walter.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:51 AM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Walter\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Walter.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CableRouting module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\CableRouting\CableRouting.dll (file missing)
O2 - BHO: (no name) - {1FE4BFC2-60DB-461C-B734-1D40F120299A} - C:\WINDOWS\system32\pmnOHWnl.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B3F4FB17-3189-442B-DE2F-4AE678F203C7} - C:\WINDOWS\system32\ynqorjpk.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\d4ghggf4g.dll - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINDOWS\system32\d4ghggf4g.dll (file missing)
O2 - BHO: QXK Olive - {C396242E-B6B6-4B05-A755-72938F31ACB0} - C:\WINDOWS\kgqfweltnfv.dll
O2 - BHO: (no name) - {C5ACADA1-3CB7-405A-AA1A-B7662362493A} - C:\WINDOWS\system32\geBrsQGY.dll (file missing)
O2 - BHO: (no name) - {EE8D31A2-A856-416E-9BFF-24A8771CC3BF} - C:\Program Files\Windows Media Player\Icons\hddatpi.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4493b191] rundll32.exe "C:\WINDOWS\system32\dbcmunpq.dll",b
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [f94mggfhfghodftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [f94mggfhfghodftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - Winlogon Notify: cbxuspm - cbxuspm.dll (file missing)
O20 - Winlogon Notify: hddatpi - C:\Program Files\Windows Media Player\Icons\hddatpi.dll
O20 - Winlogon Notify: pmnOHWnl - C:\WINDOWS\SYSTEM32\pmnOHWnl.dll
O21 - SSODL: E404Helper - {6f1db34f-d427-4ae3-a448-f8a4b308764e} - e404d.dll (file missing)
O21 - SSODL: axrfgvek - {37A20597-E47A-4733-B619-A548F0585296} - C:\WINDOWS\axrfgvek.dll
O22 - SharedTaskScheduler: JGhjddf9dtj - {B5AF0562-94F3-42BD-F434-2604812C297D} - C:\WINDOWS\system32\d4ghggf4g.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9742 bytes

-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-07-07 01:05:21 238154 --ahs---- C:\WINDOWS\system32\YGQsrBeg.ini2
2008-07-06 21:45:51 89088 --a------ C:\WINDOWS\system32\dbcmunpq.dll
2008-07-06 21:42:51 294912 --a------ C:\WINDOWS\system32\nugkujdk.exe
2008-07-05 21:43:43 88576 --a------ C:\WINDOWS\system32\flbdwigh.dll
2008-07-05 17:37:04 0 d-------- C:\Program Files\Trend Micro
2008-07-05 15:32:28 43008 --a------ C:\WINDOWS\system32\clbdll.dll
2008-07-05 15:32:24 28288 --a------ C:\WINDOWS\system32\pmnOHWnl.dll
2008-07-05 15:31:42 86016 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-07-05 15:31:42 307200 --a------ C:\WINDOWS\kgqfweltnfv.dll
2008-07-05 15:31:42 94208 --a------ C:\WINDOWS\efbd.exe
2008-07-05 15:31:42 180224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-05 15:31:33 0 d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-28 12:59:04 0 d-------- C:\Documents and Settings\Walter\Application Data\HouseCall 6.6
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\Scripts
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\DefaultScripts


-- Find3M Report ---------------------------------------------------------------

2008-06-10 22:20:25 0 d-------- C:\Program Files\World of Warcraft
2008-06-09 17:43:55 0 d-------- C:\Program Files\Ventrilo
2008-06-03 21:37:45 0 d-------- C:\Program Files\Xvid
2008-05-24 08:38:39 0 d-------- C:\Documents and Settings\Walter\Application Data\Adobe
2008-05-24 08:36:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-24 08:36:16 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
C:\Program Files\CableRouting\CableRouting.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FE4BFC2-60DB-461C-B734-1D40F120299A}]
07/05/2008 03:32 PM 28288 --a------ C:\WINDOWS\system32\pmnOHWnl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8260C2B8-E0D1-448a-B062-33D12D468BF0}]
08/10/2007 02:38 PM 551208 --a------ C:\Program Files\alot\bin\alot.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3F4FB17-3189-442B-DE2F-4AE678F203C7}]
C:\WINDOWS\system32\ynqorjpk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C297D}]
C:\WINDOWS\system32\d4ghggf4g.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C396242E-B6B6-4B05-A755-72938F31ACB0}]
07/05/2008 01:00 PM 307200 --a------ C:\WINDOWS\kgqfweltnfv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5ACADA1-3CB7-405A-AA1A-B7662362493A}]
C:\WINDOWS\system32\geBrsQGY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE8D31A2-A856-416E-9BFF-24A8771CC3BF}]
07/06/2008 09:43 PM 294912 --a------ C:\Program Files\Windows Media Player\Icons\hddatpi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 05:00 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/10/2004 05:00 AM C:\WINDOWS\system32\bthprops.cpl]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [03/06/2007 10:21 AM]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [02/13/2008 01:03 PM]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [02/26/2008 05:10 PM]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [02/26/2008 05:11 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"4493b191"="C:\WINDOWS\system32\dbcmunpq.dll" [07/06/2008 09:45 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/13/2008 04:06 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"WinSpywareProtect"="C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" [07/05/2008 03:31 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"f94mggfhfghodftdf"=C:\WINDOWS\TEMP\winlogan.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [3/5/2008 4:39:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AF0562-94F3-42BD-F434-2604812C297D}"= C:\WINDOWS\system32\d4ghggf4g.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\cbxuspm.dll [ ]
"{1FE4BFC2-60DB-461C-B734-1D40F120299A}"= C:\WINDOWS\system32\pmnOHWnl.dll [07/05/2008 03:32 PM 28288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"= {6f1db34f-d427-4ae3-a448-f8a4b308764e} - e404d.dll [ ]
"axrfgvek"= {37A20597-E47A-4733-B619-A548F0585296} - C:\WINDOWS\axrfgvek.dll [07/05/2008 01:00 PM 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuspm]
cbxuspm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hddatpi]
C:\Program Files\Windows Media Player\Icons\hddatpi.dll 07/06/2008 09:43 PM 294912 C:\Program Files\Windows Media Player\Icons\hddatpi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnOHWnl]
pmnOHWnl.dll 07/05/2008 03:32 PM 28288 C:\WINDOWS\system32\pmnOHWnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 12/21/2001 12:34 AM 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBrsQGY

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dant]
"C:\DOCUME~1\Walter\MYDOCU~1\SSTEM~1\dexplore.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf]
C:\WINDOWS\TEMP\winlogan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fgtpsxjm]
"C:\Program Files\Common Files\??pPatch\s?ool32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack10]
"C:\Program Files\QdrPack\QdrPack10.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Rescue System]
C:\DOCUME~1\Walter\LOCALS~1\Temp\winsto.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-07-07 01:18:10 ------------

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:46 PM

Posted 07 July 2008 - 08:12 AM

That's unusual. Let's try something else.

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Patojo007

Patojo007
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 07 July 2008 - 02:56 PM

Okay here's the scan. Thank you for your patience =D


ComboFix 08-07-05.1 - Walter 2008-07-07 12:41:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.644 [GMT -7:00]
Running from: C:\Documents and Settings\Walter\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\Walter\My Documents\SSTEM~1
C:\Documents and Settings\Walter\My Documents\SSTEM~1\s?stem\
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\efbd.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\system32\awturQiF.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\Tmpt59.sys
C:\WINDOWS\system32\FiQrutwa.ini
C:\WINDOWS\system32\FiQrutwa.ini2
C:\WINDOWS\system32\hgiwdblf.ini
C:\WINDOWS\system32\isnrpvgt.ini
C:\WINDOWS\system32\qpnumcbd.ini
C:\WINDOWS\system32\RunOnce.tmp
C:\WINDOWS\system32\tpcivvkg.ini
C:\WINDOWS\system32\update252.exe
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\system32\YGQsrBeg.ini
C:\WINDOWS\system32\YGQsrBeg.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TMPT59
-------\Service_NdisWon
-------\Service_Tmpt59


((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-07 02:05 . 2008-07-07 02:05 196,608 --a------ C:\WINDOWS\SysNotifier.exe
2008-07-07 01:54 . 2008-07-07 01:54 88,576 --a------ C:\WINDOWS\system32\gkvvicpt.dll
2008-07-07 01:00 . 2008-07-07 01:00 <DIR> d-------- C:\_OTMoveIt
2008-07-06 21:42 . 2008-07-06 21:42 294,912 --a------ C:\WINDOWS\system32\nugkujdk.exe
2008-07-05 17:37 . 2008-07-05 17:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-05 17:35 . 2008-07-05 17:35 <DIR> d-------- C:\Deckard
2008-07-05 15:32 . 2008-07-05 15:32 28,288 --a------ C:\WINDOWS\system32\pmnOHWnl.dll
2008-07-05 15:32 . 2004-08-10 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-05 15:31 . 2008-07-05 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-07-05 15:31 . 2008-07-05 13:00 307,200 --a------ C:\WINDOWS\kgqfweltnfv.dll
2008-07-05 15:31 . 2008-07-05 13:00 180,224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-05 15:31 . 2008-07-05 13:00 86,016 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-06-28 13:00 . 2007-08-01 23:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-28 12:59 . 2008-06-28 15:54 <DIR> d-------- C:\Documents and Settings\Walter\Application Data\HouseCall 6.6
2008-06-25 14:46 . 2008-06-25 14:46 <DIR> d-------- C:\Documents and Settings\Walter\Scripts
2008-06-25 14:46 . 2008-06-25 14:46 <DIR> d-------- C:\Documents and Settings\Walter\DefaultScripts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:20 --------- d-----w C:\Program Files\World of Warcraft
2008-06-10 00:43 --------- d-----w C:\Program Files\Ventrilo
2008-06-04 04:37 --------- d-----w C:\Program Files\Xvid
2008-05-24 15:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FE4BFC2-60DB-461C-B734-1D40F120299A}]
2008-07-05 15:32 28288 --a------ C:\WINDOWS\system32\pmnOHWnl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8260C2B8-E0D1-448a-B062-33D12D468BF0}]
2007-08-10 14:38 551208 --a------ C:\Program Files\alot\bin\alot.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C396242E-B6B6-4B05-A755-72938F31ACB0}]
2008-07-05 13:00 307200 --a------ C:\WINDOWS\kgqfweltnfv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE8D31A2-A856-416E-9BFF-24A8771CC3BF}]
2008-07-06 21:43 294912 --a------ C:\Program Files\Windows Media Player\Icons\hddatpi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8260C2B8-E0D1-448a-B062-33D12D468BF0}"= "C:\Program Files\alot\bin\alot.dll" [2007-08-10 14:38 551208]

[HKEY_CLASSES_ROOT\clsid\{8260c2b8-e0d1-448a-b062-33d12d468bf0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 16:06 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"WinSpywareProtect"="C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" [2008-07-05 15:31 1240576]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 17:10 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21 116224]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 13:03 2065648]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 17:10 318704]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 17:11 13552]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"4493b191"="C:\WINDOWS\system32\gkvvicpt.dll" [2008-07-07 01:54 88576]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 17:10 61168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2008-03-05 16:39:00 629248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1FE4BFC2-60DB-461C-B734-1D40F120299A}"= "C:\WINDOWS\system32\pmnOHWnl.dll" [2008-07-05 15:32 28288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"axrfgvek"= {37A20597-E47A-4733-B619-A548F0585296} - C:\WINDOWS\axrfgvek.dll [2008-07-05 13:00 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hddatpi]
2008-07-06 21:43 294912 C:\Program Files\Windows Media Player\Icons\hddatpi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnOHWnl]
2008-07-05 15:32 28288 C:\WINDOWS\system32\pmnOHWnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fgtpsxjm]
C:\Program Files\Common Files\??pPatch\s?ool32.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-07-17 22:10 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 05:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-10-08 11:50 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-10-13 18:00 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-11-29 16:00 2748928 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-08-12 18:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-11-02 16:53 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

S3 Radialpoint Security Services;Verizon Internet Security Suite;C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe [2008-02-26 17:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-05 20:47:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{B3F4FB17-3189-442B-DE2F-4AE678F203C7} - C:\WINDOWS\system32\ynqorjpk.dll
BHO-{C5ACADA1-3CB7-405A-AA1A-B7662362493A} - C:\WINDOWS\system32\geBrsQGY.dll
SSODL-E404Helper-{6f1db34f-d427-4ae3-a448-f8a4b308764e} - e404d.dll
Notify-cbxuspm - cbxuspm.dll
MSConfigStartUp-Dant - C:\DOCUME~1\Walter\MYDOCU~1\SSTEM~1\dexplore.exe
MSConfigStartUp-f94mggfhfghodftdf - C:\WINDOWS\TEMP\winlogan.exe
MSConfigStartUp-QdrPack10 - C:\Program Files\QdrPack\QdrPack10.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-Windows Rescue System - C:\DOCUME~1\Walter\LOCALS~1\Temp\winsto.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 12:47:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\Program Files\Windows Media Player\Icons\hddatpi.dll
-> C:\WINDOWS\system32\pmnOHWnl.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\gkvvicpt.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2008-07-07 12:50:54 - machine was rebooted [Walter]
ComboFix-quarantined-files.txt 2008-07-07 19:50:32

Pre-Run: 227,386,728,448 bytes free
Post-Run: 227,610,152,960 bytes free

207 --- E O F --- 2008-06-20 10:05:15

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:46 PM

Posted 07 July 2008 - 03:05 PM

That cleaned up some, but not all of it.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new DSS log

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Patojo007

Patojo007
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 07 July 2008 - 05:57 PM

SDFix: Version 1.203
Run by Walter on Mon 07/07/2008 at 03:38 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Missing SharedAccess Service

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\pmnOHWnl.dll - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\WINDOWS\kgqfweltnfv.dll - Deleted
C:\WINDOWS\system32\RunOnce.t__ - Deleted
C:\WINDOWS\axrfgvek.dll - Deleted
C:\WINDOWS\mrvtdpqe.exe - Deleted



Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 15:48:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000d3aa5cdfc]
"000d3aa5025b"=hex:19,91,75,25,b0,54,9e,fc,2f,89,13,77,81,d1,29,31
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000d3aa5cdfc]
"000d3aa5025b"=hex:19,91,75,25,b0,54,9e,fc,2f,89,13,77,81,d1,29,31

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000006c
"TracesSuccessful"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 15 Dec 2007 26,624 ...H. --- "C:\Documents and Settings\Walter\My Documents\~WRL0047.tmp"

Finished!



Deckard's System Scanner v20071014.68
Run by Walter on 2008-07-07 15:53:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Walter.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:48 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Walter\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Walter.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: (no name) - {8A97D85F-5E6A-4222-8E17-1F2B28848517} - C:\WINDOWS\system32\iifecaBt.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {EE8D31A2-A856-416E-9BFF-24A8771CC3BF} - C:\Program Files\Windows Media Player\Icons\hddatpi.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4493b191] rundll32.exe "C:\WINDOWS\system32\teguqmni.dll",b
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinSpywareProtect] "C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" /autorun
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - Winlogon Notify: hddatpi - C:\Program Files\Windows Media Player\Icons\hddatpi.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

--
End of file - 8366 bytes

-- Files created between 2008-06-07 and 2008-07-07 -----------------------------

2008-07-07 15:32:10 0 d-------- C:\WINDOWS\ERUNT
2008-07-07 15:16:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-07 15:16:35 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-07 15:16:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-07 15:16:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-07 15:16:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-07 15:16:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-07 15:16:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-07 15:16:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-07 15:16:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-07 15:16:34 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-07 13:52:44 89088 --a------ C:\WINDOWS\system32\teguqmni.dll
2008-07-07 13:51:31 3049 --ahs---- C:\WINDOWS\system32\tBacefii.ini2
2008-07-07 13:51:25 318720 --a------ C:\WINDOWS\system32\iifecaBt.dll
2008-07-07 12:39:42 68096 --a------ C:\WINDOWS\zip.exe
2008-07-07 12:39:42 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-07 12:39:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-07 12:39:42 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-07 12:39:42 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-07 12:39:42 98816 --a------ C:\WINDOWS\sed.exe
2008-07-07 12:39:42 80412 --a------ C:\WINDOWS\grep.exe
2008-07-07 12:39:42 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-07 02:05:17 196608 --a------ C:\WINDOWS\SysNotifier.exe
2008-07-06 21:42:51 294912 --a------ C:\WINDOWS\system32\nugkujdk.exe
2008-07-05 17:37:04 0 d-------- C:\Program Files\Trend Micro
2008-07-05 15:31:33 0 d-------- C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
2008-06-28 12:59:04 0 d-------- C:\Documents and Settings\Walter\Application Data\HouseCall 6.6
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\Scripts
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\DefaultScripts


-- Find3M Report ---------------------------------------------------------------

2008-07-07 12:44:12 0 d-------- C:\Program Files\Common Files
2008-06-10 22:20:25 0 d-------- C:\Program Files\World of Warcraft
2008-06-09 17:43:55 0 d-------- C:\Program Files\Ventrilo
2008-06-03 21:37:45 0 d-------- C:\Program Files\Xvid
2008-05-24 08:38:39 0 d-------- C:\Documents and Settings\Walter\Application Data\Adobe
2008-05-24 08:36:33 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8260C2B8-E0D1-448a-B062-33D12D468BF0}]
08/10/2007 02:38 PM 551208 --a------ C:\Program Files\alot\bin\alot.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A97D85F-5E6A-4222-8E17-1F2B28848517}]
07/07/2008 01:51 PM 318720 --a------ C:\WINDOWS\system32\iifecaBt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE8D31A2-A856-416E-9BFF-24A8771CC3BF}]
07/06/2008 09:43 PM 294912 --a------ C:\Program Files\Windows Media Player\Icons\hddatpi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 05:00 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/10/2004 05:00 AM C:\WINDOWS\system32\bthprops.cpl]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [03/06/2007 10:21 AM]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [02/13/2008 01:03 PM]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [02/26/2008 05:10 PM]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [02/26/2008 05:11 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"4493b191"="C:\WINDOWS\system32\teguqmni.dll" [07/07/2008 01:52 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/13/2008 04:06 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"WinSpywareProtect"="C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe" [07/05/2008 03:31 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [3/5/2008 4:39:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hddatpi]
C:\Program Files\Windows Media Player\Icons\hddatpi.dll 07/06/2008 09:43 PM 294912 C:\Program Files\Windows Media Player\Icons\hddatpi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 12/21/2001 12:34 AM 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifecaBt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fgtpsxjm]
"C:\Program Files\Common Files\??pPatch\s?ool32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-07-07 15:55:42 ------------

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:46 PM

Posted 08 July 2008 - 07:35 AM

Click Start -> Control Panel -> Add Remove Programs and uninstall these programs:

ALOT eMusic Toolbar
WebVideo Support



================


You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

===============


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd

File::
C:\WINDOWS\system32\teguqmni.dll
C:\WINDOWS\system32\tBacefii.ini2
C:\WINDOWS\system32\iifecaBt.dll
C:\WINDOWS\system32\nugkujdk.exe
C:\Program Files\Windows Media Player\Icons\hddatpi.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8260C2B8-E0D1-448a-B062-33D12D468BF0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A97D85F-5E6A-4222-8E17-1F2B28848517}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE8D31A2-A856-416E-9BFF-24A8771CC3BF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4493b191"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSpywareProtect"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hddatpi] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fgtpsxjm]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Patojo007

Patojo007
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 09 July 2008 - 12:05 AM

ComboFix 08-07-05.1 - Walter 2008-07-08 21:53:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.661 [GMT -7:00]
Running from: C:\Documents and Settings\Walter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Walter\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Windows Media Player\Icons\hddatpi.dll
C:\WINDOWS\system32\iifecaBt.dll
C:\WINDOWS\system32\nugkujdk.exe
C:\WINDOWS\system32\tBacefii.ini2
C:\WINDOWS\system32\teguqmni.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080705163227734.log
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080706203112734.log
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080707014852640.log
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080707124809656.log
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080707152443265.log
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080707155046078.log
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080708213744671.log
C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe
C:\Program Files\Windows Media Player\Icons\hddatpi.dll
C:\WINDOWS\system32\ffgjfsve.ini
C:\WINDOWS\system32\iifecaBt.dll
C:\WINDOWS\system32\inmquget.ini
C:\WINDOWS\system32\nugkujdk.exe
C:\WINDOWS\system32\nwigrnyk.ini
C:\WINDOWS\system32\tBacefii.ini
C:\WINDOWS\system32\tBacefii.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-08 21:40 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-08 21:39 . 2008-07-08 21:40 <DIR> d-------- C:\Program Files\Java
2008-07-08 21:38 . 2008-07-08 21:38 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-08 19:48 . 2008-07-08 19:48 88,576 --a------ C:\WINDOWS\system32\evsfjgff.dll
2008-07-07 15:32 . 2008-07-07 15:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-07 15:16 . 2008-07-07 15:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-07 15:13 . 2008-07-07 15:50 <DIR> d-------- C:\SDFix
2008-07-07 12:48 . 2008-07-07 12:50 354 --ahs---- C:\WINDOWS\system32\tpcivvkg.ini
2008-07-07 02:05 . 2008-07-08 21:53 196,608 --a------ C:\WINDOWS\SysNotifier.exe
2008-07-07 01:00 . 2008-07-07 01:00 <DIR> d-------- C:\_OTMoveIt
2008-07-05 17:37 . 2008-07-05 17:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-05 17:35 . 2008-07-05 17:35 <DIR> d-------- C:\Deckard
2008-07-05 15:32 . 2004-08-10 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-28 13:00 . 2007-08-01 23:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-28 12:59 . 2008-06-28 15:54 <DIR> d-------- C:\Documents and Settings\Walter\Application Data\HouseCall 6.6
2008-06-25 14:46 . 2008-06-25 14:46 <DIR> d-------- C:\Documents and Settings\Walter\Scripts
2008-06-25 14:46 . 2008-06-25 14:46 <DIR> d-------- C:\Documents and Settings\Walter\DefaultScripts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:20 --------- d-----w C:\Program Files\World of Warcraft
2008-06-10 00:43 --------- d-----w C:\Program Files\Ventrilo
2008-06-04 04:37 --------- d-----w C:\Program Files\Xvid
2008-05-24 15:36 --------- d-----w C:\Program Files\Common Files\Adobe
.

((((((((((((((((((((((((((((( snapshot@2008-07-07_12.49.45.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-07 19:46:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-09 04:59:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-08 03:44:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-07 22:32:29 2,289,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-07 22:32:29 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-08 03:44:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-07 22:32:19 2,289,664 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-07 22:32:20 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-07-12 09:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 08:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 09:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 08:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 10:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 09:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-07-07 08:52:43 60,886 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-09 04:41:41 60,886 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-07 08:52:43 401,234 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-09 04:41:41 401,234 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 16:06 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 17:10 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21 116224]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 13:03 2065648]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 17:10 318704]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 17:11 13552]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 17:10 61168]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2008-03-05 16:39:00 629248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-07-17 22:10 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 05:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-10-08 11:50 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-11-29 16:00 2748928 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-08-12 18:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-11-02 16:53 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

S3 Radialpoint Security Services;Verizon Internet Security Suite;C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe [2008-02-26 17:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-05 20:47:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 21:59:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
.
**************************************************************************
.
Completion time: 2008-07-08 22:02:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-09 05:01:57
ComboFix2.txt 2008-07-07 19:51:00

Pre-Run: 227,420,553,216 bytes free
Post-Run: 227,405,475,840 bytes free

177 --- E O F --- 2008-06-20 10:05:15

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:46 PM

Posted 09 July 2008 - 09:51 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\evsfjgff.dll
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


================


Please visit the online Jotti Virus Scanner
  • Click on Posted Image button.
  • Copy and paste the following filepath in the box:


    C:\WINDOWS\SysNotifier.exe


  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Patojo007

Patojo007
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 11 July 2008 - 11:31 PM

ComboFix 08-07-05.1 - Walter 2008-07-11 21:23:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.737 [GMT -7:00]
Running from: C:\Documents and Settings\Walter\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Walter\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\evsfjgff.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\evsfjgff.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-10 01:28 . 2008-07-10 01:28 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-07-08 21:40 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-08 21:39 . 2008-07-08 21:40 <DIR> d-------- C:\Program Files\Java
2008-07-08 21:38 . 2008-07-08 21:38 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-07 15:32 . 2008-07-07 15:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-07 15:16 . 2008-07-07 15:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-07 15:13 . 2008-07-07 15:50 <DIR> d-------- C:\SDFix
2008-07-07 12:48 . 2008-07-07 12:50 354 --ahs---- C:\WINDOWS\system32\tpcivvkg.ini
2008-07-07 02:05 . 2008-07-08 21:53 196,608 --a------ C:\WINDOWS\SysNotifier.exe
2008-07-07 01:00 . 2008-07-07 01:00 <DIR> d-------- C:\_OTMoveIt
2008-07-05 17:37 . 2008-07-05 17:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-05 17:35 . 2008-07-05 17:35 <DIR> d-------- C:\Deckard
2008-07-05 15:32 . 2004-08-10 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-28 13:00 . 2007-08-01 23:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-28 12:59 . 2008-06-28 15:54 <DIR> d-------- C:\Documents and Settings\Walter\Application Data\HouseCall 6.6
2008-06-25 14:46 . 2008-06-25 14:46 <DIR> d-------- C:\Documents and Settings\Walter\Scripts
2008-06-25 14:46 . 2008-06-25 14:46 <DIR> d-------- C:\Documents and Settings\Walter\DefaultScripts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:20 --------- d-----w C:\Program Files\World of Warcraft
2008-06-10 00:43 --------- d-----w C:\Program Files\Ventrilo
2008-06-04 04:37 --------- d-----w C:\Program Files\Xvid
2008-05-24 15:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-07_12.49.45.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-07 19:46:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-09 19:22:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-08 03:44:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-07 22:32:29 2,289,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-07 22:32:29 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-08 03:44:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-07 22:32:19 2,289,664 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-07 22:32:20 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-03-23 01:07:56 91,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ADDRPARS.DLL
+ 2007-04-19 19:53:52 127,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\IMPMAIL.DLL
+ 2007-04-19 19:53:44 106,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OUTLMIME.DLL
+ 2007-03-23 01:07:10 41,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RECALL.DLL
+ 2007-03-23 01:07:54 78,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\RM.DLL
+ 2007-03-23 01:22:02 103,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\TRANSMGR.DLL
- 2008-06-14 10:02:48 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-07-09 10:43:36 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-06-14 10:02:49 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-07-09 10:43:36 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-06-14 10:02:49 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-07-09 10:43:36 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-06-14 10:02:48 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-09 10:43:35 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-06-14 10:02:49 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-09 10:43:36 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-06-14 10:02:49 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-07-09 10:43:36 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-06-14 10:02:49 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-09 10:43:36 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-06-14 10:02:49 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-07-09 10:43:36 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-06-14 10:02:48 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-09 10:43:35 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-06-14 10:02:48 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-07-09 10:43:35 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-06-14 10:02:49 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-07-09 10:43:36 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-06-14 10:02:48 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-07-09 10:43:35 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-06-14 10:02:48 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-07-09 10:43:35 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2004-08-10 12:00:00 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2004-08-10 12:00:00 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2008-06-20 17:41:10 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2007-07-12 09:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 08:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 09:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 08:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 10:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 09:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-07-07 08:52:43 60,886 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-09 19:26:22 60,886 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-07 08:52:43 401,234 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-09 19:26:22 401,234 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-13 16:06 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 17:10 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 10:21 116224]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 13:03 2065648]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 17:10 318704]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 17:11 13552]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2008-03-05 16:39:00 629248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 00:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-07-17 22:10 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 05:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-10-08 11:50 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-11-29 16:00 2748928 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-08-12 18:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-11-02 16:53 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7992:TCP"= 7992:TCP:BitComet 7992 TCP
"7992:UDP"= 7992:UDP:BitComet 7992 UDP

S3 Radialpoint Security Services;Verizon Internet Security Suite;C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe [2008-02-26 17:10]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-05 20:47:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 21:24:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-07-11 21:25:04
ComboFix-quarantined-files.txt 2008-07-12 04:25:00
ComboFix2.txt 2008-07-09 05:02:06
ComboFix3.txt 2008-07-07 19:51:00

Pre-Run: 227,212,537,856 bytes free
Post-Run: 227,203,858,432 bytes free

195 --- E O F --- 2008-07-09 10:43:41


Scanner Malware name
A-Squared Trojan-Downloader.Win32.Agent.keg
AntiVir TR/Dldr.Agent.keg
ArcaVir X
Avast Win32:Trojan-gen {Other}
AVG Antivirus X
BitDefender X
ClamAV Trojan.Downloader-38314
CPsecure Troj.W32.Agent.eaq
Dr.Web X
F-Prot Antivirus W32/Downldr2.BBSL
F-Secure Anti-Virus Trojan-Downloader.Win32.Agent.keg
Fortinet X
Ikarus Trojan-Downloader.Win32.Agent.keg
Kaspersky Anti-Virus Trojan-Downloader.Win32.Agent.keg
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster Trojan.DL.Agent.EPGF
VBA32 X

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:46 PM

Posted 12 July 2008 - 09:14 AM

Once more. :thumbsup:

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::

C:\WINDOWS\SysNotifier.exe
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new log from DSS.
How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Patojo007

Patojo007
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 15 July 2008 - 05:20 PM

Deckard's System Scanner v20071014.68
Run by Walter on 2008-07-15 13:46:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Walter.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:06 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Walter\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Walter.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8102 bytes

-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-14 00:37:37 0 d-------- C:\Documents and Settings\Walter\Application Data\acccore
2008-07-14 00:36:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-14 00:36:51 0 d-------- C:\Program Files\Viewpoint
2008-07-14 00:36:50 0 d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-14 00:35:39 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-14 00:35:39 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-14 00:35:20 0 d-------- C:\Program Files\Common Files\AOL
2008-07-14 00:35:11 0 d-------- C:\Program Files\AIM6
2008-07-10 01:28:11 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-07-08 21:39:01 0 d-------- C:\Program Files\Java
2008-07-08 21:38:59 0 d-------- C:\Program Files\Common Files\Java
2008-07-08 21:34:41 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-07 15:32:10 0 d-------- C:\WINDOWS\ERUNT
2008-07-07 15:16:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-07 15:16:35 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-07 15:16:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-07 15:16:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-07 15:16:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-07 15:16:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-07 15:16:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-07 15:16:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-07 15:16:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-07 15:16:34 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-07 12:39:42 68096 --a------ C:\WINDOWS\zip.exe
2008-07-07 12:39:42 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-07 12:39:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-07 12:39:42 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-07 12:39:42 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-07 12:39:42 98816 --a------ C:\WINDOWS\sed.exe
2008-07-07 12:39:42 80412 --a------ C:\WINDOWS\grep.exe
2008-07-07 12:39:42 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-05 17:37:04 0 d-------- C:\Program Files\Trend Micro
2008-06-28 12:59:04 0 d-------- C:\Documents and Settings\Walter\Application Data\HouseCall 6.6
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\Scripts
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\DefaultScripts


-- Find3M Report ---------------------------------------------------------------

2008-07-14 00:35:20 0 d-------- C:\Program Files\Common Files
2008-06-10 22:20:25 0 d-------- C:\Program Files\World of Warcraft
2008-06-09 17:43:55 0 d-------- C:\Program Files\Ventrilo
2008-06-03 21:37:45 0 d-------- C:\Program Files\Xvid
2008-05-24 08:38:39 0 d-------- C:\Documents and Settings\Walter\Application Data\Adobe
2008-05-24 08:36:33 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/10/2004 05:00 AM C:\WINDOWS\system32\bthprops.cpl]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [03/06/2007 10:21 AM]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [02/13/2008 01:03 PM]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [02/26/2008 05:10 PM]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [02/26/2008 05:11 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/13/2008 04:06 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [06/19/2008 10:51 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [3/5/2008 4:39:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 12/21/2001 12:34 AM 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-07-15 13:46:23 ------------




KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 15, 2008 20:18:26
Records in database: 957114
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics
Files scanned 31556
Threat name 8
Infected objects 12
Suspicious objects 0
Duration of the scan 00:23:50

File name Threat name Threats count
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.gen 1
C:\QooBox\Quarantine\C\WINDOWS\efbd.exe.vir Infected: Trojan.Win32.Vapsup.hvc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\awturQiF.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\clbdll.dll.vir Infected: Rootkit.Win32.Clbd.dc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Tmpt59.sys.vir Infected: Rootkit.Win32.Agent.abf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\evsfjgff.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\iifecaBt.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Vapsup.hve 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Vapsup.hva 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Vapsup.huz 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Monderb.gen 1
C:\_OTMoveIt\MovedFiles\07072008_010002\WINDOWS\system32\geBrsQGY.dll Infected: Trojan.Win32.Monderb.gen 1
The selected area was scanned.




Deckard's System Scanner v20071014.68
Run by Walter on 2008-07-15 13:46:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Walter.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:06 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Walter\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Walter.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8102 bytes

-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-14 00:37:37 0 d-------- C:\Documents and Settings\Walter\Application Data\acccore
2008-07-14 00:36:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-14 00:36:51 0 d-------- C:\Program Files\Viewpoint
2008-07-14 00:36:50 0 d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-14 00:35:39 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-14 00:35:39 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-14 00:35:20 0 d-------- C:\Program Files\Common Files\AOL
2008-07-14 00:35:11 0 d-------- C:\Program Files\AIM6
2008-07-10 01:28:11 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-07-08 21:39:01 0 d-------- C:\Program Files\Java
2008-07-08 21:38:59 0 d-------- C:\Program Files\Common Files\Java
2008-07-08 21:34:41 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-07 15:32:10 0 d-------- C:\WINDOWS\ERUNT
2008-07-07 15:16:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-07 15:16:35 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-07 15:16:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-07 15:16:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-07 15:16:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-07 15:16:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-07 15:16:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-07 15:16:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-07 15:16:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-07 15:16:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-07 15:16:34 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-07 12:39:42 68096 --a------ C:\WINDOWS\zip.exe
2008-07-07 12:39:42 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-07 12:39:42 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-07 12:39:42 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-07 12:39:42 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-07 12:39:42 98816 --a------ C:\WINDOWS\sed.exe
2008-07-07 12:39:42 80412 --a------ C:\WINDOWS\grep.exe
2008-07-07 12:39:42 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-05 17:37:04 0 d-------- C:\Program Files\Trend Micro
2008-06-28 12:59:04 0 d-------- C:\Documents and Settings\Walter\Application Data\HouseCall 6.6
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\Scripts
2008-06-25 14:46:07 0 d-------- C:\Documents and Settings\Walter\DefaultScripts


-- Find3M Report ---------------------------------------------------------------

2008-07-14 00:35:20 0 d-------- C:\Program Files\Common Files
2008-06-10 22:20:25 0 d-------- C:\Program Files\World of Warcraft
2008-06-09 17:43:55 0 d-------- C:\Program Files\Ventrilo
2008-06-03 21:37:45 0 d-------- C:\Program Files\Xvid
2008-05-24 08:38:39 0 d-------- C:\Documents and Settings\Walter\Application Data\Adobe
2008-05-24 08:36:33 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/10/2004 05:00 AM C:\WINDOWS\system32\bthprops.cpl]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [03/06/2007 10:21 AM]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [02/13/2008 01:03 PM]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [02/26/2008 05:10 PM]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [02/26/2008 05:11 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/13/2008 04:06 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [06/19/2008 10:51 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [3/5/2008 4:39:00 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 12/21/2001 12:34 AM 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-07-15 13:46:23 ------------

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:46 PM

Posted 15 July 2008 - 05:26 PM

Looks pretty good to me.
How are things on your end? Any problems?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 Patojo007

Patojo007
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 19 July 2008 - 03:58 AM

Sorry Sam for the late responses, been busy and out of the house a lot lately. Yeah, no more pop ups or any of that stuff anymore. My pc seems a little laggy though, but I don't know whether it's jsut me or there may be some traces or something. Your thoughts?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users