"spyware Toolbar" Installed On Its Own


  • This topic is locked
16 replies to this topic

#1 elmongo2

elmongo2

  • Members
  • 878 posts
  • Gender:Male
  • Location:Indiana, USA
  • Local time:06:56 PM

Posted 08 July 2008 - 06:28 AM

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 8, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 08, 2008 02:46:18
Records in database: 924412


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Program Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\El Mongo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows

Scan statistics
Files scanned 143716
Threat name 3
Infected objects 3
Suspicious objects 0
Duration of the scan 01:46:22

File name Threat name Threats count
C:\Program Files\PCHealthCenter\5.exe Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.h 1

C:\Windows\System32\beep.sys Infected: Rootkit.Win32.Clbd.dc 1

C:\Windows\System32\Setup_ver1.1351.25.exe Infected: Trojan-Downloader.Win32.Zlob.qvy 1

The selected area was scanned.





Deckard's System Scanner v20071014.68
Run by El Mongo on 2008-07-08 06:19:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as El Mongo.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:56 AM, on 7/8/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\lxddcoms.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\El Mongo\AppData\Local\Temp\jkos-El Mongo\binaries\ScanningProcess.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\El Mongo\Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\El Mongo.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: QXK Olive - {923C5BC4-222D-4765-8B05-1DA745853776} - C:\Windows\wbxdpgfekal.dll
O3 - Toolbar: sqvgnrpx - {6A25115D-10F0-4897-9866-A8350EEEB16A} - C:\Windows\sqvgnrpx.dll
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{02AEB1E3-5B03-413D-A1BF-DE65D470FE85}
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O21 - SSODL: fdxbameg - {037395CD-3B6B-44F7-8FCC-50FACD6F42E9} - C:\Windows\fdxbameg.dll
O21 - SSODL: fsrpknov - {452731EA-62B7-486C-B131-B34F9F88F9EF} - C:\Windows\fsrpknov.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: lxdd_device - - C:\Windows\system32\lxddcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8415 bytes

-- Files created between 2008-06-08 and 2008-07-08 -----------------------------

2008-07-07 19:46:22 10240 --a------ C:\Windows\system32\beep.sys
2008-07-07 19:42:29 94208 --a------ C:\Windows\ewkg.exe
2008-07-07 19:42:27 307200 --a------ C:\Windows\wbxdpgfekal.dll
2008-07-07 19:42:27 155648 --a------ C:\Windows\sqvgnrpx.dll
2008-07-07 19:42:27 86016 --a------ C:\Windows\gpefaowr.exe
2008-07-07 19:42:27 180224 --a------ C:\Windows\fsrpknov.dll
2008-07-07 19:42:27 229376 --a------ C:\Windows\fdxbameg.dll
2008-07-07 19:42:21 0 d-------- C:\Program Files\PCHealthCenter
2008-07-05 13:28:59 0 d-------- C:\Program Files\EA GAMES <EAGAME~1>
2008-06-28 12:23:58 0 d-------- C:\Windows\$regcmp$
2008-06-28 12:23:55 0 d-------- C:\Program Files\Registry Clean Expert
2008-06-27 18:00:51 0 d-------- C:\Program Files\Vstep
2008-06-26 09:27:33 118671 --a------ C:\Windows\Keyfinder Advanced 2007 (Trial Version) Uninstaller.exe
2008-06-26 09:27:31 0 d-------- C:\Program Files\Keyfinder Advanced 2007 (Trial Version)
2008-06-23 15:47:04 0 d-------- C:\Program Files\VDMSound
2008-06-22 21:29:10 0 d--h----- C:\Windows\PIF
2008-06-22 20:26:53 0 d-------- C:\Program Files\Microsoft Virtual PC
2008-06-19 11:11:50 0 d-------- C:\Program Files\CCleaner
2008-06-15 10:27:58 0 d-------- C:\VundoFix Backups
2008-06-13 17:06:00 0 d-------- C:\Windows\system32\URTTEMP
2008-06-13 17:03:29 0 d-------- C:\Windows\San Andreas Mod Installer
2008-06-13 17:03:28 0 d-------- C:\Program Files\San Andreas Mod Installer
2008-06-13 09:07:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware


-- Find3M Report ---------------------------------------------------------------

2008-07-07 22:05:27 0 d-------- C:\Users\El Mongo\AppData\Roaming\LimeWire
2008-07-07 19:27:44 0 d-------- C:\Users\El Mongo\AppData\Roaming\Azureus
2008-07-06 09:21:59 0 d-------- C:\Program Files\Lx_cats
2008-07-04 12:40:27 0 d-------- C:\Program Files\Azureus
2008-06-20 11:10:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-20 11:10:34 0 d-------- C:\Program Files\Cyberlink <CYBERL~1>
2008-06-10 12:37:38 0 d-------- C:\Users\El Mongo\AppData\Roaming\Webroot
2008-06-10 10:07:32 0 d-------- C:\Program Files\Webroot
2008-06-07 17:40:19 0 d-------- C:\Users\El Mongo\AppData\Roaming\CyberLink <CYBERL~1>
2008-06-04 22:32:42 0 d-------- C:\Program Files\Winamp
2008-06-04 13:42:18 131072 --a------ C:\Windows\gen_pictureboxid3lib.dll
2008-06-02 14:37:43 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-02 14:37:25 0 d-------- C:\Program Files\Symantec
2008-05-27 06:19:13 0 d-------- C:\Program Files\Google
2008-05-24 23:43:41 0 d-------- C:\Program Files\SpywareBlaster
2008-05-24 21:00:38 0 d-------- C:\Program Files\Java
2008-05-24 20:58:45 0 d-------- C:\Program Files\Common Files
2008-05-24 20:58:45 0 d-------- C:\Program Files\Common Files\Java
2008-05-24 20:24:37 0 d-------- C:\Program Files\Trend Micro
2008-05-24 10:12:13 0 d-------- C:\Program Files\Common Files\Logitech
2008-05-24 10:12:04 0 d-------- C:\Program Files\Logitech
2008-05-24 09:51:36 0 d-------- C:\Users\El Mongo\AppData\Roaming\Apple Computer
2008-05-24 09:51:16 0 d-------- C:\Program Files\iTunes
2008-05-24 09:50:50 0 d-------- C:\Program Files\iPod
2008-05-24 09:49:41 0 d-------- C:\Program Files\Bonjour
2008-05-24 09:49:18 0 d-------- C:\Program Files\QuickTime
2008-05-24 09:47:38 0 d-------- C:\Program Files\Apple Software Update
2008-05-24 09:45:52 0 d-------- C:\Program Files\Common Files\Apple
2008-05-15 17:43:18 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-05-15 16:27:47 0 d-------- C:\Users\El Mongo\AppData\Roaming\DivX
2008-05-14 19:37:14 0 d-------- C:\Users\El Mongo\AppData\Roaming\Adobe
2008-05-14 19:34:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-14 17:21:31 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-14 15:45:40 0 d-------- C:\Program Files\DAEMON Tools
2008-05-13 19:16:54 0 d-------- C:\Program Files\nLite
2008-05-10 22:27:56 0 d-------- C:\Program Files\DivX
2008-05-10 22:27:44 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-05-10 13:03:18 0 d-------- C:\Users\El Mongo\AppData\Roaming\U3
2008-05-10 00:53:34 0 d-------- C:\Program Files\Sierra Entertainment
2008-05-10 00:40:43 0 d-------- C:\Users\El Mongo\AppData\Roaming\InstallShield
2008-05-09 16:36:35 0 dr-h----- C:\Users\El Mongo\AppData\Roaming\SecuROM
2008-05-09 16:05:12 0 d-------- C:\Program Files\Electronic Arts
2008-05-09 08:35:21 0 d-------- C:\Users\El Mongo\AppData\Roaming\Malwarebytes
2008-05-08 17:22:21 0 d-------- C:\Program Files\Valvesoftware
2008-05-05 21:24:06 240640 --a------ C:\Windows\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-05 21:24:06 615424 --a------ C:\Windows\system32\themeui.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-03 15:25:37 174 --ahs---- C:\Program Files\desktop.ini
2008-05-02 17:15:24 0 -rahs---- C:\MSDOS.SYS
2008-05-02 17:15:24 0 -rahs---- C:\IO.SYS
2008-04-11 17:23:54 38400 --a------ C:\Windows\system32\SoundSchemes.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{923C5BC4-222D-4765-8B05-1DA745853776}]
07/07/2008 07:46 PM 307200 --a------ C:\Windows\wbxdpgfekal.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="RUNDLL32.exe" [11/02/2006 04:45 AM C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [11/02/2006 04:45 AM C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [11/02/2006 04:45 AM C:\Windows\System32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"LXDDCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [01/22/2007 05:05 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [04/26/2008 06:53 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 07:34 AM]
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [11/02/2006 04:45 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fdxbameg"= {037395CD-3B6B-44F7-8FCC-50FACD6F42E9} - C:\Windows\fdxbameg.dll [07/07/2008 04:10 PM 229376]
"fsrpknov"= {452731EA-62B7-486C-B131-B34F9F88F9EF} - C:\Windows\fsrpknov.dll [07/07/2008 04:10 PM 180224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\Windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
"C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXDDCATS]
rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
AutoRun\command- M:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02fbed92-21f6-11dd-9edc-0016171b32cd}]
AutoRun\command- J:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72252d4f-13ed-11dd-a437-0016171b32cd}]
AutoRun\command- F:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-07-08 06:20:59 ------------
People do dumb things. And I'm not talking about paying too much for car insurance either.


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,697 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:56 PM

Posted 08 July 2008 - 06:55 PM

Hi, elmongo2 :thumbsup:

Welcome back. This seems to be another computer, isn't it?

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: QXK Olive - {923C5BC4-222D-4765-8B05-1DA745853776} - C:\Windows\wbxdpgfekal.dll
O3 - Toolbar: sqvgnrpx - {6A25115D-10F0-4897-9866-A8350EEEB16A} - C:\Windows\sqvgnrpx.dll
O21 - SSODL: fdxbameg - {037395CD-3B6B-44F7-8FCC-50FACD6F42E9} - C:\Windows\fdxbameg.dll
O21 - SSODL: fsrpknov - {452731EA-62B7-486C-B131-B34F9F88F9EF} - C:\Windows\fsrpknov.dll


Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the entire contents of the codebox below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Windows\ewkg.exe
    C:\Windows\wbxdpgfekal.dll
    C:\Windows\sqvgnrpx.dll
    C:\Windows\gpefaowr.exe
    C:\Windows\fsrpknov.dll
    C:\Windows\fdxbameg.dll
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • In addition a .zip folder will be created in the same form.
  • Follow these steps to submit these files for review:

    Please go here:
    The Spy Killer Forum

    • Click on "New Topic"
    • Put your name, e-mail address, and this as the title: "OTMoveIt zip"
    • Put a link to this thread in the description box.
    • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
      • c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.zip
    • Click Open.
    • Click Post.

  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!

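Added example, not part of the thread and not code from HijackThis, DSS, OTMoveIt2 or ComboFix: a small Python triage script that reads HijackThis O2/O3/O21/O22 lines together with the DSS "files created" listing and flags loaded modules using the three signals the helper's selection above relies on, namely a DLL sitting loose in C:\Windows rather than System32 or Program Files, a file name that is just a run of lowercase letters, and creation within a minute of several other new files. The sample lines are copied from the logs posted above; the regular expressions, the thresholds and the function names are my own assumptions, not any tool's documented format.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample input: HijackThis and DSS lines copied in shape from this thread.
HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: QXK Olive - {923C5BC4-222D-4765-8B05-1DA745853776} - C:\Windows\wbxdpgfekal.dll
O3 - Toolbar: sqvgnrpx - {6A25115D-10F0-4897-9866-A8350EEEB16A} - C:\Windows\sqvgnrpx.dll
O21 - SSODL: fdxbameg - {037395CD-3B6B-44F7-8FCC-50FACD6F42E9} - C:\Windows\fdxbameg.dll
O21 - SSODL: fsrpknov - {452731EA-62B7-486C-B131-B34F9F88F9EF} - C:\Windows\fsrpknov.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
"""

DSS_CREATED = r"""
2008-07-07 19:46:22 10240 --a------ C:\Windows\system32\beep.sys
2008-07-07 19:42:29 94208 --a------ C:\Windows\ewkg.exe
2008-07-07 19:42:27 307200 --a------ C:\Windows\wbxdpgfekal.dll
2008-07-07 19:42:27 155648 --a------ C:\Windows\sqvgnrpx.dll
2008-07-07 19:42:27 86016 --a------ C:\Windows\gpefaowr.exe
2008-07-07 19:42:27 180224 --a------ C:\Windows\fsrpknov.dll
2008-07-07 19:42:27 229376 --a------ C:\Windows\fdxbameg.dll
"""

# Assumed line shapes (my regexes, not an official grammar of either log format).
HJT_RE = re.compile(
    r"^(?P<kind>[OR]\d+) - (?P<section>[^:]+): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
DSS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$")
WINDIR = PureWindowsPath(r"C:\Windows")


def parse_hjt(text):
    """Return one dict (kind, section, name, clsid, path) per parsable HijackThis line."""
    return [m.groupdict() for line in text.strip().splitlines()
            if (m := HJT_RE.match(line.strip()))]


def parse_created(text):
    """Map each listed path (lower-cased) to its creation timestamp from the DSS listing."""
    created = {}
    for line in text.strip().splitlines():
        m = DSS_RE.match(line.strip())
        if m:
            created[m["path"].lower()] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return created


def triage(hjt_text, dss_text, window=timedelta(seconds=60)):
    """Return [(path, [reasons])] for every loaded module that trips at least one heuristic."""
    created = parse_created(dss_text)
    flagged = []
    for entry in parse_hjt(hjt_text):
        p = PureWindowsPath(entry["path"])
        reasons = []
        # 1. BHOs, toolbars and SSODL modules normally live under System32 or Program
        #    Files, not loose in the Windows directory (PureWindowsPath compares case-insensitively).
        if p.parent == WINDIR:
            reasons.append("module sits directly in the Windows directory")
        # 2. Generated names: a long run of lowercase letters with no vendor-style wording.
        if re.fullmatch(r"[a-z]{8,}", p.stem):
            reasons.append("file name looks machine-generated")
        # 3. Dropped together: created within `window` of at least two other new files.
        key = str(p).lower()
        ts = created.get(key)
        if ts is not None:
            siblings = sum(1 for other, t in created.items()
                           if other != key and abs(t - ts) <= window)
            if siblings >= 2:
                reasons.append(f"created within {window.seconds}s of {siblings} other new files")
        if reasons:
            flagged.append((entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(HJT_LOG, DSS_CREATED):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it lists the four C:\Windows DLLs the helper asked to fix, each with all three reasons, and stays silent on the Java and DreamScene entries; beep.sys is excluded from the cluster because it was created almost four minutes later. Any one signal on its own is weak (a legitimate installer can drop several files in the same second), which is why the script reports the reasons rather than a verdict and leaves the decision to the person reading the log.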

#3 elmongo2

elmongo2
  • Topic Starter

  • Members
  • 878 posts
  • Gender:Male
  • Location:Indiana, USA
  • Local time:06:56 PM

Posted 08 July 2008 - 09:31 PM

Hello! :thumbsup:

Here's my ComboFix log followed by the HijackThis log...

ComboFix 08-07-08.3 - El Mongo 2008-07-08 21:09:40.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1610 [GMT -5:00]
Running from: C:\Users\El Mongo\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\sc.html
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-08 20:43 . 2008-07-08 20:43 <DIR> d-------- C:\_OTMoveIt
2008-07-08 06:19 . 2008-07-08 06:19 <DIR> d-------- C:\Deckard
2008-07-07 19:46 . 2008-07-07 19:46 10,240 --a------ C:\Windows\System32\beep.sys
2008-07-07 19:42 . 2008-07-07 19:47 65,536 --a------ C:\Windows\System32\Setup_ver1.1351.25.exe
2008-07-05 13:28 . 2008-07-07 10:25 <DIR> d-------- C:\Program Files\EA GAMES
2008-07-02 18:29 . 2008-07-02 18:29 <DIR> d-------- C:\Program Files\ERUNT
2008-06-28 12:23 . 2008-06-28 12:25 <DIR> d-------- C:\Windows\$regcmp$
2008-06-28 12:23 . 2008-06-28 12:23 <DIR> d-------- C:\Program Files\Registry Clean Expert
2008-06-27 18:00 . 2008-06-27 18:00 <DIR> d-------- C:\Program Files\Vstep
2008-06-26 09:27 . 2008-06-26 09:27 <DIR> d-------- C:\Program Files\Keyfinder Advanced 2007 (Trial Version)
2008-06-26 09:27 . 2008-06-26 09:27 118,671 --a------ C:\Windows\Keyfinder Advanced 2007 (Trial Version) Uninstaller.exe
2008-06-23 15:47 . 2008-06-23 15:47 <DIR> d-------- C:\Program Files\VDMSound
2008-06-22 21:29 . 2008-06-22 21:29 <DIR> d--h----- C:\Windows\PIF
2008-06-22 20:26 . 2008-06-22 20:27 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-06-21 16:01 . 2008-06-21 16:01 331 --a------ C:\Windows\ARCADE2.INI
2008-06-19 11:11 . 2008-06-19 11:11 <DIR> d-------- C:\Program Files\CCleaner
2008-06-18 14:12 . 2008-07-08 11:17 54,156 --ah----- C:\Windows\QTFont.qfn
2008-06-18 14:12 . 2008-06-18 14:12 1,409 --a------ C:\Windows\QTFont.for
2008-06-15 10:27 . 2008-06-15 10:36 <DIR> d-------- C:\VundoFix Backups
2008-06-13 17:06 . 2008-06-13 17:06 <DIR> d-------- C:\Windows\System32\URTTEMP
2008-06-13 17:03 . 2008-06-13 17:03 <DIR> d-------- C:\Windows\San Andreas Mod Installer
2008-06-13 17:03 . 2008-06-13 17:05 <DIR> d-------- C:\Program Files\San Andreas Mod Installer
2008-06-13 09:07 . 2008-06-13 09:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-13 09:07 . 2008-06-10 19:02 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-06-13 09:07 . 2008-06-10 19:02 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-06-10 12:37 . 2008-06-10 12:37 <DIR> d-------- C:\Users\El Mongo\AppData\Roaming\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 02:20 --------- d-----w C:\Program Files\Lx_cats
2008-07-09 02:03 --------- d---a-w C:\ProgramData\TEMP
2008-07-08 03:05 --------- d-----w C:\Users\El Mongo\AppData\Roaming\LimeWire
2008-07-08 00:27 --------- d-----w C:\Users\El Mongo\AppData\Roaming\Azureus
2008-07-04 17:40 --------- d-----w C:\Program Files\Azureus
2008-06-20 16:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 16:10 --------- d-----w C:\Program Files\Cyberlink
2008-06-10 15:07 --------- d-----w C:\Program Files\Webroot
2008-06-10 15:05 --------- d-----w C:\ProgramData\Webroot
2008-06-07 22:40 --------- d-----w C:\Users\El Mongo\AppData\Roaming\CyberLink
2008-06-07 22:40 --------- d-----w C:\ProgramData\CyberLink
2008-06-05 03:32 --------- d-----w C:\Program Files\Winamp
2008-06-04 18:42 131,072 ----a-w C:\Windows\gen_pictureboxid3lib.dll
2008-06-02 19:38 --------- d-----w C:\ProgramData\Symantec
2008-06-02 19:37 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-02 19:37 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-06-02 19:37 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-02 19:37 --------- d-----w C:\Program Files\Symantec
2008-06-02 19:37 --------- d-----w C:\Program Files\Norton AntiVirus
2008-05-27 11:19 --------- d-----w C:\Program Files\Google
2008-05-25 04:43 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-25 02:00 --------- d-----w C:\Program Files\Java
2008-05-25 01:58 --------- d-----w C:\Program Files\Common Files\Java
2008-05-25 01:24 --------- d-----w C:\Program Files\Trend Micro
2008-05-24 15:18 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-05-24 15:18 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-05-24 15:18 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-05-24 15:12 --------- d-----w C:\Program Files\Logitech
2008-05-24 15:12 --------- d-----w C:\Program Files\Common Files\Logitech
2008-05-24 14:51 --------- d-----w C:\Users\El Mongo\AppData\Roaming\Apple Computer
2008-05-24 14:51 --------- d-----w C:\Program Files\iTunes
2008-05-24 14:50 --------- d-----w C:\ProgramData\Apple Computer
2008-05-24 14:50 --------- d-----w C:\Program Files\iPod
2008-05-24 14:49 --------- d-----w C:\Program Files\QuickTime
2008-05-24 14:49 --------- d-----w C:\Program Files\Bonjour
2008-05-24 14:47 --------- d-----w C:\Program Files\Apple Software Update
2008-05-24 14:45 --------- d-----w C:\ProgramData\Apple
2008-05-24 14:45 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-15 22:43 --------- d-----w C:\ProgramData\PC Drivers HeadQuarters
2008-05-15 22:43 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2008-05-15 21:27 --------- d-----w C:\Users\El Mongo\AppData\Roaming\DivX
2008-05-15 00:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-14 22:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-14 21:08 --------- d-----w C:\ProgramData\Symantec Temporary Files
2008-05-14 20:45 --------- d-----w C:\Program Files\DAEMON Tools
2008-05-14 20:39 685,816 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-05-14 00:16 --------- d-----w C:\Program Files\nLite
2008-05-11 03:27 --------- d-----w C:\Program Files\DivX
2008-05-11 03:27 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-05-10 18:03 --------- d-----w C:\Users\El Mongo\AppData\Roaming\U3
2008-05-10 06:00 --------- d-----w C:\ProgramData\Media Center Programs
2008-05-10 05:53 --------- d-----w C:\Program Files\Sierra Entertainment
2008-05-10 05:40 --------- d-----w C:\Users\El Mongo\AppData\Roaming\InstallShield
2008-05-09 21:44 --------- d-----w C:\ProgramData\SimCity Societies
2008-05-09 21:36 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-05-09 21:36 --------- d--h--r C:\Users\El Mongo\AppData\Roaming\SecuROM
2008-05-09 21:05 --------- d-----w C:\Program Files\Electronic Arts
2008-05-09 13:35 --------- d-----w C:\Users\El Mongo\AppData\Roaming\Malwarebytes
2008-05-09 13:34 --------- d-----w C:\ProgramData\Malwarebytes
2008-05-06 02:24 615,424 ----a-w C:\Windows\System32\themeui.dll
2008-05-06 02:24 240,640 ----a-w C:\Windows\System32\uxtheme.dll
2008-05-03 20:25 174 --sha-w C:\Program Files\desktop.ini
2008-05-03 13:53 1,066,544 ----a-w C:\Windows\System32\mfc71.dll
2008-04-27 00:01 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-04-27 00:01 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-04-27 00:01 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-04-27 00:00 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-04-27 00:00 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-04-27 00:00 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-04-26 23:59 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-04-26 23:58 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-04-26 23:58 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-04-26 23:58 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-04-26 23:58 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-04-26 23:58 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-04-26 23:58 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-04-26 23:58 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-04-26 23:57 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-04-26 23:57 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-04-26 23:56 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-04-26 23:56 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-04-26 23:56 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-04-26 23:56 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-26 23:55 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-04-26 23:55 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-04-26 23:55 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-04-26 23:55 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-04-26 23:54 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-04-26 23:54 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-04-26 23:54 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-04-26 23:53 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-04-26 23:53 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-04-26 23:53 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-04-26 23:52 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-04-26 23:52 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-04-26 23:51 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-04-26 23:50 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-26 23:50 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-26 23:50 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-26 23:50 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-04-26 18:53 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [2006-11-02 04:45 12288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 05:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 05:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 05:28 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"LXDDCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [2007-01-22 17:05 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\Windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
--------- 2007-09-29 17:00 122880 C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 09:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2007-02-12 19:00 312240 C:\Program Files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-12-05 22:55 54832 C:\Program Files\Cyberlink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-02-05 18:32 20480 C:\Program Files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXDDCATS]
--a------ 2007-01-22 17:05 102400 C:\Windows\System32\spool\drivers\w32x86\3\lxddtime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a------ 2007-02-12 18:58 291760 C:\Program Files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 19:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 15:10 56928 C:\Program Files\Cyberlink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 17:38 583048 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 13:49 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
--a------ 2007-08-09 13:56 1261384 C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-01-16 22:02 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AB1153A9-EE68-495A-B00A-CB205E2E14A8}"= UDP:C:\Windows\System32\lxddcoms.exe:Lexmark Communications System
"{8F49B229-F66E-440B-A879-0439858C58AA}"= TCP:C:\Windows\System32\lxddcoms.exe:Lexmark Communications System
"{E0A54FC7-F40A-4306-A154-E6C29FD4BFDB}"= UDP:C:\Program Files\Lexmark 2500 Series\lxddmon.exe:Device Monitor
"{E25F9395-338A-4A7F-9C8C-162CEB1CD09B}"= TCP:C:\Program Files\Lexmark 2500 Series\lxddmon.exe:Device Monitor
"{28758E75-FE9B-4265-93C2-46D4E68DF004}"= UDP:C:\Program Files\Lexmark 2500 Series\lxddamon.exe:Lexmark Device Monitor
"{11AD49DA-A184-4AF8-814F-37022D3AA53C}"= TCP:C:\Program Files\Lexmark 2500 Series\lxddamon.exe:Lexmark Device Monitor
"{0CDD6077-E254-46A2-B29E-AB56BB7A54AC}"= UDP:C:\Program Files\Lexmark 2500 Series\App4R.exe:Lexmark Imaging Studio
"{E26EC984-D376-41F3-A7FC-2DF2B87CD0A1}"= TCP:C:\Program Files\Lexmark 2500 Series\App4R.exe:Lexmark Imaging Studio
"{44470937-4923-485E-ACA9-026373851DCA}"= UDP:C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{3B84DFF7-A5C7-4847-9746-B6AD043C44CF}"= TCP:C:\Program Files\Sierra Entertainment\World in Conflict\wic.exe:World in Conflict
"{5F7F6275-F469-4A3E-9C4F-6539E05EB7B5}"= UDP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{5C0BC743-E438-4932-AD4A-5F8AB77060F6}"= TCP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_online.exe:World in Conflict - Online Only
"{635B4320-B50E-4740-AEED-FF6030596117}"= UDP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"{BBD93879-F208-417D-863B-55812E7406FA}"= TCP:C:\Program Files\Sierra Entertainment\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server
"TCP Query User{2C68A172-001E-4329-A6D9-287CBFBC50CC}C:\\windows\\system32\\svchost32.exe"= UDP:C:\windows\system32\svchost32.exe:svchost32
"UDP Query User{F26DE9B5-5AF9-464D-9448-0B3FBED571A0}C:\\windows\\system32\\svchost32.exe"= TCP:C:\windows\system32\svchost32.exe:svchost32
"{25C254C5-5DA7-45B4-96B2-17D13061B838}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{DE82CE98-B19B-439B-A83F-65BF7F8430E3}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{74D77C1A-B3BB-4B4C-93FB-00CBA506521F}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0FCFD14A-65DC-4676-BD4C-67EDA30F936E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{845526FB-77AA-4E9F-B2CA-F5EF7509F999}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{7323A552-67BB-4861-B997-7867C7AEA4BF}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{21513571-1800-4D57-A7A3-303C23FD12F6}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2F5965D5-1C44-4A97-9685-E290FE7E4EF7}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\IDS-DI~1\20080707.002\IDSvix86.sys [2008-05-13 00:57]
R2 lxdd_device;lxdd_device;C:\Windows\system32\lxddcoms.exe [2007-02-12 18:59]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-08-09 13:56]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 17:32]
S0 OemBiosDevice;Royalty OEM Bios Extension;C:\Windows\system32\drivers\royal.sys [2008-04-27 19:34]
S3 wrssweep;Webroots Volume Access Driver;C:\Program Files\Webroot\Washer\wrssweep.sys [2007-08-09 13:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\shell\AutoRun\command - L:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\shell\AutoRun\command - M:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02fbed92-21f6-11dd-9edc-0016171b32cd}]
\shell\AutoRun\command - J:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72252d4f-13ed-11dd-a437-0016171b32cd}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73b817c8-34dd-11dd-9fe8-806e6f6e6963}]
\shell\AutoRun\command - E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 01:00:22 C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - El Mongo.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeB/TASK:
"2008-07-09 01:02:13 C:\Windows\Tasks\User_Feed_Synchronization-{02AEB1E3-5B03-413D-A1BF-DE65D470FE85}.job"
- C:\Windows\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SpySweeper - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 21:20:43
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\PnkBstrA.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-07-08 21:26:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-09 02:25:49

Pre-Run: 314,995,470,336 bytes free
Post-Run: 315,625,791,488 bytes free

327

Deckard's System Scanner v20071014.68
Run by El Mongo on 2008-07-08 21:28:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as El Mongo.exe) --------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-08 21:28:24
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\explorer.exe
C:\Windows\System32\SearchFilterHost.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\El Mongo\Documents\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{02AEB1E3-5B03-413D-A1BF-DE65D470FE85}
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\microsoft shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdd_device - Unknown owner - C:\Windows\System32\lxddcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\System32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe


--
End of file - 6410 bytes

-- Files created between 2008-06-08 and 2008-07-08 -----------------------------

2008-07-08 21:07:34 68096 --a------ C:\Windows\zip.exe
2008-07-08 21:07:34 49152 --a------ C:\Windows\VFind.exe
2008-07-08 21:07:34 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-08 21:07:34 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-08 21:07:34 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-08 21:07:34 98816 --a------ C:\Windows\sed.exe
2008-07-08 21:07:34 80412 --a------ C:\Windows\grep.exe
2008-07-08 21:07:34 89504 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-07 19:46:22 10240 --a------ C:\Windows\system32\beep.sys
2008-07-05 13:28:59 0 d-------- C:\Program Files\EA GAMES <EAGAME~1>
2008-06-28 12:23:58 0 d-------- C:\Windows\$regcmp$
2008-06-28 12:23:55 0 d-------- C:\Program Files\Registry Clean Expert
2008-06-27 18:00:51 0 d-------- C:\Program Files\Vstep
2008-06-26 09:27:33 118671 --a------ C:\Windows\Keyfinder Advanced 2007 (Trial Version) Uninstaller.exe
2008-06-26 09:27:31 0 d-------- C:\Program Files\Keyfinder Advanced 2007 (Trial Version)
2008-06-23 15:47:04 0 d-------- C:\Program Files\VDMSound
2008-06-22 21:29:10 0 d--h----- C:\Windows\PIF
2008-06-22 20:26:53 0 d-------- C:\Program Files\Microsoft Virtual PC
2008-06-19 11:11:50 0 d-------- C:\Program Files\CCleaner
2008-06-15 10:27:58 0 d-------- C:\VundoFix Backups
2008-06-13 17:06:00 0 d-------- C:\Windows\system32\URTTEMP
2008-06-13 17:03:29 0 d-------- C:\Windows\San Andreas Mod Installer
2008-06-13 17:03:28 0 d-------- C:\Program Files\San Andreas Mod Installer
2008-06-13 09:07:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware


-- Find3M Report ---------------------------------------------------------------

2008-07-08 21:20:55 0 d-------- C:\Program Files\Lx_cats
2008-07-07 22:05:27 0 d-------- C:\Users\El Mongo\AppData\Roaming\LimeWire
2008-07-07 19:27:44 0 d-------- C:\Users\El Mongo\AppData\Roaming\Azureus
2008-07-04 12:40:27 0 d-------- C:\Program Files\Azureus
2008-06-20 11:10:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-20 11:10:34 0 d-------- C:\Program Files\Cyberlink <CYBERL~1>
2008-06-10 12:37:38 0 d-------- C:\Users\El Mongo\AppData\Roaming\Webroot
2008-06-10 10:07:32 0 d-------- C:\Program Files\Webroot
2008-06-07 17:40:19 0 d-------- C:\Users\El Mongo\AppData\Roaming\CyberLink <CYBERL~1>
2008-06-04 22:32:42 0 d-------- C:\Program Files\Winamp
2008-06-04 13:42:18 131072 --a------ C:\Windows\gen_pictureboxid3lib.dll
2008-06-02 14:37:43 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-02 14:37:25 0 d-------- C:\Program Files\Symantec
2008-05-27 06:19:13 0 d-------- C:\Program Files\Google
2008-05-24 23:43:41 0 d-------- C:\Program Files\SpywareBlaster
2008-05-24 21:00:38 0 d-------- C:\Program Files\Java
2008-05-24 20:58:45 0 d-------- C:\Program Files\Common Files
2008-05-24 20:58:45 0 d-------- C:\Program Files\Common Files\Java
2008-05-24 20:24:37 0 d-------- C:\Program Files\Trend Micro
2008-05-24 10:12:13 0 d-------- C:\Program Files\Common Files\Logitech
2008-05-24 10:12:04 0 d-------- C:\Program Files\Logitech
2008-05-24 09:51:36 0 d-------- C:\Users\El Mongo\AppData\Roaming\Apple Computer
2008-05-24 09:51:16 0 d-------- C:\Program Files\iTunes
2008-05-24 09:50:50 0 d-------- C:\Program Files\iPod
2008-05-24 09:49:41 0 d-------- C:\Program Files\Bonjour
2008-05-24 09:49:18 0 d-------- C:\Program Files\QuickTime
2008-05-24 09:47:38 0 d-------- C:\Program Files\Apple Software Update
2008-05-24 09:45:52 0 d-------- C:\Program Files\Common Files\Apple
2008-05-15 17:43:18 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-05-15 16:27:47 0 d-------- C:\Users\El Mongo\AppData\Roaming\DivX
2008-05-14 19:37:14 0 d-------- C:\Users\El Mongo\AppData\Roaming\Adobe
2008-05-14 19:34:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-14 17:21:31 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-14 15:45:40 0 d-------- C:\Program Files\DAEMON Tools
2008-05-13 19:16:54 0 d-------- C:\Program Files\nLite
2008-05-10 22:27:56 0 d-------- C:\Program Files\DivX
2008-05-10 22:27:44 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-05-10 13:03:18 0 d-------- C:\Users\El Mongo\AppData\Roaming\U3
2008-05-10 00:53:34 0 d-------- C:\Program Files\Sierra Entertainment
2008-05-10 00:40:43 0 d-------- C:\Users\El Mongo\AppData\Roaming\InstallShield
2008-05-09 16:36:35 0 dr-h----- C:\Users\El Mongo\AppData\Roaming\SecuROM
2008-05-09 16:05:12 0 d-------- C:\Program Files\Electronic Arts
2008-05-09 08:35:21 0 d-------- C:\Users\El Mongo\AppData\Roaming\Malwarebytes
2008-05-08 17:22:21 0 d-------- C:\Program Files\Valvesoftware
2008-05-05 21:24:06 240640 --a------ C:\Windows\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-05 21:24:06 615424 --a------ C:\Windows\system32\themeui.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-03 15:25:37 174 --ahs---- C:\Program Files\desktop.ini
2008-05-02 17:15:24 0 -rahs---- C:\MSDOS.SYS
2008-05-02 17:15:24 0 -rahs---- C:\IO.SYS
2008-04-11 17:23:54 38400 --a------ C:\Windows\system32\SoundSchemes.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="RUNDLL32.exe" [11/02/2006 04:45 AM C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [11/02/2006 04:45 AM C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [11/02/2006 04:45 AM C:\Windows\System32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"LXDDCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [01/22/2007 05:05 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [04/26/2008 06:53 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 07:34 AM]
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [11/02/2006 04:45 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\Windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
"C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXDDCATS]
rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
AutoRun\command- M:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02fbed92-21f6-11dd-9edc-0016171b32cd}]
AutoRun\command- J:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72252d4f-13ed-11dd-a437-0016171b32cd}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73b817c8-34dd-11dd-9fe8-806e6f6e6963}]
AutoRun\command- E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-07-08 21:30:15 ------------
People do dumb things. And I'm not talking about paying too much for car insurance either.

#4 elmongo2


Posted 08 July 2008 - 10:48 PM

Also, here's a link to the post I made on Spy Killer....

http://thespykiller.co.uk/index.php/topic,...2.html#msg26662

Edited by elmongo2, 08 July 2008 - 11:53 PM.


#5 elmongo2


Posted 09 July 2008 - 09:58 AM

Here's the OTMoveIt log after I used it. BTW, the first time I used it the program crashed, and I had to use it a second time to get anything out of it. :thumbsup:

Explorer killed successfully
File/Folder C:\Windows\ewkg.exe not found.
File/Folder C:\Windows\wbxdpgfekal.dll not found.
File/Folder C:\Windows\sqvgnrpx.dll not found.
File/Folder C:\Windows\gpefaowr.exe not found.
File/Folder C:\Windows\fsrpknov.dll not found.
File/Folder C:\Windows\fdxbameg.dll not found.
< EmptyTemp >
File delete failed. C:\Users\ELMONG~1\AppData\Local\Temp\~DF3680.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\ELMONG~1\AppData\Local\Temp\~DF3A7D.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07082008_205037

Files moved on Reboot...
File C:\Users\ELMONG~1\AppData\Local\Temp\~DF3680.tmp not found!
File C:\Users\ELMONG~1\AppData\Local\Temp\~DF3A7D.tmp not found!

#6 JSntgRvr


Posted 09 July 2008 - 05:32 PM

Hi, elmongo2 :thumbsup:

Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete this file:

C:\Windows\System32\Setup_ver1.1351.25.exe

It seems that the Beep.sys file is infected. Please run an online Kaspersky scan once again and post its report.

In addition, download the enclosed folder. [attachment=6407:Search.zip] Save and extract its contents to the desktop. It is a folder containing a batch file, RunMe.bat, and VFind.exe. Once extracted, right-click on the RunMe.bat file and select "Run as an Administrator". Post the report it shall produce.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 elmongo2


Posted 09 July 2008 - 05:51 PM

All right, I was able to delete the infected file. The problem was that I couldn't find it using Explorer, so I just used the "Start Search" thingy to find the file for me so that I could delete it directly that way. I now have Kaspersky going.....

#8 elmongo2


Posted 09 July 2008 - 10:54 PM

KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 9, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 10, 2008 01:50:59
Records in database: 932603
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Program Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\El Mongo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Windows
Scan statistics
Files scanned 153684
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 01:44:03

No malware has been detected. The scan area is clean.
The selected area was scanned.



------w 10,240 2008-07-08 03:13:22 C:\Windows\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6000.16386_none_c1e9df570ab23787\beep.sys

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 10,240 Blocks: 20

#9 JSntgRvr


Posted 10 July 2008 - 09:34 AM

Hi, elmongo2 :thumbsup:

Copy the C:\Windows\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6000.16386_none_c1e9df570ab23787\beep.sys file to the following folders:

C:\Windows\System32\Drivers
C:\Windows\system32\dllcache (if it exists)

How is the computer doing?

Edited by JSntgRvr, 10 July 2008 - 09:39 AM.

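A defender's check that goes with the restore step above, added here as an example and not part of JSntgRvr's instructions: it hashes the installed beep.sys and every copy held in the WinSxS component store, reports which store copies differ from the installed file, and only with -Restore copies a store copy back after saving the current file aside as evidence. It assumes PowerShell 4.0 or later (for Get-FileHash) in an elevated session; the directory naming follows the winsxs path quoted in the thread.

```powershell
# Added example (not from the thread): compare the installed beep.sys with the
# copies kept in the WinSxS component store before restoring one over it.
# Assumes PowerShell 4.0+ (Get-FileHash) run from an elevated prompt.
param(
    [string]$Installed = "$env:SystemRoot\System32\drivers\beep.sys",
    [string]$Store     = "$env:SystemRoot\winsxs",
    [switch]$Restore   # only overwrite the installed file when explicitly asked
)

if (-not (Test-Path -LiteralPath $Installed)) {
    Write-Warning "Installed driver not found: $Installed"
    return
}

$installedHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Installed).Hash
$installedSize = (Get-Item -LiteralPath $Installed).Length
Write-Host ("Installed: {0}`n  size={1} bytes  sha256={2}" -f $Installed, $installedSize, $installedHash)

# Component store directories for this driver are named like
# x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6000.16386_none_<hash>
# (the path quoted in the thread); the version is the fourth '_'-separated field.
$candidates = Get-ChildItem -LiteralPath $Store -Directory -Filter '*microsoft-windows-beepsys*' |
    ForEach-Object { Join-Path $_.FullName 'beep.sys' } |
    Where-Object { Test-Path -LiteralPath $_ }

if (-not $candidates) {
    Write-Warning "No beep.sys found under $Store; nothing to compare against."
    return
}

$report = foreach ($path in $candidates) {
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    [pscustomobject]@{
        Path             = $path
        Size             = (Get-Item -LiteralPath $path).Length
        SHA256           = $hash
        # Catalog-signed Windows files show Valid only where PowerShell consults the
        # catalog; treat NotSigned here as inconclusive, not as proof of tampering.
        Signature        = (Get-AuthenticodeSignature -LiteralPath $path).Status
        MatchesInstalled = ($hash -eq $installedHash)
    }
}
$report | Format-Table -AutoSize | Out-String | Write-Host

# On Vista and later the installed driver is normally a hard link to the store copy,
# so the hashes agree; a mismatch against every store copy is the signal to investigate.
if ($report | Where-Object MatchesInstalled) {
    Write-Host 'Installed beep.sys matches a component store copy.'
    return
}
Write-Warning 'Installed beep.sys matches none of the component store copies.'

if ($Restore) {
    # Prefer the highest version number embedded in the component directory name.
    $source = $report |
        Sort-Object { [version]((Split-Path (Split-Path $_.Path) -Leaf) -split '_')[3] } -Descending |
        Select-Object -First 1
    Copy-Item -LiteralPath $Installed -Destination "$Installed.suspect" -Force   # keep evidence
    Copy-Item -LiteralPath $source.Path -Destination $Installed -Force
    Write-Host "Restored $Installed from $($source.Path); previous file saved as $Installed.suspect"
}
```

Run it once without -Restore to see the comparison table, and keep the .suspect copy for a second-opinion scan such as the ones used in this thread.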


#10 elmongo2


Posted 10 July 2008 - 10:48 AM

Hello,

So far it's running faster and better. I did run my Spyware Doctor and it picked up a low-risk Trojan and some adware from Incredifind. I had it delete them, but I don't think this thing catches it all, especially with what I've been dealing with. It still runs slow at times.

Also, I did a scan using Malwarebytes' Anti-Malware and it said that I was infected with a "Fake.Beep.Sys". This is the file that I copied and pasted like you said to do. :thumbsup:

Edited by elmongo2, 10 July 2008 - 11:17 AM.


#11 JSntgRvr


Posted 10 July 2008 - 07:54 PM

Run the RunMe.bat. This will give you the locations of these files. See if you can get a copy from another computer using VISTA and overwrite the existing ones with that copy.

It will be the easier way.

Does the system work OK without the Beep.sys?



#12 elmongo2


Posted 10 July 2008 - 07:59 PM

Right now the computer is running fine, just a little slow at times, especially at rebooting.

#13 JSntgRvr


Posted 10 July 2008 - 08:09 PM

Except for the beep.sys, no other malware is detected. Norton most definitely will slow you down as most files are checked prior to running. Test the computer offline without Norton. It wouldn't hurt.

Let me know what else I can do for you.



#14 elmongo2


Posted 10 July 2008 - 08:37 PM

All right, your fix worked. :thumbsup: The scan no longer identifies it as "fake". :)
Can you check my final log from HijackThis to make sure everything's fine???


Deckard's System Scanner v20071014.68
Run by El Mongo on 2008-07-10 20:34:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as El Mongo.exe) --------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-10 20:35:16
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\lxddcoms.exe
C:\Windows\System32\PnkBstrA.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\System32\SearchIndexer.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\El Mongo\Documents\Malware Toolbox\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{02AEB1E3-5B03-413D-A1BF-DE65D470FE85}
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\microsoft shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdd_device - Unknown owner - C:\Windows\System32\lxddcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\System32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe


--
End of file - 8183 bytes

-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-07-10 20:15:54 6144 --a------ C:\Windows\system32\drivers\beep.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-10 12:33:59 0 d-------- C:\Users\All Users\Ludia
2008-07-10 12:33:50 0 d-------- C:\Users\All Users\Trymedia
2008-07-10 12:33:26 0 d-------- C:\Program Files\Trymedia
2008-07-10 12:33:25 0 d-------- C:\Program Files\Ludia
2008-07-09 13:53:04 0 --a------ C:\Windows\nsreg.dat
2008-07-08 21:07:34 68096 --a------ C:\Windows\zip.exe
2008-07-08 21:07:34 49152 --a------ C:\Windows\VFind.exe
2008-07-08 21:07:34 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-08 21:07:34 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-08 21:07:34 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-08 21:07:34 98816 --a------ C:\Windows\sed.exe
2008-07-08 21:07:34 80412 --a------ C:\Windows\grep.exe
2008-07-08 21:07:34 89504 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-05 13:28:59 0 d-------- C:\Program Files\EA GAMES
2008-06-28 12:23:58 0 d-------- C:\Windows\$regcmp$
2008-06-28 12:23:55 0 d-------- C:\Program Files\Registry Clean Expert
2008-06-27 18:00:51 0 d-------- C:\Program Files\Vstep
2008-06-26 09:27:33 118671 --a------ C:\Windows\Keyfinder Advanced 2007 (Trial Version) Uninstaller.exe
2008-06-26 09:27:31 0 d-------- C:\Program Files\Keyfinder Advanced 2007 (Trial Version)
2008-06-23 15:47:04 0 d-------- C:\Program Files\VDMSound
2008-06-22 21:29:10 0 d--h----- C:\Windows\PIF
2008-06-22 20:26:53 0 d-------- C:\Program Files\Microsoft Virtual PC
2008-06-19 11:11:50 0 d-------- C:\Program Files\CCleaner
2008-06-15 10:27:58 0 d-------- C:\VundoFix Backups
2008-06-13 17:06:00 0 d-------- C:\Windows\system32\URTTEMP
2008-06-13 17:03:29 0 d-------- C:\Windows\San Andreas Mod Installer
2008-06-13 17:03:28 0 d-------- C:\Program Files\San Andreas Mod Installer
2008-06-13 09:07:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware


-- Find3M Report ---------------------------------------------------------------

2008-07-10 20:10:59 0 d-------- C:\Program Files\Lx_cats
2008-07-10 13:39:06 0 d-------- C:\Users\El Mongo\AppData\Roaming\Azureus
2008-07-10 12:33:59 0 d-------- C:\Users\El Mongo\AppData\Roaming\Ludia
2008-07-10 12:30:15 0 d-------- C:\Users\El Mongo\AppData\Roaming\Move Networks
2008-07-09 13:53:00 0 d-------- C:\Users\El Mongo\AppData\Roaming\Mozilla
2008-07-09 10:23:08 174 --ahs---- C:\Program Files\desktop.ini
2008-07-07 22:05:27 0 d-------- C:\Users\El Mongo\AppData\Roaming\LimeWire
2008-07-04 12:40:27 0 d-------- C:\Program Files\Azureus
2008-06-20 11:10:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-20 11:10:34 0 d-------- C:\Program Files\Cyberlink
2008-06-10 12:37:38 0 d-------- C:\Users\El Mongo\AppData\Roaming\Webroot
2008-06-10 10:07:32 0 d-------- C:\Program Files\Webroot
2008-06-07 17:40:19 0 d-------- C:\Users\El Mongo\AppData\Roaming\CyberLink
2008-06-04 22:32:42 0 d-------- C:\Program Files\Winamp
2008-06-04 13:42:18 131072 --a------ C:\Windows\gen_pictureboxid3lib.dll
2008-06-02 14:37:43 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-02 14:37:25 0 d-------- C:\Program Files\Symantec
2008-05-27 06:19:13 0 d-------- C:\Program Files\Google
2008-05-24 23:43:41 0 d-------- C:\Program Files\SpywareBlaster
2008-05-24 21:00:38 0 d-------- C:\Program Files\Java
2008-05-24 20:58:45 0 d-------- C:\Program Files\Common Files
2008-05-24 20:58:45 0 d-------- C:\Program Files\Common Files\Java
2008-05-24 20:24:37 0 d-------- C:\Program Files\Trend Micro
2008-05-24 10:12:13 0 d-------- C:\Program Files\Common Files\Logitech
2008-05-24 10:12:04 0 d-------- C:\Program Files\Logitech
2008-05-24 09:51:36 0 d-------- C:\Users\El Mongo\AppData\Roaming\Apple Computer
2008-05-24 09:51:16 0 d-------- C:\Program Files\iTunes
2008-05-24 09:50:50 0 d-------- C:\Program Files\iPod
2008-05-24 09:49:41 0 d-------- C:\Program Files\Bonjour
2008-05-24 09:49:18 0 d-------- C:\Program Files\QuickTime
2008-05-24 09:47:38 0 d-------- C:\Program Files\Apple Software Update
2008-05-24 09:45:52 0 d-------- C:\Program Files\Common Files\Apple
2008-05-15 17:43:18 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-05-15 16:27:47 0 d-------- C:\Users\El Mongo\AppData\Roaming\DivX
2008-05-14 19:37:14 0 d-------- C:\Users\El Mongo\AppData\Roaming\Adobe
2008-05-14 19:34:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-14 17:21:31 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-14 15:45:40 0 d-------- C:\Program Files\DAEMON Tools
2008-05-13 19:16:54 0 d-------- C:\Program Files\nLite
2008-05-10 22:27:56 0 d-------- C:\Program Files\DivX
2008-05-10 22:27:44 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-05-10 13:03:18 0 d-------- C:\Users\El Mongo\AppData\Roaming\U3
2008-05-10 00:53:34 0 d-------- C:\Program Files\Sierra Entertainment
2008-05-10 00:40:43 0 d-------- C:\Users\El Mongo\AppData\Roaming\InstallShield
2008-05-05 21:24:06 240640 --a------ C:\Windows\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-05 21:24:06 615424 --a------ C:\Windows\system32\themeui.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-02 17:15:24 0 -rahs---- C:\MSDOS.SYS
2008-05-02 17:15:24 0 -rahs---- C:\IO.SYS
2008-04-11 17:23:54 38400 --a------ C:\Windows\system32\SoundSchemes.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="RUNDLL32.exe" [11/02/2006 04:45 AM C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [11/02/2006 04:45 AM C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [11/02/2006 04:45 AM C:\Windows\System32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"LXDDCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [01/22/2007 05:05 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [04/26/2008 06:53 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 07:34 AM]
"RunSpySweeperScheduleAtStartup"="C:\Windows\system32\msfeedssync.exe" [11/02/2006 04:45 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\Windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
"C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXDDCATS]
rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
AutoRun\command- M:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72252d4f-13ed-11dd-a437-0016171b32cd}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73b817c8-34dd-11dd-9fe8-806e6f6e6963}]
AutoRun\command- E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-07-10 20:36:05 ------------
People do dumb things. And I'm not talking about paying too much for car insurance either.

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,697 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:56 PM

Posted 11 July 2008 - 02:29 PM

Hi, elmongo2 :thumbsup:

All seems clear. Follow these steps to uninstall Combofix and the tools used in the removal of malware:
  • Click START then RUN
  • Now type Combofix /u in the search line and hit CTRL+SHIFT+ENTER. Note the space between the X and the U; it needs to be there.
Reset and re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes from changing them. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

To turn off Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Place a checkmark in the box for any drive you wish to enable System Restore on
7. Click OK

Best wishes!

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
