Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Nasty, Nasty Computer


  • This topic is locked This topic is locked
12 replies to this topic

#1 SineQuaNon

SineQuaNon

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 10 July 2008 - 03:36 PM

Returning visitor here in need of help.

A co-worker has just given me her computer in the hopes that I can rid it of a major spyware problem. In a week's time, though, I've yet to make any noticable progress whatsoever.

It's a rather macabre case if ever I've seen one. AntiSpy Spider is the most obtrusive of the problems, causing popups ever few minutes. I noticed OuterInfo in the Add/Remove Programs list, but it's linked to the online uninstaller, which brings me to the next point.

I can't, for the life of me, get an internet connection up. I'm fairly certain that the problem there lies with the spyware as well, which is why I'm having to use another computer to help. And to boot, I can't even get the Task Manager up (also associated with the infections, I believe). In any case, here are the necessary logs:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-10 13:39:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
27: 2008-07-10 19:40:00 UTC - RP250 - Deckard's System Scanner Restore Point
26: 2008-06-06 02:00:59 UTC - RP249 - Last known good configuration
25: 2008-06-06 02:00:49 UTC - RP248 - Restore Operation
24: 2008-06-06 02:00:48 UTC - RP247 - Last known good configuration
23: 2008-06-06 02:00:48 UTC - RP246 - Restore Operation


-- First Restore Point --
1: 2008-06-06 02:00:44 UTC - RP224 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:47 PM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\b2new.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Support.com\bin\jobcheck.exe
C:\Program Files\Support.com\bin\jobcheck.exe
C:\Program Files\Support.com\bin\tgshell.exe
C:\Program Files\Support.com\bin\tgshell.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe
C:\Program Files\Support.com\Qwest\QuickCare.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: {a5bb3fdb-e327-334b-1d74-03fe1e0aaa57} - {75aaa0e1-ef30-47d1-b433-723ebdf3bb5a} - C:\WINDOWS\system32\haquma.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8334B247-C961-4907-B005-B3FB1ACCE1AF} - C:\WINDOWS\system32\urqrsQig.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\fccawVNg.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [BMd38e5e17] Rundll32.exe "C:\WINDOWS\system32\nppgrfxl.dll",s
O4 - HKLM\..\Run: [d0bd6d8b] rundll32.exe "C:\WINDOWS\system32\rtadwhck.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [A00F116464.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F116464.exe
O4 - HKCU\..\Run: [A00F9423D.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F9423D.exe
O4 - HKCU\..\Run: [A00FC9669.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00FC9669.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189007776402
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189007752482
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-tri...mesLauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hprec.intranet
O17 - HKLM\Software\..\Telephony: DomainName = hprec.intranet
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hprec.intranet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hprec.intranet
O20 - Winlogon Notify: fccawVNg - C:\WINDOWS\SYSTEM32\fccawVNg.dll
O20 - Winlogon Notify: __c00F80CB - C:\WINDOWS\system32\__c00F80CB.dat
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe

--
End of file - 12397 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 FSFW (F-Secure Firewall Driver) - c:\windows\system32\drivers\fsdfw.sys <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 F-Secure Filter (F-Secure File System Filter) - c:\program files\f-secure\anti-virus\win2k\fsfilter.sys
R2 F-Secure Gatekeeper - c:\program files\f-secure\anti-virus\win2k\fsgk.sys
R2 F-Secure Recognizer (F-Secure File System Recognizer) - c:\program files\f-secure\anti-virus\win2k\fsrec.sys

S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 BackWeb Plug-in - 7681197 (F-Secure Automatic Update) - c:\progra~1\f-secure\backweb\7681197\program\servic~1.exe <Not Verified; F-Secure Automatic Update; RunnerEXE Application>
R2 fsbwsys - "c:\program files\f-secure\backweb\7681197\program\fsbwsys.exe" <Not Verified; F-Secure Corp.; F-Secure BackWeb>
R2 F-Secure Gatekeeper Handler Starter (FSGKHS) - "c:\program files\f-secure\anti-virus\fsgk32st.exe" <Not Verified; F-Secure Corp.; F-Secure Corp. Startup service>
R2 FSMA (F-Secure Management Agent) - "c:\program files\f-secure\common\fsma32.exe" <Not Verified; F-Secure Corporation; F-Secure Management Agent>
R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\b2new.exe service
R3 F-Secure Network Request Broker - "c:\program files\f-secure\common\fnrb32.exe" <Not Verified; F-Secure Corporation; F-Secure Management Agent>

S3 FSDFWD (F-Secure Anti-Virus Firewall Daemon) - "c:\program files\f-secure\fwes\program\fsdfwd.exe" <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
S3 KodakCCS (Kodak Camera Connection Software) - c:\windows\system32\drivers\kodakccs.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_1002&DEV_5A62&SUBSYS_FF311179&REV_00\4&2C0D4F31&0&2808
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_1002&DEV_5A62&SUBSYS_FF311179&REV_00\4&2C0D4F31&0&2808
Service:

Class GUID:
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_FF311179&REV_02\3&13C0B0C5&0&A6
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_FF311179&REV_02\3&13C0B0C5&0&A6
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-27 11:51:00 364 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-07-10 13:38:48 105232 --a------ C:\WINDOWS\system32\haquma.dll
2008-07-10 13:38:47 105232 --a------ C:\WINDOWS\system32\fbcancyi.dll
2008-07-10 13:38:47 24576 --a------ C:\WINDOWS\system32\__c006E8F2.dat
2008-07-10 13:38:45 37888 --a------ C:\WINDOWS\system32\yoiihxjk.exe
2008-07-10 13:38:23 0 d-------- C:\Program Files\Trend Micro
2008-07-10 13:37:03 81120 --a------ C:\WINDOWS\system32\rtadwhck.dll
2008-07-10 13:36:50 90912 --a------ C:\WINDOWS\system32\nppgrfxl.dll
2008-07-10 13:35:10 24576 --a------ C:\WINDOWS\system32\__c005BE40.dat
2008-07-10 13:35:05 37888 --a------ C:\WINDOWS\system32\augsbaxn.exe
2008-07-10 13:32:20 81120 -----n--- C:\WINDOWS\system32\uibvjvfl.dll
2008-07-10 13:32:04 90912 --a------ C:\WINDOWS\system32\jjoeklsl.dll
2008-06-27 11:45:00 85024 -----n--- C:\WINDOWS\system32\mrkagipe.dll
2008-06-27 11:44:59 24576 --a------ C:\WINDOWS\system32\__c00A98BA.dat
2008-06-27 11:44:51 37888 --a------ C:\WINDOWS\system32\ycispafb.exe
2008-06-27 11:42:11 105904 --a------ C:\WINDOWS\system32\bzstym.dll
2008-06-27 11:41:50 105904 --a------ C:\WINDOWS\system32\hjhgxpgv.dll
2008-06-27 11:39:43 90528 --a------ C:\WINDOWS\system32\isnyfsqr.dll
2008-06-27 11:37:59 314832 -----n--- C:\WINDOWS\system32\urqQklIX.dll
2008-06-27 11:01:33 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-27 10:56:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-06-27 10:46:00 57 --a------ C:\xcrashdump.dat
2008-06-27 10:42:40 24576 --a------ C:\WINDOWS\system32\__c00F80CB.dat
2008-06-27 10:42:29 37888 --a------ C:\WINDOWS\system32\pevrashl.exe
2008-06-27 10:40:11 105856 --a------ C:\WINDOWS\system32\ozdukv.dll
2008-06-27 10:39:55 105856 --a------ C:\WINDOWS\system32\yweqifax.dll
2008-06-27 10:39:28 91536 --a------ C:\WINDOWS\system32\rqlypvlu.dll
2008-06-27 10:37:46 105856 --a------ C:\WINDOWS\system32\hvdmiv.dll
2008-06-27 10:37:34 105856 --a------ C:\WINDOWS\system32\cyrhyktq.dll
2008-06-27 10:37:11 91536 --a------ C:\WINDOWS\system32\msuncvcl.dll
2008-06-27 10:34:34 91536 --a------ C:\WINDOWS\system32\heflkacv.dll


-- Find3M Report ---------------------------------------------------------------

2008-07-10 13:42:01 703003 --ahs---- C:\WINDOWS\system32\giQsrqru.ini2
2008-07-10 13:37:24 204899 --a------ C:\logfile
2008-06-05 19:44:14 24576 --a------ C:\WINDOWS\system32\__c00FE0C4.dat
2008-06-05 19:40:24 24576 --a------ C:\WINDOWS\stcloader.exe
2008-06-05 19:40:23 26112 --a------ C:\WINDOWS\voiceip.dll
2008-06-05 19:40:22 18432 --a------ C:\WINDOWS\swin32.dll
2008-06-05 19:40:22 26880 --a------ C:\WINDOWS\cdsm32.dll
2008-06-05 19:40:21 30720 --a------ C:\WINDOWS\bokja.exe
2008-06-05 19:40:19 25600 --a------ C:\WINDOWS\mssvr.exe
2008-06-05 19:40:19 12288 --a------ C:\WINDOWS\mspphe.dll
2008-06-05 19:40:19 22784 --a------ C:\WINDOWS\bjam.dll
2008-06-05 19:40:18 25344 --a------ C:\WINDOWS\2020search2.dll
2008-06-05 19:40:18 14592 --a------ C:\WINDOWS\2020search.dll
2008-06-05 19:40:10 31488 --a------ C:\WINDOWS\saiemod.dll
2008-06-05 19:40:09 14336 --a------ C:\WINDOWS\msapasrc.dll
2008-06-05 19:40:09 11008 --a------ C:\WINDOWS\msa64chk.dll
2008-06-05 19:40:06 29184 --a------ C:\WINDOWS\shdocpl.dll
2008-06-05 19:40:05 16640 --a------ C:\WINDOWS\ntnut.exe
2008-06-05 19:40:04 28928 --a------ C:\WINDOWS\shdocpe.dll
2008-06-05 19:40:02 26112 --a------ C:\WINDOWS\winsb.dll
2008-06-05 19:40:01 15104 --a------ C:\WINDOWS\browserad.dll
2008-06-05 19:40:01 9984 --a------ C:\WINDOWS\aviwrap32.dll
2008-06-05 19:40:01 18944 --a------ C:\WINDOWS\avisynthex32.dll
2008-06-05 19:40:01 11520 --a------ C:\WINDOWS\avifile32.dll
2008-06-05 19:40:00 23808 --a------ C:\WINDOWS\autodisc32.dll
2008-06-05 19:40:00 21504 --a------ C:\WINDOWS\audiosrv32.dll
2008-06-05 19:40:00 25344 --a------ C:\WINDOWS\ati2dvag32.dll
2008-06-05 19:39:59 21248 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-06-05 19:39:59 13568 --a------ C:\WINDOWS\athprxy32.dll
2008-06-05 19:39:59 29696 --a------ C:\WINDOWS\asycfilt32.dll
2008-06-05 19:39:58 17408 --a------ C:\WINDOWS\changeurl_30.dll
2008-06-05 19:39:58 18176 --a------ C:\WINDOWS\asferror32.dll
2008-06-05 19:39:58 12800 --a------ C:\WINDOWS\apphelp32.dll
2008-06-05 19:35:44 0 d-------- C:\Program Files\F-Secure
2008-06-05 19:35:30 0 d-------- C:\Program Files\Common Files
2008-06-05 19:34:18 6830 --ahs---- C:\WINDOWS\system32\hkmVCJlm.ini2
2008-05-10 11:10:01 316480 --a------ C:\WINDOWS\system32\urqrsQig.dll
2008-05-10 11:06:15 37376 --a------ C:\WINDOWS\mrofinu72.exe
2008-05-10 11:06:07 32768 --a------ C:\WINDOWS\system32\sockins32.dll <Not Verified; ThinkPad; ThinkPad repl>
2008-05-10 11:05:40 0 d-------- C:\Program Files\webHancer
2008-05-10 11:05:35 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-05-10 11:05:24 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-10 11:04:47 25728 --a------ C:\WINDOWS\system32\fccawVNg.dll
2008-05-10 11:04:38 91563 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-05-10 11:04:38 91563 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-05-10 11:04:11 25600 --a------ C:\WINDOWS\b2new.exe
2008-05-09 12:10:08 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-05-09 11:10:10 229514 --a------ C:\WINDOWS\system32\000080.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75aaa0e1-ef30-47d1-b433-723ebdf3bb5a}]
07/10/2008 01:38 PM 105232 --a------ C:\WINDOWS\system32\haquma.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8334B247-C961-4907-B005-B3FB1ACCE1AF}]
05/10/2008 11:10 AM 316480 --a------ C:\WINDOWS\system32\urqrsQig.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
05/10/2008 11:04 AM 25728 --a------ C:\WINDOWS\system32\fccawVNg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}]
10/11/2007 01:49 PM 159744 --a------ C:\Program Files\webHancer\programs\whiehlpr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [10/25/2005 07:51 PM]
"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [05/27/2004 02:57 AM]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/18/2005 11:33 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"webHancer Agent"="C:\Program Files\webHancer\Programs\whagent.exe" [10/11/2007 01:49 PM]
"runner1"="C:\WINDOWS\mrofinu72.exe" [05/10/2008 11:06 AM]
"BMd38e5e17"="C:\WINDOWS\system32\nppgrfxl.dll" [07/10/2008 01:36 PM]
"d0bd6d8b"="C:\WINDOWS\system32\rtadwhck.dll" [07/10/2008 01:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/08/2008 08:26 PM]
"A00F116464.exe"="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F116464.exe" []
"A00F9423D.exe"="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F9423D.exe" []
"A00FC9669.exe"="C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00FC9669.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 2:19:50 AM]
F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [3/28/2006 2:08:45 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2/20/2007 6:10:26 AM]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 3:12:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\fccawVNg.dll [05/10/2008 11:04 AM 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccawVNg]
fccawVNg.dll 05/10/2008 11:04 AM 25728 C:\WINDOWS\system32\fccawVNg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F80CB]
C:\WINDOWS\system32\__c00F80CB.dat 06/27/2008 10:43 AM 24576 C:\WINDOWS\system32\__c00F80CB.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqrsQig

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule



-- End of Deckard's System Scanner: finished at 2008-07-10 13:44:56 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1.50GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 446.17 MiB / 150.45 MiB
Pagefile Memory (total/avail): 672.69 MiB / 210.66 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.88 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 24.86 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - TOSHIBA MK4026GAX - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:

\\.\PHYSICALDRIVE1 - OTi Flash Disk USB Device - 243.17 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 249.98 MiB - E:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FW: F-Secure Anti-Virus Client Security 6.01 v6.01 (F-Secure Corporation)
AV: F-Secure Anti-Virus Client Security 6.01 v6.01 (F-Secure Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"="C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe:*:Enabled:F-Secure Automatic Update"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"="C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe:*:Enabled:F-Secure Automatic Update"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LP-LGONZALES
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\LP-LGONZALES
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=LP-LGONZALES
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HPREC (admin)
Administrator (admin)
lgonzales (admin)
mjohnson (new local, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware Scanner"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Spyware"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus Client Security Installer"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure DAAS"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Diagnostics"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure FWES"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure GUI"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Help"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Management Agent"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Policy Manager Support"
--> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure TNB"
--> C:\WINDOWS\BWUnin-6.3.2.116-7681197L.exe -AppId 7681197
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Actiontec Gateway/Router --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4D490D0-CF24-47AB-B8B3-BE19366D80C8}\setup.exe" -l0x9
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Atheros Client Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}\setup.exe" -l0x9
Atheros Wireless LAN MiniPCI card Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}\Setup.exe" -l0x9
Avanquest update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\setup.exe" -l0x9 -removeonly
Burger Island (remove only) --> "C:\Program Files\AOL Games\Burger Island\Uninstall.exe"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -ItosEW6a.INF
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
F-Secure Anti-Virus Client Security - Automatic Update Agent --> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Backweb"
F-Secure Anti-Virus Client Security - E-Mail Scanning --> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure E-mail Scanning"
F-Secure Anti-Virus Client Security - Internet Shield --> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Internet Shield"
F-Secure Anti-Virus Client Security - Virus & Spy Protection --> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Anti-Virus"
F-Secure Anti-Virus Client Security - Web Traffic Scanning --> "C:\Program Files\F-Secure\fsuninst.exe" /UninstRegKey:"F-Secure Protocol Scanner"
fflink --> MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Imikimi Plugin --> "C:\Program Files\Imikimi\uninstall.exe"
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_190001_1de3dee\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
LimeWire 4.16.7 --> "C:\Documents and Settings\lgonzales\My Documents\My Received Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Outlook Connector --> MsiExec.exe /I{60435DF6-41D7-49D5-9C3B-1383439E195D}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Picture It! Express 9 --> C:\WINDOWS\system32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0900}
Microsoft Picture It! Library 9 --> C:\WINDOWS\system32\msiexec.exe /i {9F7FC79B-3059-4264-9450-39EB368E3220}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Encarta Plus Support Files --> MsiExec.exe /I{00000000-785F-478A-BAA2-87F1A136068C}
MSXML 6.0 Parser --> MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
MyDSC2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83D96ED0-98AA-4515-8DDC-816F3EFDD104}\Setup.exe" -l0x9
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
Outerinfo --> "C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe"
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Qwest QuickCare --> "C:\Program Files\Support.com\Qwest\Uninstall.exe" /c "Are you sure you want to remove QuickCare?"
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
tooltips --> MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
webHancer Customer Companion --> C:\Program Files\webHancer\Programs\whInstaller.exe -uninstall
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Live Toolbar --> C:\Program Files\Windows Live Toolbar\UnInstall.exe {73B1C023-4490-4A57-A7E1-F20268ECBE52}
Windows Live Toolbar --> MsiExec.exe /X{73B1C023-4490-4A57-A7E1-F20268ECBE52}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type6098 / Error
Event Submitted/Written: 07/10/2008 01:31:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application fsdfwd.exe, version 6.2.540.0, faulting module msvcrt.dll, version 7.0.2600.2180, fault address 0x00021c85.
Processing media-specific event for [fsdfwd.exe!ws!]

Event Record #/Type6097 / Error
Event Submitted/Written: 07/10/2008 01:29:43 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Event Record #/Type6095 / Error
Event Submitted/Written: 07/10/2008 01:27:52 PM / 07/10/2008 01:27:58 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007271d). An attempt was made to access a socket in a way forbidden by its access permissions.
Enrollment will not be performed.

Event Record #/Type6092 / Error
Event Submitted/Written: 07/10/2008 01:26:31 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (An attempt was made to access a socket in a way forbidden by its access permissions. ). Group Policy processing aborted.

Event Record #/Type6090 / Error
Event Submitted/Written: 06/27/2008 11:33:38 AM
Event ID/Source: 1004 / Application Error
Event Description:
Faulting application fsdfwd.exe, version 6.2.540.0, faulting module msvcrt.dll, version 7.0.2600.2180, fault address 0x00021c85.
Error in creating result PEAP-TLV in response to received PEAP-TLV (fsdfwd.exe!ld!)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11555 / Error
Event Submitted/Written: 07/10/2008 01:42:48 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Event Record #/Type11554 / Error
Event Submitted/Written: 07/10/2008 01:35:23 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The F-Secure Anti-Virus Firewall Daemon service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type11552 / Error
Event Submitted/Written: 07/10/2008 01:31:26 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The F-Secure Anti-Virus Firewall Daemon service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type11533 / Error
Event Submitted/Written: 07/10/2008 01:27:46 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type11532 / Error
Event Submitted/Written: 07/10/2008 01:27:42 PM / 07/10/2008 01:27:43 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-07-10 13:44:56 ------------


Any help would be greatly appreciated. Thank you.

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 11 July 2008 - 12:27 AM

Hi,

A question first....

A co-worker has just given me her computer in the hopes that I can rid it of a major spyware problem. In a week's time, though, I've yet to make any noticable progress whatsoever.

Is above computer used for work?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SineQuaNon

SineQuaNon
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 14 July 2008 - 02:25 PM

Hello.

Is above computer used for work?


Not so much. Microsoft Office documents mostly, as well as internet access to the company's website. It is not, however, her primary work computer, and instead, her daughter uses it the most. Games and like, she says.

By the by, I apologize for the lateness of my response. I've only just returned from out of town.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 14 July 2008 - 02:59 PM

Not so much.

So I assume it's being used for work as well. In that case... There are a few things that need attention first before we proceed with this..

* You must inform your Supervisor immediately.

This because of:
  • Most company machines are connected into a network at some time or other, and your infection may compromise the security of that network.
  • If sensitive material is compromised by an infection, your company could be held liable.
* Your Company must give permission for us to give you assistance.

This because of:
  • We are not here to replace your company's IT Department. If there's an IT Department, then they are responsible to deal with this.
  • There may be sensitive material on your computer that your company would not want revealed in an open forum.
Also, since this is a computer used at work - the first thing I always advise is to back up important files you don't want to lose, this since malware causes a system unstable and it may happen that it suddenly won't boot anymore, because of the damage already present.

Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SineQuaNon

SineQuaNon
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 14 July 2008 - 04:10 PM

Well, all managerial tasks have been taken care, and permission has been extended. No important documents have been left on the computer (or rather, none were there to begin with), and the unimportant ones have all previously been backed up. I suppose everything's ready to proceed...

However...

I'm having a bit of trouble getting the Recovery Console onto the machine. The procedure to using the drag-n-drop method on ComboFix doesn't seem to be working, for whatever reason. In any case, I'll have to talk with a colleague tomorrow, so I can get the Windows XP disk. Will update tomorrow.

Thank you for your help.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 15 July 2008 - 02:42 AM

Ok, I'll read you later. :thumbsup:

Don't expect miracles here, because this computer is severly infected - so we can only hope that the malware didn't cause too much damage already.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SineQuaNon

SineQuaNon
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 15 July 2008 - 03:30 PM

I'm certainly not expecting a full recovery (or for that matter, much of a partial recovery), and I don't think the owner is either. But I suppose it's worth a shot...

Recovery Console installed and scans ran.


ComboFix 08-07-14.2 - Administrator 2008-07-15 13:57:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.118 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\lgonzales\Application Data\SpamBlocker
C:\Documents and Settings\lgonzales\Application Data\SpamBlockerUtility_Icons
C:\Documents and Settings\lgonzales\Application Data\SpamBlockerUtility_Icons\Registryrepair.ico
C:\Documents and Settings\lgonzales\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
C:\Documents and Settings\lgonzales\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
C:\Documents and Settings\lgonzales\Start Menu\Programs\Outerinfo
C:\Documents and Settings\lgonzales\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\lgonzales\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Hotbar
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\webhdll.dll.bak.bak
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\temp\iee
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\b2new.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\BMd38e5e17.txt
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\homepage.html
C:\WINDOWS\index.html
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\promo1.html
C:\WINDOWS\promo2.html
C:\WINDOWS\promo3.html
C:\WINDOWS\promo4.html
C:\WINDOWS\promo5.html
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\promogif3.gif
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\adult.txt
C:\WINDOWS\system32\bzstym.dll
C:\WINDOWS\system32\cyrhyktq.dll
C:\WINDOWS\system32\fbcancyi.dll
C:\WINDOWS\system32\fccawVNg.dll
C:\WINDOWS\system32\finance.txt
C:\WINDOWS\system32\giQsrqru.ini
C:\WINDOWS\system32\giQsrqru.ini2
C:\WINDOWS\system32\haquma.dll
C:\WINDOWS\system32\heflkacv.dll
C:\WINDOWS\system32\hjhgxpgv.dll
C:\WINDOWS\system32\hkmVCJlm.ini2
C:\WINDOWS\system32\hvdmiv.dll
C:\WINDOWS\system32\isnyfsqr.dll
C:\WINDOWS\system32\jjoeklsl.dll
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msuncvcl.dll
C:\WINDOWS\system32\nppgrfxl.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\O02PREZ1065.0XE
C:\WINDOWS\system32\other.txt
C:\WINDOWS\system32\ozdukv.dll
C:\WINDOWS\system32\pharma.txt
C:\WINDOWS\system32\rqlypvlu.dll
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\sn.txt
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\system32\urqrsQig.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\yweqifax.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://hprecsvr01
hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-14 14:13 . 1980-08-16 18:00 24,576 --a------ C:\WINDOWS\system32\__c007A110.dat
2008-07-14 14:12 . 2008-07-14 14:12 81,168 --a------ C:\WINDOWS\system32\bflthxes.dll
2008-07-14 14:12 . 2008-07-14 14:12 37,888 --a------ C:\WINDOWS\system32\coebjctj.exe
2008-07-14 14:12 . 2008-07-15 14:09 1,186 ---hs---- C:\WINDOWS\system32\sexhtlfb.ini
2008-07-14 14:10 . 2008-07-14 14:10 105,264 --a------ C:\WINDOWS\system32\zfxwem.dll
2008-07-14 14:10 . 2008-07-14 14:10 105,264 --a------ C:\WINDOWS\system32\jtwdarbs.dll
2008-07-14 14:10 . 2008-07-14 14:10 90,944 --a------ C:\WINDOWS\system32\mtvakeou.dll
2008-07-14 13:22 . 2008-07-14 14:07 534 --ahs---- C:\WINDOWS\system32\htwanwhf.ini
2008-07-14 13:19 . 2008-07-14 13:19 105,264 --a------ C:\WINDOWS\system32\ynsasi.dll
2008-07-14 13:19 . 2008-07-14 13:19 105,264 --a------ C:\WINDOWS\system32\wssjwghb.dll
2008-07-14 13:17 . 2008-07-14 13:17 90,944 --a------ C:\WINDOWS\system32\qhvrqsep.dll
2008-07-10 13:39 . 2008-07-10 13:39 <DIR> d-------- C:\Deckard
2008-07-10 13:38 . 2008-07-10 13:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 13:38 . 2008-07-10 13:38 37,888 --a------ C:\WINDOWS\system32\yoiihxjk.exe
2008-07-10 13:38 . 1980-08-16 18:00 24,576 --a------ C:\WINDOWS\system32\__c006E8F2.dat
2008-07-10 13:37 . 2008-07-14 13:13 414 --ahs---- C:\WINDOWS\system32\kchwdatr.ini
2008-07-10 13:35 . 2008-07-10 13:35 37,888 --a------ C:\WINDOWS\system32\augsbaxn.exe
2008-07-10 13:35 . 1980-08-16 18:00 24,576 --a------ C:\WINDOWS\system32\__c005BE40.dat
2008-07-10 13:32 . 2008-07-10 13:32 294 --ahs---- C:\WINDOWS\system32\lfvjvbiu.ini
2008-06-27 11:45 . 2008-07-10 13:26 1,006 --ahs---- C:\WINDOWS\system32\epigakrm.ini
2008-06-27 11:44 . 2008-06-27 11:44 37,888 --a------ C:\WINDOWS\system32\ycispafb.exe
2008-06-27 11:44 . 1980-08-16 18:00 24,576 --a------ C:\WINDOWS\system32\__c00A98BA.dat
2008-06-27 11:01 . 2008-06-27 11:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-27 10:43 . 2008-06-27 11:33 886 --ahs---- C:\WINDOWS\system32\yvwyjgua.ini
2008-06-27 10:42 . 2008-06-27 10:42 37,888 --a------ C:\WINDOWS\system32\pevrashl.exe
2008-06-27 10:42 . 2008-07-14 14:17 24,576 --a------ C:\WINDOWS\system32\__c00F80CB.dat
2008-06-27 10:37 . 2008-06-27 10:37 354 --ahs---- C:\WINDOWS\system32\vmoelnsb.ini
2008-06-27 10:35 . 2008-06-27 10:35 294 --ahs---- C:\WINDOWS\system32\ovmsoahs.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 01:35 --------- d-----w C:\Program Files\F-Secure
2008-06-06 01:35 --------- d-----w C:\Documents and Settings\lgonzales\Application Data\U3
2008-05-10 17:06 37,376 ----a-w C:\WINDOWS\mrofinu72.exe
2008-05-10 17:05 41,724 --sh--w C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-09 18:10 187,904 --sh--w C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2007-12-13 15:12 91,728 ----a-w C:\Documents and Settings\lgonzales\mqdmmdm.sys
2007-12-13 15:12 9,456 ----a-w C:\Documents and Settings\lgonzales\mqdmmdfl.sys
2007-12-13 15:12 78,992 ----a-w C:\Documents and Settings\lgonzales\mqdmserd.sys
2007-12-13 15:12 66,640 ----a-w C:\Documents and Settings\lgonzales\mqdmbus.sys
2007-12-13 15:12 6,240 ----a-w C:\Documents and Settings\lgonzales\mqdmcmnt.sys
2007-12-13 15:12 5,968 ----a-w C:\Documents and Settings\lgonzales\mqdmwhnt.sys
2007-12-13 15:12 4,080 ----a-w C:\Documents and Settings\lgonzales\mqdmcr.sys
2007-12-13 15:12 25,600 ----a-w C:\Documents and Settings\lgonzales\usbsermptxp.sys
2007-12-13 15:12 22,768 ----a-w C:\Documents and Settings\lgonzales\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2c1c9dd0-a067-413a-b86c-1897a0e5e30e}]
2008-07-14 14:10 105264 --a------ C:\WINDOWS\system32\zfxwem.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 20:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2005-10-25 19:51 122929]
"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 02:57 684032]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-18 23:33 1851392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"d0bd6d8b"="C:\WINDOWS\system32\bflthxes.dll" [2008-07-14 14:12 81168]
"BMd38e5e17"="C:\WINDOWS\system32\mtvakeou.dll" [2008-07-14 14:10 90944]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2006-03-28 14:08:45 32807]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 06:10:26 282624]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F80CB]
2008-07-14 14:17 24576 C:\WINDOWS\system32\__c00F80CB.dat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-10-31 04:01]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2006-03-28 14:08]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2005-08-19 07:37]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-10-06 08:30]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2005-08-19 07:37]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 19:51:11 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
- - - - ORPHANS REMOVED - - - -

Notify-AtiExtEvent - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 14:11:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\BMd38e5e17.txt 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\__c00F80CB.dat

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\bflthxes.dll
-> C:\WINDOWS\system32\mtvakeou.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\common\FSMA32.EXE
C:\Program Files\F-Secure\common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure\common\FCH32.EXE
C:\Program Files\F-Secure\common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\FSRW.exe
C:\Program Files\F-Secure\Anti-Virus\FSAV32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\common\FNRB32.exe
C:\Program Files\F-Secure\common\FIH32.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-15 14:16:19 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-07-15 20:15:53

Pre-Run: 26,594,996,224 bytes free
Post-Run: 27,728,543,744 bytes free

271 --- E O F --- 2007-09-05 17:20:29

=========================================================



Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-15 14:18:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:16 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
O2 - BHO: {e03e5e0a-7981-c68b-a314-760a0dd9c1c2} - {2c1c9dd0-a067-413a-b86c-1897a0e5e30e} - C:\WINDOWS\system32\zfxwem.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d0bd6d8b] rundll32.exe "C:\WINDOWS\system32\bflthxes.dll",b
O4 - HKLM\..\Run: [BMd38e5e17] Rundll32.exe "C:\WINDOWS\system32\mtvakeou.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189007776402
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189007752482
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-tri...mesLauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hprec.intranet
O17 - HKLM\Software\..\Telephony: DomainName = hprec.intranet
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hprec.intranet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hprec.intranet
O20 - Winlogon Notify: __c00F80CB - C:\WINDOWS\system32\__c00F80CB.dat
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

--
End of file - 9426 bytes

-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 13:50:23 0 dr-hs---- C:\cmdcons
2008-07-15 13:50:19 0 d-------- C:\WINDOWS\setup.pss
2008-07-15 13:30:33 68096 --a------ C:\WINDOWS\zip.exe
2008-07-15 13:30:33 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-15 13:30:33 98816 --a------ C:\WINDOWS\sed.exe
2008-07-15 13:30:33 80412 --a------ C:\WINDOWS\grep.exe
2008-07-15 13:30:32 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-15 13:30:32 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-15 13:30:32 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-15 13:30:32 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-14 14:13:08 24576 --a------ C:\WINDOWS\system32\__c007A110.dat
2008-07-14 14:12:51 81168 --a------ C:\WINDOWS\system32\bflthxes.dll
2008-07-14 14:12:46 37888 --a------ C:\WINDOWS\system32\coebjctj.exe
2008-07-14 14:10:34 105264 --a------ C:\WINDOWS\system32\zfxwem.dll
2008-07-14 14:10:33 105264 --a------ C:\WINDOWS\system32\jtwdarbs.dll
2008-07-14 14:10:23 90944 --a------ C:\WINDOWS\system32\mtvakeou.dll
2008-07-14 13:19:49 105264 --a------ C:\WINDOWS\system32\ynsasi.dll
2008-07-14 13:19:48 105264 --a------ C:\WINDOWS\system32\wssjwghb.dll
2008-07-14 13:17:52 90944 --a------ C:\WINDOWS\system32\qhvrqsep.dll
2008-07-10 13:38:47 24576 --a------ C:\WINDOWS\system32\__c006E8F2.dat
2008-07-10 13:38:45 37888 --a------ C:\WINDOWS\system32\yoiihxjk.exe
2008-07-10 13:38:23 0 d-------- C:\Program Files\Trend Micro
2008-07-10 13:35:10 24576 --a------ C:\WINDOWS\system32\__c005BE40.dat
2008-07-10 13:35:05 37888 --a------ C:\WINDOWS\system32\augsbaxn.exe
2008-06-27 11:44:59 24576 --a------ C:\WINDOWS\system32\__c00A98BA.dat
2008-06-27 11:44:51 37888 --a------ C:\WINDOWS\system32\ycispafb.exe
2008-06-27 11:01:33 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-27 10:56:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-06-27 10:42:40 24576 --a------ C:\WINDOWS\system32\__c00F80CB.dat
2008-06-27 10:42:29 37888 --a------ C:\WINDOWS\system32\pevrashl.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-15 14:14:21 209775 --a------ C:\logfile
2008-06-05 19:44:14 24576 --a------ C:\WINDOWS\system32\__c00FE0C4.dat
2008-06-05 19:35:44 0 d-------- C:\Program Files\F-Secure
2008-06-05 19:35:30 0 d-------- C:\Program Files\Common Files
2008-05-10 11:06:15 37376 --a------ C:\WINDOWS\mrofinu72.exe
2008-05-10 11:05:24 41724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-05-09 12:10:08 187904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2c1c9dd0-a067-413a-b86c-1897a0e5e30e}]
07/14/2008 02:10 PM 105264 --a------ C:\WINDOWS\system32\zfxwem.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [10/25/2005 07:51 PM]
"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [05/27/2004 02:57 AM]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/18/2005 11:33 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]
"d0bd6d8b"="C:\WINDOWS\system32\bflthxes.dll" [07/14/2008 02:12 PM]
"BMd38e5e17"="C:\WINDOWS\system32\mtvakeou.dll" [07/14/2008 02:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/08/2008 08:26 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 2:19:50 AM]
F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [3/28/2006 2:08:45 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2/20/2007 6:10:26 AM]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 3:12:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F80CB]
C:\WINDOWS\system32\__c00F80CB.dat 07/14/2008 02:17 PM 24576 C:\WINDOWS\system32\__c00F80CB.dat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-15 14:18:44 ------------

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 16 July 2008 - 01:40 AM

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\BMd38e5e17.txt
C:\WINDOWS\system32\__c007A110.dat
C:\WINDOWS\system32\bflthxes.dll
C:\WINDOWS\system32\coebjctj.exe
C:\WINDOWS\system32\sexhtlfb.ini
C:\WINDOWS\system32\zfxwem.dll
C:\WINDOWS\system32\jtwdarbs.dll
C:\WINDOWS\system32\mtvakeou.dll
C:\WINDOWS\system32\htwanwhf.ini
C:\WINDOWS\system32\ynsasi.dll
C:\WINDOWS\system32\wssjwghb.dll
C:\WINDOWS\system32\qhvrqsep.dll
C:\WINDOWS\system32\yoiihxjk.exe
C:\WINDOWS\system32\__c006E8F2.dat
C:\WINDOWS\system32\kchwdatr.ini
C:\WINDOWS\system32\augsbaxn.exe
C:\WINDOWS\system32\__c005BE40.dat
C:\WINDOWS\system32\lfvjvbiu.ini
C:\WINDOWS\system32\epigakrm.ini
C:\WINDOWS\system32\ycispafb.exe
C:\WINDOWS\system32\__c00A98BA.dat
C:\WINDOWS\system32\yvwyjgua.ini
C:\WINDOWS\system32\pevrashl.exe
C:\WINDOWS\system32\__c00F80CB.dat
C:\WINDOWS\system32\vmoelnsb.ini
C:\WINDOWS\system32\ovmsoahs.ini
C:\WINDOWS\mrofinu72.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2c1c9dd0-a067-413a-b86c-1897a0e5e30e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d0bd6d8b"=-
"BMd38e5e17"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F80CB]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SineQuaNon

SineQuaNon
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 16 July 2008 - 02:43 PM

Alrighty.

Posting new logs...


ComboFix 08-07-14.2 - Administrator 2008-07-16 13:18:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.146 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\BMd38e5e17.txt
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\__c005BE40.dat
C:\WINDOWS\system32\__c006E8F2.dat
C:\WINDOWS\system32\__c007A110.dat
C:\WINDOWS\system32\__c00A98BA.dat
C:\WINDOWS\system32\__c00F80CB.dat
C:\WINDOWS\system32\augsbaxn.exe
C:\WINDOWS\system32\bflthxes.dll
C:\WINDOWS\system32\coebjctj.exe
C:\WINDOWS\system32\epigakrm.ini
C:\WINDOWS\system32\htwanwhf.ini
C:\WINDOWS\system32\jtwdarbs.dll
C:\WINDOWS\system32\kchwdatr.ini
C:\WINDOWS\system32\lfvjvbiu.ini
C:\WINDOWS\system32\mtvakeou.dll
C:\WINDOWS\system32\ovmsoahs.ini
C:\WINDOWS\system32\pevrashl.exe
C:\WINDOWS\system32\qhvrqsep.dll
C:\WINDOWS\system32\sexhtlfb.ini
C:\WINDOWS\system32\vmoelnsb.ini
C:\WINDOWS\system32\wssjwghb.dll
C:\WINDOWS\system32\ycispafb.exe
C:\WINDOWS\system32\ynsasi.dll
C:\WINDOWS\system32\yoiihxjk.exe
C:\WINDOWS\system32\yvwyjgua.ini
C:\WINDOWS\system32\zfxwem.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\BMd38e5e17.txt
C:\WINDOWS\BMd38e5e17.xml
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\__c005BE40.dat
C:\WINDOWS\system32\__c006E8F2.dat
C:\WINDOWS\system32\__c007A110.dat
C:\WINDOWS\system32\__c00A98BA.dat
C:\WINDOWS\system32\__c00F80CB.dat
C:\WINDOWS\system32\augsbaxn.exe
C:\WINDOWS\system32\bflthxes.dll
C:\WINDOWS\system32\coebjctj.exe
C:\WINDOWS\system32\epigakrm.ini
C:\WINDOWS\system32\htwanwhf.ini
C:\WINDOWS\system32\jtwdarbs.dll
C:\WINDOWS\system32\kchwdatr.ini
C:\WINDOWS\system32\lfvjvbiu.ini
C:\WINDOWS\system32\mtvakeou.dll
C:\WINDOWS\system32\ovmsoahs.ini
C:\WINDOWS\system32\pevrashl.exe
C:\WINDOWS\system32\qhvrqsep.dll
C:\WINDOWS\system32\sexhtlfb.ini
C:\WINDOWS\system32\vmoelnsb.ini
C:\WINDOWS\system32\wssjwghb.dll
C:\WINDOWS\system32\ycispafb.exe
C:\WINDOWS\system32\ynsasi.dll
C:\WINDOWS\system32\yoiihxjk.exe
C:\WINDOWS\system32\yvwyjgua.ini
C:\WINDOWS\system32\zfxwem.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-07-10 13:39 . 2008-07-10 13:39 <DIR> d-------- C:\Deckard
2008-07-10 13:38 . 2008-07-10 13:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-27 11:01 . 2008-06-27 11:01 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 01:35 --------- d-----w C:\Program Files\F-Secure
2008-06-06 01:35 --------- d-----w C:\Documents and Settings\lgonzales\Application Data\U3
2007-12-13 15:12 91,728 ----a-w C:\Documents and Settings\lgonzales\mqdmmdm.sys
2007-12-13 15:12 9,456 ----a-w C:\Documents and Settings\lgonzales\mqdmmdfl.sys
2007-12-13 15:12 78,992 ----a-w C:\Documents and Settings\lgonzales\mqdmserd.sys
2007-12-13 15:12 66,640 ----a-w C:\Documents and Settings\lgonzales\mqdmbus.sys
2007-12-13 15:12 6,240 ----a-w C:\Documents and Settings\lgonzales\mqdmcmnt.sys
2007-12-13 15:12 5,968 ----a-w C:\Documents and Settings\lgonzales\mqdmwhnt.sys
2007-12-13 15:12 4,080 ----a-w C:\Documents and Settings\lgonzales\mqdmcr.sys
2007-12-13 15:12 25,600 ----a-w C:\Documents and Settings\lgonzales\usbsermptxp.sys
2007-12-13 15:12 22,768 ----a-w C:\Documents and Settings\lgonzales\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 20:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2005-10-25 19:51 122929]
"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [2004-05-27 02:57 684032]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-18 23:33 1851392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50 217193]
F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [2006-03-28 14:08:45 32807]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 06:10:26 282624]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\F-Secure\\BackWeb\\7681197\\program\\F-Secure Automatic Update.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2005-10-31 04:01]
R2 BackWeb Plug-in - 7681197;F-Secure Automatic Update;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2006-03-28 14:08]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2005-08-19 07:37]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2005-10-06 08:30]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2005-08-19 07:37]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 21:51:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 13:24:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32.exe
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure\common\FCH32.EXE
C:\Program Files\F-Secure\common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\FSRW.exe
C:\Program Files\F-Secure\Anti-Virus\FSAV32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\F-Secure\common\FNRB32.exe
C:\Program Files\F-Secure\common\FIH32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\FWES\program\fsdfwd.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-07-16 13:31:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-16 19:30:54
ComboFix2.txt 2008-07-15 20:16:21

Pre-Run: 28,652,822,528 bytes free
Post-Run: 28,638,175,232 bytes free

170 --- E O F --- 2007-09-05 17:20:29

========================================================

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-16 13:32:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:07 PM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\acs.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189007776402
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189007752482
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://aolsvc.aol.com/onlinegames/free-tri...mesLauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hprec.intranet
O17 - HKLM\Software\..\Telephony: DomainName = hprec.intranet
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hprec.intranet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hprec.intranet
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

--
End of file - 9033 bytes

-- Files created between 2008-06-16 and 2008-07-16 -----------------------------

2008-07-15 13:50:23 0 dr-hs---- C:\cmdcons
2008-07-15 13:50:19 0 d-------- C:\WINDOWS\setup.pss
2008-07-15 13:30:33 68096 --a------ C:\WINDOWS\zip.exe
2008-07-15 13:30:33 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-15 13:30:33 98816 --a------ C:\WINDOWS\sed.exe
2008-07-15 13:30:33 80412 --a------ C:\WINDOWS\grep.exe
2008-07-15 13:30:32 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-15 13:30:32 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-15 13:30:32 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-15 13:30:32 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-10 13:38:23 0 d-------- C:\Program Files\Trend Micro
2008-06-27 11:01:33 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-27 10:56:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2008-07-16 13:31:33 211629 --a------ C:\logfile
2008-07-16 13:19:25 0 d-------- C:\Program Files\Common Files
2008-06-05 19:44:14 24576 --a------ C:\WINDOWS\system32\__c00FE0C4.dat
2008-06-05 19:35:44 0 d-------- C:\Program Files\F-Secure


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [10/25/2005 07:51 PM]
"F-Secure TNB"="C:\Program Files\F-Secure\TNB\TNBUtil.exe" [05/27/2004 02:57 AM]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/18/2005 11:33 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/08/2008 08:26 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 2:19:50 AM]
F-Secure Automatic Update.lnk - C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe [3/28/2006 2:08:45 PM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2/20/2007 6:10:26 AM]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 3:12:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-16 13:33:28 ------------

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 16 July 2008 - 02:53 PM

Hi,

Much better, but we're not finished yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Not sure if you purchased F-Secure or if it's a trial.. This because, as I see from your log, you only have 447 MiB Physical Memory and that is way too low to run F-Secure properly on. Your system should be crawling. So in case you didn't purchase it, I suggest you uninstall F-Secure and install another Antivirus instead. Look in my signature below for the ones I recommend. Only install 1!

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SineQuaNon

SineQuaNon
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 16 July 2008 - 05:06 PM

Hello,

The F-Secure is an old version previously installed on some of the older computers around here. It is to be removed soon and replaced with Trend Micro in the near future.

Well, everything seems to be working excellently. No problems as far as I can tell. Looks great!

Thank you very much for your time.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 17 July 2008 - 01:12 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:38 AM

Posted 17 July 2008 - 04:17 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users