
"bad Image" Popups After Starting Outlook


  • This topic is locked
12 replies to this topic

#1 googly

  • Members
  • 6 posts
  • OFFLINE

Posted 21 July 2008 - 06:06 AM

Hi. Since yesterday, whenever I start MS Outlook, I get numerous popups which state the following: "(Application Name) - Bad Image 'The application or DLL f:\windows\system32\qyqcxzi.dll is not a valid Windows image. Please check this against your installation diskette.'"

While the application name varies in each popup (e.g. MsnMsgr.exe), the DLL file name (qyqcxzi.dll) remains the same. After I click OK to all the popups, Outlook works fine.

I have tried to repair and reinstall MS Office, but the problem still persists. I am running Windows XP (SP1 and SP2) and MS Office 2003. Please help. Thanks.




HijackThis logs are as follows:

Deckard's System Scanner v20071014.68
Run by arif obaid on 2008-07-21 15:44:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as arif obaid.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:46 PM, on 21/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\igfxtray.exe
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\ltmoh\Ltmoh.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\USBStorage\USBDetector.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\arif obaid\Desktop\dss.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\arif obaid.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6FA912D-1825-4CA2-A219-CDE47DB9819C} - F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp\dmA8.dll (file missing)
O2 - BHO: (no name) - {BEDFB95E-FFF6-4761-A700-BD4802533A21} - f:\windows\system32\yjwpicu.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] F:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelWireless] F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - https://www.apple.com/qtactivex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8A54765-37DB-4AB7-9448-1DD4346F3902}: NameServer = 203.81.204.23,203.81.204.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECCAFB14-1EE3-48FA-97E5-84D18B82E8B8}: NameServer = 203.130.2.3 203.130.2.4
O20 - Winlogon Notify: hgtqvfqm - F:\WINDOWS\SYSTEM32\yjwpicu.dll
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7008 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 gfjhzztk - f:\windows\system32\drivers\gfjhzztk.sys <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
R1 SAVRT - - (file missing)
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - f:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 s24trans (WLAN Transport) - f:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R4 SYMTDI - - (file missing)

S0 Wingo31 - f:\windows\system32\drivers\wingo31.sys (file missing)
S0 Winvd28 - f:\windows\system32\drivers\winvd28.sys (file missing)
S0 Winwe85 - f:\windows\system32\drivers\winwe85.sys (file missing)
S0 Winwf42 - f:\windows\system32\drivers\winwf42.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 OwnershipProtocol - f:\program files\intel\wireless\bin\oprotsvc.exe <Not Verified; Intel Corporation; Intel PROSet/Wireless>
R2 RegSrvc - f:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R4 ccEvtMgr (Symantec Event Manager) - - (file missing)

S4 SNDSrvc (Symantec Network Drivers Service) - - (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: PCI FLASH Memory
Device ID: PCI\VEN_1524&DEV_0530&SUBSYS_001214C0&REV_00\4&1D3F0FBB&0&21F0
Manufacturer:
Name: PCI FLASH Memory
PNP Device ID: PCI\VEN_1524&DEV_0530&SUBSYS_001214C0&REV_00\4&1D3F0FBB&0&21F0
Service:


-- Files created between 2008-06-21 and 2008-07-21 -----------------------------

2008-07-21 15:46:37 0 d-------- F:\Program Files\Trend Micro
2008-07-21 15:12:10 0 d-------- F:\Program Files\Symantec AntiVirus
2008-07-21 14:33:49 68096 --a------ F:\WINDOWS\zip.exe
2008-07-21 14:33:49 49152 --a------ F:\WINDOWS\VFind.exe
2008-07-21 14:33:49 212480 --a------ F:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-21 14:33:49 136704 --a------ F:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-21 14:33:49 161792 --a------ F:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-21 14:33:49 98816 --a------ F:\WINDOWS\sed.exe
2008-07-21 14:33:49 80412 --a------ F:\WINDOWS\grep.exe
2008-07-21 14:33:49 89504 --a------ F:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-21 13:31:04 0 d-------- F:\Program Files\Microsoft ActiveSync
2008-07-20 17:12:46 0 d-------- F:\Documents and Settings\arif obaid\Application Data\Mozilla
2008-07-20 17:12:42 0 d-------- F:\Documents and Settings\arif obaid\Application Data\iofyxrlh
2008-07-20 15:08:14 0 d-------- F:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-07-20 15:08:12 0 d-------- F:\Documents and Settings\NetworkService\Application Data\iofyxrlh
2008-07-20 00:13:32 22068 --a------ F:\Documents and Settings\All Users\Application Data\ustore.dat
2008-07-20 00:03:16 15360 --a------ F:\WINDOWS\system32\rsnotifyj.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-21 14:37:20 103424 --a------ F:\WINDOWS\system32\qyqcxzi.dll
2008-06-07 15:19:48 0 d-------- F:\Program Files\QuickTime


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEDFB95E-FFF6-4761-A700-BD4802533A21}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\system32\igfxtray.exe" [02/11/2004 06:03 AM]
"HotKeysCmds"="F:\WINDOWS\system32\hkcmd.exe" [02/11/2004 05:59 AM]
"AGRSMMSG"="AGRSMMSG.exe" [22/07/2004 10:38 AM F:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="F:\Program Files\ltmoh\Ltmoh.exe" [28/04/2003 12:08 PM]
"SoundMan"="SOUNDMAN.EXE" [20/01/2005 05:04 PM F:\WINDOWS\SOUNDMAN.EXE]
"IntelWireless"="F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [15/10/2004 11:27 AM]
"EOUApp"="F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [15/10/2004 11:31 AM]
"HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd.exe" [04/08/2003 05:28 PM]
"HP Component Manager"="F:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 08:38 AM]
"USBDetector"="C:\USBStorage\USBDetector.exe" [07/01/2004 02:55 PM]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [07/06/2008 03:19 PM]
"ccApp"="-" []
"vptray"="F:\PROGRA~1\SYMANT~1\VPTray.exe" [02/08/2004 07:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"Yahoo! Pager"="F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [30/08/2007 05:43 PM]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [29/03/2008 2:13:20 PM]
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 5:19:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgtqvfqm]
yjwpicu.dll 21/07/2008 02:37 PM 103424 F:\WINDOWS\system32\yjwpicu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
F:\Program Files\Intel\Wireless\Bin\LgNotify.dll 15/10/2004 11:27 AM 110592 F:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingo31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvd28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwe85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwf42.sys]
@="Driver"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
glasrjoq

*Newly Created Service* - CCEVTMGR
*Newly Created Service* - GLASRJOQ



-- End of Deckard's System Scanner: finished at 2008-07-21 15:48:13 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.73GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 503.42 MiB / 170.77 MiB
Pagefile Memory (total/avail): 1229.46 MiB / 930.89 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1914.8 MiB

C: is Fixed (FAT32) - 9.76 GiB total, 2.09 GiB free.
D: is Fixed (FAT32) - 9.76 GiB total, 6.69 GiB free.
E: is Fixed (FAT32) - 9.76 GiB total, 5.33 GiB free.
F: is Fixed (FAT32) - 7.94 GiB total, 2.83 GiB free.
G: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - WDC WD400UE-00HCT0 - 37.26 GiB - 4 partitions
\PARTITION0 (bootable) - Unknown - 9.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 27.49 GiB - D: - E: - F:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v9.0.1.1000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Messenger\\msmsgs.exe"="F:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe"="D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe:*:Enabled:AirPort Admin Utility for Windows"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=F:\Documents and Settings\All Users
APPDATA=F:\Documents and Settings\arif obaid\Application Data
CommonProgramFiles=F:\Program Files\Common Files
COMPUTERNAME=ARIF
ComSpec=F:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=F:
HOMEPATH=\Documents and Settings\arif obaid
LOGONSERVER=\\ARIF
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=F:\WINDOWS\system32;F:\WINDOWS;F:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=F:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=F:
SystemRoot=F:\WINDOWS
TEMP=F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp
TMP=F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp
USERDOMAIN=ARIF
USERNAME=arif obaid
USERPROFILE=F:\Documents and Settings\arif obaid
windir=F:\WINDOWS


-- User Profiles ---------------------------------------------------------------

arif obaid (admin)
MO (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> F:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> F:\WINDOWS\ISUNINST.EXE -f"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> F:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems AC'97 Modem --> agrsmdel
HP Image Zone 3.5 --> F:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "F:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE F:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> F:\WINDOWS\Installer\iProInst.exe
LiveUpdate 2.0 (Symantec Corporation) --> F:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU.msi --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SOAP Toolkit 3.0 --> MsiExec.exe /I{BCB4C18A-ACA6-4383-8688-E19933A705DD}
Microsoft Visual FoxPro 9.0 Professional - English --> f:\Program Files\Microsoft Visual FoxPro 9\setup\Visual FoxPro 9.0 Professional - English\setup.exe /MaintMode
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
PL-2303 USB-to-Serial --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
Qualcomm Multimedia USB Ver. 1.00 --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{9101E5A0-66C8-11D4-A511-00C04F9643C9}\setup.exe" -uninst
Realtek AC'97 Audio --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Yahoo! Browser Services --> F:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> F:\WINDOWS\system32\regsvr32 /u F:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> F:\WINDOWS\system32\regsvr32 /u /s F:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> F:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U F:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! uC --> F:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type4885 / Error
Event Submitted/Written: 07/21/2008 03:47:37 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type4857 / Error
Event Submitted/Written: 07/21/2008 02:35:08 PM
Event ID/Source: 1000 / Windows Live Messenger
Event Description:
msnmsgr.exe8.5.1302.10184717a53bunknown0.0.0.000000000010002e2c

Event Record #/Type4856 / Error
Event Submitted/Written: 07/21/2008 02:35:01 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application yahoom~1.exe, version 8.1.0.421, faulting module unknown, version 0.0.0.0, fault address 0x04c42e2c.
Processing media-specific event for [yahoom~1.exe!ws!]

Event Record #/Type4854 / Error
Event Submitted/Written: 07/21/2008 02:29:16 PM
Event ID/Source: 1000 / Microsoft Office 11
Event Description:
Faulting application outlook.exe, version 11.0.5510.0, stamp 3f1380f0, faulting module ntdll.dll, version 5.1.2600.2180, stamp 411096b4, debug? 0, fault address 0x00010f29.

Event Record #/Type4843 / Warning
Event Submitted/Written: 07/21/2008 01:33:44 PM
Event ID/Source: 2002 / LoadPerf
Event Description:
The MOF file created for the Outlook service could not be loaded. The
error code returned by the MOF Compiler is contained in the Record Data.
Before the performance counters of this service can be collected by WMI
the MOF file will need to be loaded manually. Contact the vendor of this
service for additional information.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20668 / Warning
Event Submitted/Written: 07/21/2008 01:33:21 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Microsoft Office Document Image Writer Driver for Windows NT x86 Version-3 was added or updated. Files:- mdigraph.dll, mdiui.dll, mdiui.dll.

Event Record #/Type20666 / Warning
Event Submitted/Written: 07/21/2008 01:33:07 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft Office Document Image Writer was deleted.

Event Record #/Type20665 / Warning
Event Submitted/Written: 07/21/2008 01:33:04 PM
Event ID/Source: 4 / Print
Event Description:
Printer Microsoft Office Document Image Writer is pending deletion.

Event Record #/Type20625 / Warning
Event Submitted/Written: 07/21/2008 01:13:39 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Microsoft Office Document Image Writer Driver for Windows NT x86 Version-3 was added or updated. Files:- mdigraph.dll, mdiui.dll, mdiui.dll.

Event Record #/Type20624 / Warning
Event Submitted/Written: 07/21/2008 01:13:25 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft Office Document Image Writer was deleted.



-- End of Deckard's System Scanner: finished at 2008-07-21 15:48:13 ------------


#2 don77

don77

    Forum Regular


  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 06 August 2008 - 09:50 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 googly

googly
  • Topic Starter

  • Members
  • 6 posts

Posted 08 August 2008 - 06:16 PM

Hi, Thanks for your help.

First I will post a fresh scan result by DSS:

Deckard's System Scanner v20071014.68
Run by arif obaid on 2008-08-09 00:16:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as arif obaid.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:39 AM, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
F:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
F:\WINDOWS\system32\igfxtray.exe
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\ltmoh\Ltmoh.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\USBStorage\USBDetector.exe
F:\Program Files\McAfee.com\VSO\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee.com\VSO\oasclnt.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\WINDOWS\System32\alg.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\Documents and Settings\arif obaid\Desktop\dss.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\ARIFOB~1.EXE
F:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6FA912D-1825-4CA2-A219-CDE47DB9819C} - F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp\dmA8.dll (file missing)
O2 - BHO: (no name) - {BEDFB95E-FFF6-4761-A700-BD4802533A21} - f:\windows\system32\yjwpicu.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] F:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelWireless] F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8A54765-37DB-4AB7-9448-1DD4346F3902}: NameServer = 203.81.204.23,203.81.204.3
O20 - Winlogon Notify: hgtqvfqm - F:\WINDOWS\SYSTEM32\yjwpicu.dll
O23 - Service: EvtEng - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: OwnershipProtocol - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8097 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-02 23:17:29 0 d-------- F:\Documents and Settings\All Users\Application Data\MCA3C.tmp
2008-08-02 23:10:50 0 d-------- F:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-02 23:10:00 0 d-------- F:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-08-02 23:09:59 0 dr------- F:\Documents and Settings\LocalService\Favorites
2008-07-23 12:06:18 0 d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 12:05:32 0 d-------- F:\Program Files\McAfee
2008-07-23 12:05:32 0 d-------- F:\Documents and Settings\arif obaid\Application Data\McAfee
2008-07-23 12:05:27 0 d-------- F:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-23 12:04:55 0 d-------- F:\Program Files\McAfee.com
2008-07-21 15:46:37 0 d-------- F:\Program Files\Trend Micro
2008-07-21 14:33:49 68096 --a------ F:\WINDOWS\zip.exe
2008-07-21 14:33:49 49152 --a------ F:\WINDOWS\VFind.exe
2008-07-21 14:33:49 212480 --a------ F:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-21 14:33:49 136704 --a------ F:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-21 14:33:49 161792 --a------ F:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-21 14:33:49 98816 --a------ F:\WINDOWS\sed.exe
2008-07-21 14:33:49 80412 --a------ F:\WINDOWS\grep.exe
2008-07-21 14:33:49 89504 --a------ F:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-21 13:31:04 0 d-------- F:\Program Files\Microsoft ActiveSync
2008-07-20 17:12:46 0 d-------- F:\Documents and Settings\arif obaid\Application Data\Mozilla
2008-07-20 17:12:42 0 d-------- F:\Documents and Settings\arif obaid\Application Data\iofyxrlh
2008-07-20 15:08:14 0 d-------- F:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-07-20 15:08:12 0 d-------- F:\Documents and Settings\NetworkService\Application Data\iofyxrlh
2008-07-20 00:13:32 22068 --a------ F:\Documents and Settings\All Users\Application Data\ustore.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-21 14:37:20 103424 --a------ F:\WINDOWS\system32\qyqcxzi.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEDFB95E-FFF6-4761-A700-BD4802533A21}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\system32\igfxtray.exe" [02/11/2004 06:03 AM]
"HotKeysCmds"="F:\WINDOWS\system32\hkcmd.exe" [02/11/2004 05:59 AM]
"AGRSMMSG"="AGRSMMSG.exe" [22/07/2004 10:38 AM F:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="F:\Program Files\ltmoh\Ltmoh.exe" [28/04/2003 12:08 PM]
"SoundMan"="SOUNDMAN.EXE" [20/01/2005 05:04 PM F:\WINDOWS\SOUNDMAN.EXE]
"IntelWireless"="F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [15/10/2004 11:27 AM]
"EOUApp"="F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [15/10/2004 11:31 AM]
"HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd.exe" [04/08/2003 05:28 PM]
"HP Component Manager"="F:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 08:38 AM]
"USBDetector"="C:\USBStorage\USBDetector.exe" [07/01/2004 02:55 PM]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [07/06/2008 03:19 PM]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [08/07/2005 06:18 PM]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [10/08/2005 12:49 PM]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [22/09/2005 06:29 PM]
"MCUpdateExe"="f:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [11/01/2006 12:05 PM]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [23/03/2005 04:33 PM]
"MSKDetectorExe"="F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [23/03/2005 03:47 PM]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [11/08/2005 10:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"Yahoo! Pager"="F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [30/08/2007 05:43 PM]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [23/03/2005 04:33 PM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [29/03/2008 2:13:20 PM]
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 5:19:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgtqvfqm]
yjwpicu.dll 21/07/2008 02:37 PM 103424 F:\WINDOWS\system32\yjwpicu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
F:\Program Files\Intel\Wireless\Bin\LgNotify.dll 15/10/2004 11:27 AM 110592 F:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingo31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvd28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwe85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwf42.sys]
@="Driver"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
glasrjoq




-- End of Deckard's System Scanner: finished at 2008-08-09 00:17:16 ------------

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8A54765-37DB-4AB7-9448-1DD4346F3902}: NameServer = 203.81.204.23,203.81.204.3
O20 - Winlogon Notify: hgtqvfqm - F:\WINDOWS\SYSTEM32\yjwpicu.dll
O23 - Service: EvtEng - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: OwnershipProtocol - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8097 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-02 23:17:29 0 d-------- F:\Documents and Settings\All Users\Application Data\MCA3C.tmp
2008-08-02 23:10:50 0 d-------- F:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-02 23:10:00 0 d-------- F:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-08-02 23:09:59 0 dr------- F:\Documents and Settings\LocalService\Favorites
2008-07-23 12:06:18 0 d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 12:05:32 0 d-------- F:\Program Files\McAfee
2008-07-23 12:05:32 0 d-------- F:\Documents and Settings\arif obaid\Application Data\McAfee
2008-07-23 12:05:27 0 d-------- F:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-23 12:04:55 0 d-------- F:\Program Files\McAfee.com
2008-07-21 15:46:37 0 d-------- F:\Program Files\Trend Micro
2008-07-21 14:33:49 68096 --a------ F:\WINDOWS\zip.exe
2008-07-21 14:33:49 49152 --a------ F:\WINDOWS\VFind.exe
2008-07-21 14:33:49 212480 --a------ F:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-21 14:33:49 136704 --a------ F:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-21 14:33:49 161792 --a------ F:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-21 14:33:49 98816 --a------ F:\WINDOWS\sed.exe
2008-07-21 14:33:49 80412 --a------ F:\WINDOWS\grep.exe
2008-07-21 14:33:49 89504 --a------ F:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-21 13:31:04 0 d-------- F:\Program Files\Microsoft ActiveSync
2008-07-20 17:12:46 0 d-------- F:\Documents and Settings\arif obaid\Application Data\Mozilla
2008-07-20 17:12:42 0 d-------- F:\Documents and Settings\arif obaid\Application Data\iofyxrlh
2008-07-20 15:08:14 0 d-------- F:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-07-20 15:08:12 0 d-------- F:\Documents and Settings\NetworkService\Application Data\iofyxrlh
2008-07-20 00:13:32 22068 --a------ F:\Documents and Settings\All Users\Application Data\ustore.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-21 14:37:20 103424 --a------ F:\WINDOWS\system32\qyqcxzi.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEDFB95E-FFF6-4761-A700-BD4802533A21}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\system32\igfxtray.exe" [02/11/2004 06:03 AM]
"HotKeysCmds"="F:\WINDOWS\system32\hkcmd.exe" [02/11/2004 05:59 AM]
"AGRSMMSG"="AGRSMMSG.exe" [22/07/2004 10:38 AM F:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="F:\Program Files\ltmoh\Ltmoh.exe" [28/04/2003 12:08 PM]
"SoundMan"="SOUNDMAN.EXE" [20/01/2005 05:04 PM F:\WINDOWS\SOUNDMAN.EXE]
"IntelWireless"="F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [15/10/2004 11:27 AM]
"EOUApp"="F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [15/10/2004 11:31 AM]
"HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd.exe" [04/08/2003 05:28 PM]
"HP Component Manager"="F:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 08:38 AM]
"USBDetector"="C:\USBStorage\USBDetector.exe" [07/01/2004 02:55 PM]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [07/06/2008 03:19 PM]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [08/07/2005 06:18 PM]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [10/08/2005 12:49 PM]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [22/09/2005 06:29 PM]
"MCUpdateExe"="f:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [11/01/2006 12:05 PM]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [23/03/2005 04:33 PM]
"MSKDetectorExe"="F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [23/03/2005 03:47 PM]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [11/08/2005 10:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"Yahoo! Pager"="F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [30/08/2007 05:43 PM]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [23/03/2005 04:33 PM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [29/03/2008 2:13:20 PM]
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 5:19:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgtqvfqm]
yjwpicu.dll 21/07/2008 02:37 PM 103424 F:\WINDOWS\system32\yjwpicu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
F:\Program Files\Intel\Wireless\Bin\LgNotify.dll 15/10/2004 11:27 AM 110592 F:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingo31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvd28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwe85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwf42.sys]
@="Driver"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
glasrjoq




-- End of Deckard's System Scanner: finished at 2008-08-09 00:17:16 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.73GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 503.42 MiB / 170.77 MiB
Pagefile Memory (total/avail): 1229.46 MiB / 930.89 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1914.8 MiB

C: is Fixed (FAT32) - 9.76 GiB total, 2.09 GiB free.
D: is Fixed (FAT32) - 9.76 GiB total, 6.69 GiB free.
E: is Fixed (FAT32) - 9.76 GiB total, 5.33 GiB free.
F: is Fixed (FAT32) - 7.94 GiB total, 2.83 GiB free.
G: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - WDC WD400UE-00HCT0 - 37.26 GiB - 4 partitions
\PARTITION0 (bootable) - Unknown - 9.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 27.49 GiB - D: - E: - F:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v9.0.1.1000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Messenger\\msmsgs.exe"="F:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe"="D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe:*:Enabled:AirPort Admin Utility for Windows"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=F:\Documents and Settings\All Users
APPDATA=F:\Documents and Settings\arif obaid\Application Data
CommonProgramFiles=F:\Program Files\Common Files
COMPUTERNAME=ARIF
ComSpec=F:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=F:
HOMEPATH=\Documents and Settings\arif obaid
LOGONSERVER=\\ARIF
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=F:\WINDOWS\system32;F:\WINDOWS;F:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=F:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=F:
SystemRoot=F:\WINDOWS
TEMP=F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp
TMP=F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp
USERDOMAIN=ARIF
USERNAME=arif obaid
USERPROFILE=F:\Documents and Settings\arif obaid
windir=F:\WINDOWS


-- User Profiles ---------------------------------------------------------------

arif obaid (admin)
MO (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> F:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> F:\WINDOWS\ISUNINST.EXE -f"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> F:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems AC'97 Modem --> agrsmdel
HP Image Zone 3.5 --> F:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "F:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE F:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> F:\WINDOWS\Installer\iProInst.exe
LiveUpdate 2.0 (Symantec Corporation) --> F:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU.msi --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SOAP Toolkit 3.0 --> MsiExec.exe /I{BCB4C18A-ACA6-4383-8688-E19933A705DD}
Microsoft Visual FoxPro 9.0 Professional - English --> f:\Program Files\Microsoft Visual FoxPro 9\setup\Visual FoxPro 9.0 Professional - English\setup.exe /MaintMode
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
PL-2303 USB-to-Serial --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
Qualcomm Multimedia USB Ver. 1.00 --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{9101E5A0-66C8-11D4-A511-00C04F9643C9}\setup.exe" -uninst
Realtek AC'97 Audio --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Yahoo! Browser Services --> F:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> F:\WINDOWS\system32\regsvr32 /u F:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> F:\WINDOWS\system32\regsvr32 /u /s F:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> F:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U F:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! uC --> F:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type4885 / Error
Event Submitted/Written: 07/21/2008 03:47:37 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type4857 / Error
Event Submitted/Written: 07/21/2008 02:35:08 PM
Event ID/Source: 1000 / Windows Live Messenger
Event Description:
msnmsgr.exe8.5.1302.10184717a53bunknown0.0.0.000000000010002e2c

Event Record #/Type4856 / Error
Event Submitted/Written: 07/21/2008 02:35:01 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application yahoom~1.exe, version 8.1.0.421, faulting module unknown, version 0.0.0.0, fault address 0x04c42e2c.
Processing media-specific event for [yahoom~1.exe!ws!]

Event Record #/Type4854 / Error
Event Submitted/Written: 07/21/2008 02:29:16 PM
Event ID/Source: 1000 / Microsoft Office 11
Event Description:
Faulting application outlook.exe, version 11.0.5510.0, stamp 3f1380f0, faulting module ntdll.dll, version 5.1.2600.2180, stamp 411096b4, debug? 0, fault address 0x00010f29.

Event Record #/Type4843 / Warning
Event Submitted/Written: 07/21/2008 01:33:44 PM
Event ID/Source: 2002 / LoadPerf
Event Description:
The MOF file created for the Outlook service could not be loaded. The
error code returned by the MOF Compiler is contained in the Record Data.
Before the performance counters of this service can be collected by WMI
the MOF file will need to be loaded manually. Contact the vendor of this
service for additional information.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20668 / Warning
Event Submitted/Written: 07/21/2008 01:33:21 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Microsoft Office Document Image Writer Driver for Windows NT x86 Version-3 was added or updated. Files:- mdigraph.dll, mdiui.dll, mdiui.dll.

Event Record #/Type20666 / Warning
Event Submitted/Written: 07/21/2008 01:33:07 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft Office Document Image Writer was deleted.

Event Record #/Type20665 / Warning
Event Submitted/Written: 07/21/2008 01:33:04 PM
Event ID/Source: 4 / Print
Event Description:
Printer Microsoft Office Document Image Writer is pending deletion.

Event Record #/Type20625 / Warning
Event Submitted/Written: 07/21/2008 01:13:39 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Microsoft Office Document Image Writer Driver for Windows NT x86 Version-3 was added or updated. Files:- mdigraph.dll, mdiui.dll, mdiui.dll.

Event Record #/Type20624 / Warning
Event Submitted/Written: 07/21/2008 01:13:25 PM
Event ID/Source: 3 / Print
Event Description:
Printer Microsoft Office Document Image Writer was deleted.



-- End of Deckard's System Scanner: finished at 2008-07-21 15:48:13 ------------

Now, I will post the scan result from the run command:

Deckard's System Scanner v20071014.68
Run by arif obaid on 2008-08-09 00:22:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-08-08 19:22:49 UTC - RP4 - Deckard's System Scanner Restore Point
1: 2008-08-08 19:06:02 UTC - RP3 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as arif obaid.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:01 AM, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
F:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
F:\WINDOWS\system32\igfxtray.exe
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\ltmoh\Ltmoh.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\USBStorage\USBDetector.exe
F:\Program Files\McAfee.com\VSO\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee.com\VSO\oasclnt.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\WINDOWS\System32\alg.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\Documents and Settings\arif obaid\desktop\dss.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\ARIFOB~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B6FA912D-1825-4CA2-A219-CDE47DB9819C} - F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp\dmA8.dll (file missing)
O2 - BHO: (no name) - {BEDFB95E-FFF6-4761-A700-BD4802533A21} - f:\windows\system32\yjwpicu.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] F:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelWireless] F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8A54765-37DB-4AB7-9448-1DD4346F3902}: NameServer = 203.81.204.23,203.81.204.3
O20 - Winlogon Notify: hgtqvfqm - F:\WINDOWS\SYSTEM32\yjwpicu.dll
O23 - Service: EvtEng - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: OwnershipProtocol - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8097 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 gfjhzztk - f:\windows\system32\drivers\gfjhzztk.sys <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - f:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 s24trans (WLAN Transport) - f:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S0 Wingo31 - f:\windows\system32\drivers\wingo31.sys (file missing)
S0 Winvd28 - f:\windows\system32\drivers\winvd28.sys (file missing)
S0 Winwe85 - f:\windows\system32\drivers\winwe85.sys (file missing)
S0 Winwf42 - f:\windows\system32\drivers\winwf42.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MskService (McAfee SpamKiller Server) - f:\progra~1\mcafee\spamki~1\msksrvr.exe <Not Verified; McAfee Inc.; McAfee SpamKiller>
R2 OwnershipProtocol - f:\program files\intel\wireless\bin\oprotsvc.exe <Not Verified; Intel Corporation; Intel PROSet/Wireless>
R2 RegSrvc - f:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: PCI FLASH Memory
Device ID: PCI\VEN_1524&DEV_0530&SUBSYS_001214C0&REV_00\4&1D3F0FBB&0&21F0
Manufacturer:
Name: PCI FLASH Memory
PNP Device ID: PCI\VEN_1524&DEV_0530&SUBSYS_001214C0&REV_00\4&1D3F0FBB&0&21F0
Service:


-- Process Modules -------------------------------------------------------------

F:\WINDOWS\system32\winlogon.exe (pid 912)
2001-08-23 14:00:00 103424 --a------ F:\WINDOWS\system32\yjwpicu.dll
2004-10-15 11:27:42 110592 --a------ F:\Program Files\Intel\Wireless\Bin\LgNotify.dll <Not Verified; Intel Corporation; LogonNotify Dynamic Link Library>

F:\WINDOWS\system32\svchost.exe (pid 1240)
2001-08-23 14:00:00 103424 --a------ F:\WINDOWS\system32\yjwpicu.dll

F:\WINDOWS\explorer.exe (pid 1764)
2005-03-23 16:34:06 86016 --a------ F:\Program Files\McAfee\SpamKiller\MSKOEPlg.dll <Not Verified; McAfee Inc.; McAfee SpamKiller>
2007-08-30 17:43:14 6144 --a------ F:\Program Files\Yahoo!\Messenger\idle.dll <Not Verified; Yahoo! Inc.; Yahoo! Messenger>
2001-08-23 14:00:00 103424 --a------ F:\WINDOWS\system32\yjwpicu.dll
2005-07-01 20:44:30 114688 --a------ F:\Program Files\McAfee.com\VSO\mcvsshl.dll <Not Verified; McAfee, Inc.; McAfee VirusScan>
2005-07-01 20:38:58 3072 --a------ F:\Program Files\McAfee.com\VSO\shlres.dll <Not Verified; McAfee, Inc.; McAfee VirusScan>


-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-02 23:17:29 0 d-------- F:\Documents and Settings\All Users\Application Data\MCA3C.tmp
2008-08-02 23:10:50 0 d-------- F:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-02 23:10:00 0 d-------- F:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-08-02 23:09:59 0 dr------- F:\Documents and Settings\LocalService\Favorites
2008-07-23 12:06:18 0 d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 12:05:32 0 d-------- F:\Program Files\McAfee
2008-07-23 12:05:32 0 d-------- F:\Documents and Settings\arif obaid\Application Data\McAfee
2008-07-23 12:05:27 0 d-------- F:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-23 12:04:55 0 d-------- F:\Program Files\McAfee.com
2008-07-21 15:46:37 0 d-------- F:\Program Files\Trend Micro
2008-07-21 14:33:49 68096 --a------ F:\WINDOWS\zip.exe
2008-07-21 14:33:49 49152 --a------ F:\WINDOWS\VFind.exe
2008-07-21 14:33:49 212480 --a------ F:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-21 14:33:49 136704 --a------ F:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-21 14:33:49 161792 --a------ F:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-21 14:33:49 98816 --a------ F:\WINDOWS\sed.exe
2008-07-21 14:33:49 80412 --a------ F:\WINDOWS\grep.exe
2008-07-21 14:33:49 89504 --a------ F:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-21 13:31:04 0 d-------- F:\Program Files\Microsoft ActiveSync
2008-07-20 17:12:46 0 d-------- F:\Documents and Settings\arif obaid\Application Data\Mozilla
2008-07-20 17:12:42 0 d-------- F:\Documents and Settings\arif obaid\Application Data\iofyxrlh
2008-07-20 15:08:14 0 d-------- F:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-07-20 15:08:12 0 d-------- F:\Documents and Settings\NetworkService\Application Data\iofyxrlh
2008-07-20 00:13:32 22068 --a------ F:\Documents and Settings\All Users\Application Data\ustore.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-21 14:37:20 103424 --a------ F:\WINDOWS\system32\qyqcxzi.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEDFB95E-FFF6-4761-A700-BD4802533A21}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\system32\igfxtray.exe" [02/11/2004 06:03 AM]
"HotKeysCmds"="F:\WINDOWS\system32\hkcmd.exe" [02/11/2004 05:59 AM]
"AGRSMMSG"="AGRSMMSG.exe" [22/07/2004 10:38 AM F:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="F:\Program Files\ltmoh\Ltmoh.exe" [28/04/2003 12:08 PM]
"SoundMan"="SOUNDMAN.EXE" [20/01/2005 05:04 PM F:\WINDOWS\SOUNDMAN.EXE]
"IntelWireless"="F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [15/10/2004 11:27 AM]
"EOUApp"="F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [15/10/2004 11:31 AM]
"HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd.exe" [04/08/2003 05:28 PM]
"HP Component Manager"="F:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 08:38 AM]
"USBDetector"="C:\USBStorage\USBDetector.exe" [07/01/2004 02:55 PM]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [07/06/2008 03:19 PM]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [08/07/2005 06:18 PM]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [10/08/2005 12:49 PM]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [22/09/2005 06:29 PM]
"MCUpdateExe"="f:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [11/01/2006 12:05 PM]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [23/03/2005 04:33 PM]
"MSKDetectorExe"="F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [23/03/2005 03:47 PM]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [11/08/2005 10:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"Yahoo! Pager"="F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [30/08/2007 05:43 PM]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [23/03/2005 04:33 PM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [29/03/2008 2:13:20 PM]
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 5:19:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgtqvfqm]
yjwpicu.dll 21/07/2008 02:37 PM 103424 F:\WINDOWS\system32\yjwpicu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
F:\Program Files\Intel\Wireless\Bin\LgNotify.dll 15/10/2004 11:27 AM 110592 F:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingo31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvd28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwe85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwf42.sys]
@="Driver"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
glasrjoq




-- End of Deckard's System Scanner: finished at 2008-08-09 00:24:33 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.73GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 503.42 MiB / 229.07 MiB
Pagefile Memory (total/avail): 1230.34 MiB / 791.89 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1909.23 MiB

C: is Fixed (FAT32) - 9.76 GiB total, 2.09 GiB free.
D: is Fixed (FAT32) - 9.76 GiB total, 6.69 GiB free.
E: is Fixed (FAT32) - 9.76 GiB total, 5.75 GiB free.
F: is Fixed (FAT32) - 7.94 GiB total, 1.8 GiB free.
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400UE-00HCT0 - 37.26 GiB - 4 partitions
\PARTITION0 (bootable) - Unknown - 9.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 27.49 GiB - D: - E: - F:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Messenger\\msmsgs.exe"="F:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe"="D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe:*:Enabled:AirPort Admin Utility for Windows"
"F:\\WINDOWS\\EXPLORER.EXE"="F:\\WINDOWS\\EXPLORER.EXE:*:Enabled:Windows Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=F:\Documents and Settings\All Users
APPDATA=F:\Documents and Settings\arif obaid\Application Data
CommonProgramFiles=F:\Program Files\Common Files
COMPUTERNAME=ARIF
ComSpec=F:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=F:
HOMEPATH=\Documents and Settings\arif obaid
LOGONSERVER=\\ARIF
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=F:\WINDOWS\system32;F:\WINDOWS;F:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=F:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=F:
SystemRoot=F:\WINDOWS
TEMP=F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp
TMP=F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp
USERDOMAIN=ARIF
USERNAME=arif obaid
USERPROFILE=F:\Documents and Settings\arif obaid
windir=F:\WINDOWS


-- User Profiles ---------------------------------------------------------------

arif obaid (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> F:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> F:\WINDOWS\ISUNINST.EXE -f"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> F:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems AC'97 Modem --> agrsmdel
HP Image Zone 3.5 --> F:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "F:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE F:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> F:\WINDOWS\Installer\iProInst.exe
LiveUpdate 2.0 (Symantec Corporation) --> F:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
McAfee SecurityCenter --> f:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=f:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee SpamKiller --> f:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /appid=MSK /uninstall=1 /interact=1 /script_proactive=0 /start="f:\PROGRA~1\mcafee.com\agent\uninst\mskremui.dll::uninstall.htm"
McAfee VirusScan --> f:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=f:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU.msi --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SOAP Toolkit 3.0 --> MsiExec.exe /I{BCB4C18A-ACA6-4383-8688-E19933A705DD}
Microsoft Visual FoxPro 9.0 Professional - English --> f:\Program Files\Microsoft Visual FoxPro 9\setup\Visual FoxPro 9.0 Professional - English\setup.exe /MaintMode
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
PL-2303 USB-to-Serial --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
Qualcomm Multimedia USB Ver. 1.00 --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{9101E5A0-66C8-11D4-A511-00C04F9643C9}\setup.exe" -uninst
Realtek AC'97 Audio --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Yahoo! Browser Services --> F:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> F:\WINDOWS\system32\regsvr32 /u F:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> F:\WINDOWS\system32\regsvr32 /u /s F:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> F:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U F:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! uC --> F:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type4949 / Error
Event Submitted/Written: 07/23/2008 00:49:37 PM
Event ID/Source: 11335 / MsiInstaller
Event Description:
Product: Microsoft Office XP Professional with FrontPage -- Error 1335. The cabinet file 'OFFICE1.CAB' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Event Record #/Type4929 / Warning
Event Submitted/Written: 07/23/2008 00:01:02 PM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type4918 / Warning
Event Submitted/Written: 07/23/2008 10:14:03 AM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type4907 / Warning
Event Submitted/Written: 07/22/2008 09:05:03 PM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type4896 / Warning
Event Submitted/Written: 07/22/2008 11:39:41 AM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type23748 / Warning
Event Submitted/Written: 08/08/2008 04:18:28 AM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by WINLOGON.EXE.

Event Record #/Type23282 / Warning
Event Submitted/Written: 08/05/2008 11:40:02 PM
Event ID/Source: 11050 / dnscache
Event Description:
The DNS Client service could not contact any DNS servers for
a repeated number of attempts. For the next 30 seconds the
DNS Client service will not use the network to avoid further
network performance problems. It will resume its normal behavior
after that. If this problem persists, verify your TCP/IP
configuration, specifically check that you have a preferred
(and possibly an alternate) DNS server configured. If the problem
continues, verify network conditions to these DNS servers or contact
your network administrator.

Event Record #/Type22805 / Warning
Event Submitted/Written: 08/03/2008 05:57:00 PM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{A8A54765-37DB-4AB7-9448-1DD4346F3902}.

Event Record #/Type22428 / Warning
Event Submitted/Written: 08/02/2008 03:19:15 PM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by WINLOGON.EXE.

Event Record #/Type22350 / Warning
Event Submitted/Written: 08/01/2008 00:57:40 PM / 08/01/2008 00:57:41 PM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by WINLOGON.EXE.



-- End of Deckard's System Scanner: finished at 2008-08-09 00:24:33 ------------


And finally, here is the result from Kaspersky Online Scanner:


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 08, 2008 20:05:03
Records in database: 1070303


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 102459
Threat name 8
Infected objects 10
Suspicious objects 6
Duration of the scan 03:01:22

File name Threat name Threats count
C:\WINDOWS\system32\drivers\nffdcfhp.dat Infected: Rootkit.Win32.Agent.aap 1

C:\Documents and Settings\test\Local Settings\Temporary Internet Files\Content.IE5\8PUZWHE3\index[1].htm Infected: Trojan-Clicker.HTML.IFrame.mb 1

C:\Documents and Settings\test\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

E:\My Documents\Backup\Outlook\Outlook backup.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 4

F:\Documents and Settings\arif obaid\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Clicker.HTML.IFrame.ui 2

F:\Documents and Settings\arif obaid\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Downloader.JS.Agent.ckn 2

F:\QooBox\Quarantine\F\WINDOWS\system32\WinCtrl32.dl_.vir Infected: Trojan-Downloader.Win32.Mutant.app 1

F:\QooBox\Quarantine\F\WINDOWS\system32\WinCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Mutant.app 1

F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\Udk21.sys.vir Infected: Trojan.Win32.Agent.uzz 1

F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\Winkr28.sys.vir Infected: Trojan-Downloader.Win32.Mutant.aim 1

The selected area was scanned.

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:26 PM

Posted 08 August 2008 - 10:58 PM

Hello, googly.
One very important thing I need to know:

Is this your ISP?
Pakistan Lahore Worldcall Multimedia Ltd

It appears you have run ComboFix in the past. Please DELETE any existing copies of ComboFix you have before performing these instructions:

We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 googly

googly
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 09 August 2008 - 02:14 PM

Thanks Billy. Yes, the ISP you list is correct.

Here's the report I got after following the instructions:

ComboFix 08-08-08.08 - arif obaid 2008-08-09 23:59:42.2 - FAT32x86
Running from: F:\Documents and Settings\arif obaid\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\arif obaid\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\windows\system32\yjwpicu.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GLASRJOQ
-------\Service_glasrjoq


((((((((((((((((((((((((( Files Created from 2008-07-09 to 2008-08-09 )))))))))))))))))))))))))))))))
.

2008-08-09 00:40 . 2008-08-09 00:40 <DIR> d-------- F:\WINDOWS\Sun
2008-08-09 00:40 . 2008-08-09 00:40 <DIR> d-------- F:\Program Files\Sun
2008-08-09 00:39 . 2008-06-10 02:32 73,728 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-08-09 00:38 . 2008-08-09 00:38 <DIR> d-------- F:\Program Files\Java
2008-08-09 00:32 . 2008-08-09 00:32 <DIR> d-------- F:\Program Files\Common Files\Java
2008-08-02 23:17 . 2008-08-02 23:17 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\MCA3C.tmp
2008-08-02 23:10 . 2008-08-02 23:10 <DIR> d-------- F:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-07-29 22:12 . 2008-07-29 22:12 268 --ah----- F:\sqmdata16.sqm
2008-07-29 22:12 . 2008-07-29 22:12 244 --ah----- F:\sqmnoopt16.sqm
2008-07-23 15:20 . 2005-08-10 11:22 114,464 --a------ F:\WINDOWS\system32\drivers\naiavf5x.sys
2008-07-23 12:06 . 2008-07-23 12:06 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 12:05 . 2008-07-23 12:05 <DIR> d-------- F:\Program Files\McAfee
2008-07-23 12:05 . 2008-07-23 12:05 <DIR> d-------- F:\Documents and Settings\arif obaid\Application Data\McAfee
2008-07-23 12:05 . 2008-07-23 12:05 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- F:\Program Files\McAfee.com
2008-07-23 12:04 . 2005-10-18 11:08 349,760 --a------ F:\WINDOWS\system32\mcinsctl.dll
2008-07-23 12:04 . 2005-05-24 19:23 288,320 --a------ F:\WINDOWS\system32\McGDMgr.dll
2008-07-21 15:46 . 2008-07-21 15:46 <DIR> d-------- F:\Program Files\Trend Micro
2008-07-21 15:44 . 2008-07-21 15:44 <DIR> d-------- F:\Deckard
2008-07-21 13:31 . 2008-07-21 13:31 <DIR> d-------- F:\Program Files\Microsoft ActiveSync
2008-07-20 17:12 . 2008-07-20 17:12 <DIR> d-------- F:\Documents and Settings\arif obaid\Application Data\iofyxrlh
2008-07-20 15:08 . 2008-07-20 15:08 <DIR> d-------- F:\Documents and Settings\NetworkService\Application Data\iofyxrlh
2008-07-20 00:13 . 2008-07-21 14:28 22,068 --a------ F:\Documents and Settings\All Users\Application Data\ustore.dat
2008-07-19 22:12 . 2008-07-19 22:12 268 --ah----- F:\sqmdata15.sqm
2008-07-19 22:12 . 2008-07-19 22:12 244 --ah----- F:\sqmnoopt15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 09:37 103,424 ----a-w F:\WINDOWS\system32\qyqcxzi.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-21_14.40.59.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-20 08:16:00 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut4.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-07-21 10:12:52 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut4.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-07-20 08:16:00 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut5.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-07-21 10:12:52 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut5.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-06-09 20:21:02 135,168 ----a-w F:\WINDOWS\system32\java.exe
+ 2008-06-09 20:21:04 135,168 ----a-w F:\WINDOWS\system32\javaw.exe
+ 2008-06-09 21:32:34 139,264 ----a-w F:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}]
F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp\dmA8.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEDFB95E-FFF6-4761-A700-BD4802533A21}]
2008-07-21 14:37 103424 --a------ f:\windows\system32\yjwpicu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-03-23 16:33 126976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\system32\igfxtray.exe" [2004-11-02 06:03 155648]
"HotKeysCmds"="F:\WINDOWS\system32\hkcmd.exe" [2004-11-02 05:59 126976]
"LtMoh"="F:\Program Files\ltmoh\Ltmoh.exe" [2003-04-28 12:08 184320]
"IntelWireless"="F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"EOUApp"="F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31 356352]
"HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="F:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"USBDetector"="C:\USBStorage\USBDetector.exe" [2004-01-07 14:55 53248]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2008-06-07 15:19 413696]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="F:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-03-23 16:33 126976]
"MSKDetectorExe"="F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [2005-03-23 15:47 1111040]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 10:38 88361 F:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 17:04 77824 F:\WINDOWS\SOUNDMAN.EXE]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-03-29 14:13:20 49254]
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 11:27 110592 F:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingo31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvd28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwe85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwf42.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"65075:TCP"= 65075:TCP:@xpsp2res.dll,-22009
"22834:TCP"= 22834:TCP:@xpsp2res.dll,-22009
"10032:TCP"= 10032:TCP:@xpsp2res.dll,-22009
"19763:TCP"= 19763:TCP:@xpsp2res.dll,-22009
"57139:TCP"= 57139:TCP:@xpsp2res.dll,-22009
"43059:TCP"= 43059:TCP:@xpsp2res.dll,-22009
"12083:TCP"= 12083:TCP:@xpsp2res.dll,-22009
"6706:TCP"= 6706:TCP:@xpsp2res.dll,-22009
"36147:TCP"= 36147:TCP:@xpsp2res.dll,-22009
"2354:TCP"= 2354:TCP:@xpsp2res.dll,-22009
"6707:TCP"= 6707:TCP:@xpsp2res.dll,-22009
"13362:TCP"= 13362:TCP:@xpsp2res.dll,-22009
"50227:TCP"= 50227:TCP:@xpsp2res.dll,-22009
"563:TCP"= 563:TCP:@xpsp2res.dll,-22009
"5939:TCP"= 5939:TCP:@xpsp2res.dll,-22009
"7730:TCP"= 7730:TCP:@xpsp2res.dll,-22009
"48435:TCP"= 48435:TCP:@xpsp2res.dll,-22009
"42035:TCP"= 42035:TCP:@xpsp2res.dll,-22009
"41776:TCP"= 41776:TCP:@xpsp2res.dll,-22009

R0 gfjhzztk;gfjhzztk;F:\WINDOWS\system32\drivers\gfjhzztk.sys [2001-08-23 14:00]
S0 Wingo31;Wingo31;F:\WINDOWS\system32\Drivers\Wingo31.sys []
S0 Winvd28;Winvd28;F:\WINDOWS\system32\Drivers\Winvd28.sys []
S0 Winwe85;Winwe85;F:\WINDOWS\system32\Drivers\Winwe85.sys []
S0 Winwf42;Winwf42;F:\WINDOWS\system32\Drivers\Winwf42.sys []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xport to Microsoft Excel - F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{A8A54765-37DB-4AB7-9448-1DD4346F3902}: NameServer = 203.81.204.23,203.81.204.3


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 00:07:11
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
F:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDETECT.EXE
F:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHIELD.EXE
F:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
F:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
F:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\ZCFGSVC.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\OPROTSVC.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\REGSRVC.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\1XCONFIG.EXE
F:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
F:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
F:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
F:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-08-10 0:09:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-09 19:09:46
ComboFix2.txt 2008-07-21 09:41:26

Pre-Run: 1,780,125,696 bytes free
Post-Run: 2,025,852,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=C:\$WIN_NT$.~BT\BOOTSECT.DAT
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 10 August 2008 - 12:15 AM

Hello, googly.

Do you have a partially installed copy of Windows on this machine?

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    KillAll::
    
    Rootkit::
    F:\WINDOWS\system32\drivers\gfjhzztk.sys
    f:\windows\system32\yjwpicu.dll
    F:\WINDOWS\system32\qyqcxzi.dll
    F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp\dmA8.dll
    F:\WINDOWS\system32\Drivers\Wingo31.sys
    F:\WINDOWS\system32\Drivers\Winvd28.sys
    F:\WINDOWS\system32\Drivers\Winwe85.sys
    F:\WINDOWS\system32\Drivers\Winwf42.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEDFB95E-FFF6-4761-A700-BD4802533A21}]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingo31.sys]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvd28.sys]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwe85.sys]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwf42.sys]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "80:TCP"=-
    "65075:TCP"=-
    "22834:TCP"=-
    "10032:TCP"=-
    "19763:TCP"=-
    "57139:TCP"=-
    "43059:TCP"=-
    "12083:TCP"=-
    "6706:TCP"=-
    "36147:TCP"=-
    "2354:TCP"=-
    "6707:TCP"=-
    "13362:TCP"=-
    "50227:TCP"=-
    "563:TCP"=-
    "5939:TCP"=-
    "7730:TCP"=-
    "48435:TCP"=-
    "42035:TCP"=-
    "41776:TCP"=-
    
    Driver::
    gfjhzztk
    Wingo31
    Winvd28
    Winwe85
    Winwf42
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
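The CFScript above acts on three kinds of artifact visible in the ComboFix log: the burst of globally open firewall ports that all carry the same display label, boot-start drivers whose file the log could not date (the empty `[]`), and files ComboFix reported it could not delete. As an added example that is not part of this thread and not ComboFix's own code, here is a Python triage script that parses those log sections from a constructed excerpt in the same format, flags entries by those heuristics, and renders the matching Registry::/Driver:: fragment in the CFScript syntax shown above; the expected-port allowlist and the label-reuse threshold are assumptions made for the example.

```python
"""Triage helper for the ComboFix log sections quoted in this thread.

Added example, not part of the thread and not ComboFix's own code.
"""
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed excerpt in the format of the ComboFix log quoted in this thread.
# The 5353:UDP entry and the s24trans line are constructed "known good" items.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"65075:TCP"= 65075:TCP:@xpsp2res.dll,-22009
"22834:TCP"= 22834:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour

R0 gfjhzztk;gfjhzztk;F:\WINDOWS\system32\drivers\gfjhzztk.sys [2001-08-23 14:00]
S0 Wingo31;Wingo31;F:\WINDOWS\system32\Drivers\Wingo31.sys []
R2 s24trans;WLAN Transport;F:\WINDOWS\system32\drivers\s24trans.sys [2004-10-15 11:27]

F:\WINDOWS\system32\qyqcxzi.dll . . . . failed to delete
"""

PORTS_KEY = r"GloballyOpenPorts\List"
# "port:proto"= port:proto:<label>   (the abbreviated form ComboFix prints)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# R0 name;display;path [timestamp]   (timestamp empty when the file is undated)
DRIVER_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$')
FAILED_RE = re.compile(r'^(.+?)(?: \.)+ failed to delete$')

# Assumptions for this example: ports an administrator expects to be open, and
# how many distinct ports may share one display label before it looks like a
# label copied to blend in (the log in this thread had 20 sharing one).
EXPECTED_PORTS = {(80, "TCP"), (5353, "UDP")}
LABEL_REUSE_THRESHOLD = 3


class PortEntry(NamedTuple):
    port: int
    proto: str
    label: str


class DriverEntry(NamedTuple):
    start: str   # R0/S0: start type 0, loaded at boot
    name: str
    path: str
    stamp: str   # empty when the log printed []


class ParsedLog(NamedTuple):
    ports: List[PortEntry]
    drivers: List[DriverEntry]
    failed: List[str]


class Findings(NamedTuple):
    rogue_ports: List[PortEntry]
    undated_drivers: List[DriverEntry]
    failed_deletes: List[str]


def parse_log(text: str) -> ParsedLog:
    """Walk the log line by line; a blank line ends a registry-key section."""
    ports, drivers, failed = [], [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        if line.startswith("[") and line.endswith("]"):
            section = "ports" if line.endswith(PORTS_KEY + "]") else "other"
            continue
        if section == "ports":
            m = PORT_RE.match(line)
            if m:
                ports.append(PortEntry(int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(DriverEntry(m.group(1), m.group(2), m.group(4), m.group(5)))
            continue
        m = FAILED_RE.match(line)
        if m:
            failed.append(m.group(1))
    return ParsedLog(ports, drivers, failed)


def triage(parsed: ParsedLog) -> Findings:
    """Flag unexpected or label-reusing ports and undated boot drivers."""
    label_count = Counter(p.label for p in parsed.ports)
    rogue = [p for p in parsed.ports
             if (p.port, p.proto) not in EXPECTED_PORTS
             or label_count[p.label] >= LABEL_REUSE_THRESHOLD]
    undated = [d for d in parsed.drivers if not d.stamp]
    return Findings(rogue, undated, list(parsed.failed))


def cfscript_fragment(f: Findings) -> str:
    """Render Registry::/Driver:: directives in the CFScript syntax used above."""
    out = []
    if f.rogue_ports:
        out += ["Registry::",
                r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess"
                r"\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"]
        out += [f'"{p.port}:{p.proto}"=-' for p in f.rogue_ports]
    if f.undated_drivers:
        out += ["", "Driver::"] + [d.name for d in f.undated_drivers]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for path in found.failed_deletes:
        print("still present after ComboFix, needs another tool:", path)
    print(cfscript_fragment(found))
```

The fragment is meant to be read against the full log before it is pasted into CFScript.txt; the parser only understands the abbreviated value form ComboFix prints, not a raw registry export.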

#7 googly

googly
  • Topic Starter

  • Members
  • 6 posts

Posted 10 August 2008 - 04:27 AM

Hi Billy,

Yes, I have another version of Windows XP installed on drive C. However, I boot from drive F where I have another version installed.

Here is the result after following your instructions:

ComboFix 08-08-08.08 - arif obaid 2008-08-10 14:15:19.3 - FAT32x86
Running from: F:\Documents and Settings\arif obaid\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\arif obaid\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp\dmA8.dll
F:\WINDOWS\system32\Drivers\Wingo31.sys
F:\WINDOWS\system32\Drivers\Winvd28.sys
F:\WINDOWS\system32\Drivers\Winwe85.sys
F:\WINDOWS\system32\Drivers\Winwf42.sys
F:\WINDOWS\system32\drivers\gfjhzztk.sys . . . . failed to delete
F:\WINDOWS\system32\qyqcxzi.dll . . . . failed to delete
f:\windows\system32\yjwpicu.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GFJHZZTK
-------\Legacy_GLASRJOQ
-------\Legacy_WINVD28
-------\Legacy_WINWE85
-------\Service_gfjhzztk
-------\Service_glasrjoq
-------\Service_Wingo31
-------\Service_Winvd28
-------\Service_Winwe85
-------\Service_Winwf42


((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 00:40 . 2008-08-09 00:40 <DIR> d-------- F:\WINDOWS\Sun
2008-08-09 00:40 . 2008-08-09 00:40 <DIR> d-------- F:\Program Files\Sun
2008-08-09 00:39 . 2008-06-10 02:32 73,728 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-08-09 00:38 . 2008-08-09 00:38 <DIR> d-------- F:\Program Files\Java
2008-08-09 00:32 . 2008-08-09 00:32 <DIR> d-------- F:\Program Files\Common Files\Java
2008-08-02 23:17 . 2008-08-02 23:17 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\MCA3C.tmp
2008-08-02 23:10 . 2008-08-02 23:10 <DIR> d-------- F:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-07-29 22:12 . 2008-07-29 22:12 268 --ah----- F:\sqmdata16.sqm
2008-07-29 22:12 . 2008-07-29 22:12 244 --ah----- F:\sqmnoopt16.sqm
2008-07-23 15:20 . 2005-08-10 11:22 114,464 --a------ F:\WINDOWS\system32\drivers\naiavf5x.sys
2008-07-23 12:06 . 2008-07-23 12:06 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 12:05 . 2008-07-23 12:05 <DIR> d-------- F:\Program Files\McAfee
2008-07-23 12:05 . 2008-07-23 12:05 <DIR> d-------- F:\Documents and Settings\arif obaid\Application Data\McAfee
2008-07-23 12:05 . 2008-07-23 12:05 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- F:\Program Files\McAfee.com
2008-07-23 12:04 . 2005-10-18 11:08 349,760 --a------ F:\WINDOWS\system32\mcinsctl.dll
2008-07-23 12:04 . 2005-05-24 19:23 288,320 --a------ F:\WINDOWS\system32\McGDMgr.dll
2008-07-21 15:46 . 2008-07-21 15:46 <DIR> d-------- F:\Program Files\Trend Micro
2008-07-21 15:44 . 2008-07-21 15:44 <DIR> d-------- F:\Deckard
2008-07-21 13:31 . 2008-07-21 13:31 <DIR> d-------- F:\Program Files\Microsoft ActiveSync
2008-07-20 17:12 . 2008-07-20 17:12 <DIR> d-------- F:\Documents and Settings\arif obaid\Application Data\iofyxrlh
2008-07-20 15:08 . 2008-07-20 15:08 <DIR> d-------- F:\Documents and Settings\NetworkService\Application Data\iofyxrlh
2008-07-20 00:13 . 2008-07-21 14:28 22,068 --a------ F:\Documents and Settings\All Users\Application Data\ustore.dat
2008-07-19 22:12 . 2008-07-19 22:12 268 --ah----- F:\sqmdata15.sqm
2008-07-19 22:12 . 2008-07-19 22:12 244 --ah----- F:\sqmnoopt15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 09:17 23,424 ----a-w F:\WINDOWS\system32\drivers\meocnick.sys
2008-07-21 09:37 103,424 ----a-w F:\WINDOWS\system32\qyqcxzi.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-21_14.40.59.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-20 08:16:00 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut4.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-07-21 10:12:52 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut4.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-07-20 08:16:00 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut5.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-07-21 10:12:52 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut5.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-06-09 20:21:02 135,168 ----a-w F:\WINDOWS\system32\java.exe
+ 2008-06-09 20:21:04 135,168 ----a-w F:\WINDOWS\system32\javaw.exe
+ 2008-06-09 21:32:34 139,264 ----a-w F:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}]
F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp\dmA8.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BEDFB95E-FFF6-4761-A700-BD4802533A21}]
2008-07-21 14:37 103424 --a------ f:\windows\system32\yjwpicu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-03-23 16:33 126976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\system32\igfxtray.exe" [2004-11-02 06:03 155648]
"HotKeysCmds"="F:\WINDOWS\system32\hkcmd.exe" [2004-11-02 05:59 126976]
"LtMoh"="F:\Program Files\ltmoh\Ltmoh.exe" [2003-04-28 12:08 184320]
"IntelWireless"="F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"EOUApp"="F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31 356352]
"HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="F:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"USBDetector"="C:\USBStorage\USBDetector.exe" [2004-01-07 14:55 53248]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2008-06-07 15:19 413696]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="F:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-03-23 16:33 126976]
"MSKDetectorExe"="F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [2005-03-23 15:47 1111040]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 10:38 88361 F:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 17:04 77824 F:\WINDOWS\SOUNDMAN.EXE]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-03-29 14:13:20 49254]
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 11:27 110592 F:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe"=

R0 gfjhzztk;gfjhzztk;F:\WINDOWS\system32\drivers\gfjhzztk.sys [2008-08-10 14:17]

*Newly Created Service* - GFJHZZTK
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 14:20:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
F:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDETECT.EXE
F:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHIELD.EXE
F:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
F:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
F:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\OPROTSVC.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\ZCFGSVC.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\REGSRVC.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\1XCONFIG.EXE
F:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
F:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
F:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOM~1.EXE
F:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
F:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-08-10 14:22:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 09:22:36
ComboFix3.txt 2008-07-21 09:41:26
ComboFix2.txt 2008-08-09 19:10:06

Pre-Run: 1,940,762,624 bytes free
Post-Run: 2,037,084,160 bytes free


#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 10 August 2008 - 12:10 PM

Hello, googly.
Grrr... it's being stubborn...

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Please download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it and pressing (<Control> + C), or by right-clicking and selecting "Copy".
    drivers to delete:
    gfjhzztk
    
    files to delete:
    F:\WINDOWS\system32\drivers\gfjhzztk.sys
    F:\WINDOWS\system32\qyqcxzi.dll
    f:\windows\system32\yjwpicu.dll
    
    registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEDFB95E-FFF6-4761-A700-BD4802533A21}
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (<Control> + V) or by right-clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
In your next reply, please include the following:
  • Avenger's Log
  • DSS's Main.txt
  • DSS's Extra.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 googly

googly
  • Topic Starter

  • Members
  • 6 posts

Posted 11 August 2008 - 07:07 AM

Hi Billy,

Here's the result:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gfjhzztk" deleted successfully.
File "F:\WINDOWS\system32\drivers\gfjhzztk.sys" deleted successfully.
File "F:\WINDOWS\system32\qyqcxzi.dll" deleted successfully.
File "f:\windows\system32\yjwpicu.dll" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BEDFB95E-FFF6-4761-A700-BD4802533A21}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Deckard's System Scanner v20071014.68
Run by arif obaid on 2008-08-11 17:02:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-08-11 12:02:52 UTC - RP8 - Deckard's System Scanner Restore Point
1: 2008-08-11 11:50:18 UTC - RP7 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as arif obaid.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:16 PM, on 11/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
F:\WINDOWS\system32\igfxtray.exe
F:\WINDOWS\system32\hkcmd.exe
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\ltmoh\Ltmoh.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\USBStorage\USBDetector.exe
F:\Program Files\McAfee.com\VSO\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
F:\Program Files\McAfee.com\VSO\oasclnt.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\WINDOWS\system32\wuauclt.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Documents and Settings\arif obaid\desktop\dss.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\ARIFOB~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] F:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelWireless] F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8A54765-37DB-4AB7-9448-1DD4346F3902}: NameServer = 203.81.204.23,203.81.204.3
O20 - Winlogon Notify: hgtqvfqm - yjwpicu.dll (file missing)
O23 - Service: EvtEng - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: OwnershipProtocol - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8409 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - f:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 s24trans (WLAN Transport) - f:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MskService (McAfee SpamKiller Server) - f:\progra~1\mcafee\spamki~1\msksrvr.exe <Not Verified; McAfee Inc.; McAfee SpamKiller>
R2 OwnershipProtocol - f:\program files\intel\wireless\bin\oprotsvc.exe <Not Verified; Intel Corporation; Intel PROSet/Wireless>
R2 RegSrvc - f:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: PCI FLASH Memory
Device ID: PCI\VEN_1524&DEV_0530&SUBSYS_001214C0&REV_00\4&1D3F0FBB&0&21F0
Manufacturer:
Name: PCI FLASH Memory
PNP Device ID: PCI\VEN_1524&DEV_0530&SUBSYS_001214C0&REV_00\4&1D3F0FBB&0&21F0
Service:


-- Process Modules -------------------------------------------------------------

F:\WINDOWS\system32\winlogon.exe (pid 916)
2004-10-15 11:27:42 110592 --a------ F:\Program Files\Intel\Wireless\Bin\LgNotify.dll <Not Verified; Intel Corporation; LogonNotify Dynamic Link Library>

F:\WINDOWS\explorer.exe (pid 372)
2005-03-23 16:34:06 86016 --a------ F:\Program Files\McAfee\SpamKiller\MSKOEPlg.dll <Not Verified; McAfee Inc.; McAfee SpamKiller>
2005-09-26 18:12:52 98304 --a------ F:\Program Files\McAfee.com\VSO\McVSSkt.Dll <Not Verified; McAfee, Inc.; McAfee VirusScan>
2007-08-30 17:43:14 6144 --a------ F:\Program Files\Yahoo!\Messenger\idle.dll <Not Verified; Yahoo! Inc.; Yahoo! Messenger>


-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-09 00:40:30 0 d-------- F:\WINDOWS\Sun
2008-08-09 00:40:30 0 d-------- F:\Documents and Settings\arif obaid\Application Data\Sun
2008-08-09 00:40:11 0 d-------- F:\Program Files\Sun
2008-08-09 00:38:26 0 d-------- F:\Program Files\Java
2008-08-09 00:32:01 0 d-------- F:\Program Files\Common Files\Java
2008-08-02 23:17:29 0 d-------- F:\Documents and Settings\All Users\Application Data\MCA3C.tmp
2008-08-02 23:10:50 0 d-------- F:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-02 23:10:00 0 d-------- F:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-08-02 23:09:59 0 dr------- F:\Documents and Settings\LocalService\Favorites
2008-07-23 12:06:18 0 d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 12:05:32 0 d-------- F:\Program Files\McAfee
2008-07-23 12:05:32 0 d-------- F:\Documents and Settings\arif obaid\Application Data\McAfee
2008-07-23 12:05:27 0 d-------- F:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-23 12:04:55 0 d-------- F:\Program Files\McAfee.com
2008-07-21 15:46:37 0 d-------- F:\Program Files\Trend Micro
2008-07-21 14:33:49 68096 --a------ F:\WINDOWS\zip.exe
2008-07-21 14:33:49 49152 --a------ F:\WINDOWS\VFind.exe
2008-07-21 14:33:49 212480 --a------ F:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-21 14:33:49 136704 --a------ F:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-21 14:33:49 161792 --a------ F:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-21 14:33:49 98816 --a------ F:\WINDOWS\sed.exe
2008-07-21 14:33:49 80412 --a------ F:\WINDOWS\grep.exe
2008-07-21 14:33:49 89504 --a------ F:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-21 13:31:04 0 d-------- F:\Program Files\Microsoft ActiveSync
2008-07-20 17:12:46 0 d-------- F:\Documents and Settings\arif obaid\Application Data\Mozilla
2008-07-20 17:12:42 0 d-------- F:\Documents and Settings\arif obaid\Application Data\iofyxrlh
2008-07-20 15:08:14 0 d-------- F:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-07-20 15:08:12 0 d-------- F:\Documents and Settings\NetworkService\Application Data\iofyxrlh
2008-07-20 00:13:32 22068 --a------ F:\Documents and Settings\All Users\Application Data\ustore.dat


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\system32\igfxtray.exe" [02/11/2004 06:03 AM]
"HotKeysCmds"="F:\WINDOWS\system32\hkcmd.exe" [02/11/2004 05:59 AM]
"AGRSMMSG"="AGRSMMSG.exe" [22/07/2004 10:38 AM F:\WINDOWS\AGRSMMSG.exe]
"LtMoh"="F:\Program Files\ltmoh\Ltmoh.exe" [28/04/2003 12:08 PM]
"SoundMan"="SOUNDMAN.EXE" [20/01/2005 05:04 PM F:\WINDOWS\SOUNDMAN.EXE]
"IntelWireless"="F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [15/10/2004 11:27 AM]
"EOUApp"="F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [15/10/2004 11:31 AM]
"HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd.exe" [04/08/2003 05:28 PM]
"HP Component Manager"="F:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 08:38 AM]
"USBDetector"="C:\USBStorage\USBDetector.exe" [07/01/2004 02:55 PM]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [07/06/2008 03:19 PM]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [08/07/2005 06:18 PM]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [10/08/2005 12:49 PM]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [22/09/2005 06:29 PM]
"MCUpdateExe"="F:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [11/01/2006 12:05 PM]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [23/03/2005 04:33 PM]
"MSKDetectorExe"="F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [23/03/2005 03:47 PM]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [11/08/2005 10:02 PM]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"Yahoo! Pager"="F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [30/08/2007 05:43 PM]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [23/03/2005 04:33 PM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [29/03/2008 2:13:20 PM]
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [16/09/2003 5:19:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgtqvfqm]
yjwpicu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
F:\Program Files\Intel\Wireless\Bin\LgNotify.dll 15/10/2004 11:27 AM 110592 F:\Program Files\Intel\Wireless\Bin\LgNotify.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
glasrjoq




-- End of Deckard's System Scanner: finished at 2008-08-11 17:04:24 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.73GHz
Percentage of Memory in Use: 81%
Physical Memory (total/avail): 503.42 MiB / 93.93 MiB
Pagefile Memory (total/avail): 1230.3 MiB / 837.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1909.08 MiB

C: is Fixed (FAT32) - 9.76 GiB total, 2.08 GiB free.
D: is Fixed (FAT32) - 9.76 GiB total, 6.69 GiB free.
E: is Fixed (FAT32) - 9.76 GiB total, 5.75 GiB free.
F: is Fixed (FAT32) - 7.94 GiB total, 1.89 GiB free.
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400UE-00HCT0 - 37.26 GiB - 4 partitions
\PARTITION0 (bootable) - Unknown - 9.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 27.49 GiB - D: - E: - F:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\Messenger\\msmsgs.exe"="F:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="F:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe"="D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe:*:Enabled:AirPort Admin Utility for Windows"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=F:\Documents and Settings\All Users
APPDATA=F:\Documents and Settings\arif obaid\Application Data
CommonProgramFiles=F:\Program Files\Common Files
COMPUTERNAME=ARIF
ComSpec=F:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=F:
HOMEPATH=\Documents and Settings\arif obaid
LOGONSERVER=\\ARIF
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=F:\WINDOWS\system32;F:\WINDOWS;F:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=F:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=F:
SystemRoot=F:\WINDOWS
TEMP=F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp
TMP=F:\DOCUME~1\ARIFOB~1\LOCALS~1\Temp
USERDOMAIN=ARIF
USERNAME=arif obaid
USERPROFILE=F:\Documents and Settings\arif obaid
windir=F:\WINDOWS


-- User Profiles ---------------------------------------------------------------

arif obaid (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> F:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> F:\WINDOWS\ISUNINST.EXE -f"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> F:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems AC'97 Modem --> agrsmdel
HP Image Zone 3.5 --> F:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "F:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{34957B51-9676-41CE-9E52-44AE91B73F1C}
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE F:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> F:\WINDOWS\Installer\iProInst.exe
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LiveUpdate 2.0 (Symantec Corporation) --> F:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
McAfee SecurityCenter --> f:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=f:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee SpamKiller --> f:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /appid=MSK /uninstall=1 /interact=1 /script_proactive=0 /start="f:\PROGRA~1\mcafee.com\agent\uninst\mskremui.dll::uninstall.htm"
McAfee VirusScan --> f:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=f:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU.msi --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SOAP Toolkit 3.0 --> MsiExec.exe /I{BCB4C18A-ACA6-4383-8688-E19933A705DD}
Microsoft Visual FoxPro 9.0 Professional - English --> f:\Program Files\Microsoft Visual FoxPro 9\setup\Visual FoxPro 9.0 Professional - English\setup.exe /MaintMode
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
PL-2303 USB-to-Serial --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
Qualcomm Multimedia USB Ver. 1.00 --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{9101E5A0-66C8-11D4-A511-00C04F9643C9}\setup.exe" -uninst
Realtek AC'97 Audio --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Yahoo! Browser Services --> F:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> F:\WINDOWS\system32\regsvr32 /u F:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> F:\WINDOWS\system32\regsvr32 /u /s F:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> F:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U F:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! uC --> F:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE


-- Application Event Log -------------------------------------------------------

Event Record #/Type4949 / Error
Event Submitted/Written: 07/23/2008 00:49:37 PM
Event ID/Source: 11335 / MsiInstaller
Event Description:
Product: Microsoft Office XP Professional with FrontPage -- Error 1335. The cabinet file 'OFFICE1.CAB' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Event Record #/Type4929 / Warning
Event Submitted/Written: 07/23/2008 00:01:02 PM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type4918 / Warning
Event Submitted/Written: 07/23/2008 10:14:03 AM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type4907 / Warning
Event Submitted/Written: 07/22/2008 09:05:03 PM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.

Event Record #/Type4896 / Warning
Event Submitted/Written: 07/22/2008 11:39:41 AM
Event ID/Source: 22 / Symantec AntiVirus
Event Description:
Symantec AntiVirus Auto-Protect failed to load.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24748 / Error
Event Submitted/Written: 08/11/2008 04:57:56 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
PCIIde

Event Record #/Type24743 / Error
Event Submitted/Written: 08/11/2008 04:57:52 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Realtek RTL8139/810x/8169/8110 all in one NDIS XP Support service terminated with the following error:
%%126

Event Record #/Type24659 / Warning
Event Submitted/Written: 08/11/2008 04:02:15 PM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by WINLOGON.EXE.

Event Record #/Type24556 / Error
Event Submitted/Written: 08/10/2008 02:20:05 PM
Event ID/Source: 32003 / ipnathlp
Event Description:
The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

Event Record #/Type24555 / Warning
Event Submitted/Written: 08/10/2008 02:20:00 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0012F0263390. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-08-11 17:04:24 ------------

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:26 PM

Posted 11 August 2008 - 08:25 AM

Hello, googly.
Looks like that got most of what causes it to hide. Should just be a little cleanup now :thumbsup:

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    folder::
    F:\Documents and Settings\arif obaid\Application Data\iofyxrlh
    F:\Documents and Settings\NetworkService\Application Data\iofyxrlh
    
    registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgtqvfqm] 
    
    [-HKEY_CLASSES_ROOT\CLSID\{B6FA912D-1825-4CA2-A219-CDE47DB9819C}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{BEDFB95E-FFF6-4761-A700-BD4802533A21}]
    
    netsvc::
    glasrjoq
    
    driver::
    glasrjoq
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-Language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use +A)
  • Right-click again and choose "Copy" (or +C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Please let me know of any problems you may have encountered.

In your next reply, please include the following:
  • ComboFix.txt
  • ESET OnlineScan's Log
  • A New HiJack This log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
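The directives above target the two persistence points visible in the Deckard's System Scanner log earlier in the thread: a Winlogon Notify package whose DLL is listed by bare name only (no path, no on-disk metadata), and a non-default member of the svchost NetSvcs group. The Python script below is an added example, not code from this thread, from ComboFix or from Deckard's System Scanner. It parses a constructed excerpt of that Registry Dump section (values copied from the post), flags entries of those two kinds, and prints them in the same directive layout the CFScript above uses. The two heuristics (bare DLL name under Winlogon\Notify; any entry listed under NetSvcs, since Deckard hides default entries) are assumptions drawn from how this log format reads, not a documented Deckard feature.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the "Registry Dump" section of the Deckard's
# System Scanner log posted earlier in this thread (values copied from that post).
SAMPLE_LOG = r"""
-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\system32\igfxtray.exe" [02/11/2004 06:03 AM]
"AGRSMMSG"="AGRSMMSG.exe" [22/07/2004 10:38 AM F:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgtqvfqm]
yjwpicu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
F:\Program Files\Intel\Wireless\Bin\LgNotify.dll 15/10/2004 11:27 AM 110592 F:\Program Files\Intel\Wireless\Bin\LgNotify.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
glasrjoq

-- End of Deckard's System Scanner: finished at 2008-08-11 17:04:24 ------------
"""

HEADER_RE = re.compile(r"^\[(.+)\]$")       # bracketed registry key line
NETSVCS_HEADER = "svchost - netsvcs"         # Deckard's unbracketed NetSvcs header


@dataclass
class Finding:
    kind: str    # "winlogon_notify" or "netsvcs"
    name: str    # Notify subkey name or service name
    key: str     # registry path the entry was listed under
    detail: str


def parse_registry_dump(text):
    """Split the Registry Dump section into {header: [value lines]}.
    A header is a bracketed key path or the NetSvcs line; its values run
    until the next blank line. Lines outside the section are ignored."""
    sections, current, in_dump = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-- Registry Dump"):
            in_dump = True
            continue
        if line.startswith("-- End of"):
            break
        if not in_dump:
            continue
        if not line:                      # blank line closes the current key
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.lower().endswith(NETSVCS_HEADER):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def find_suspicious(sections):
    """Apply the two heuristics described in the lead-in (assumptions)."""
    findings = []
    for header, values in sections.items():
        h = header.lower()
        if "\\winlogon\\notify\\" in h:
            subkey = header.rsplit("\\", 1)[1]
            for v in values:
                # Legitimate entries in this log carry a full path plus file
                # metadata; a bare DLL name is resolved via the loader search
                # order and gives no on-disk evidence to verify.
                if "\\" not in v:
                    findings.append(Finding("winlogon_notify", subkey, header,
                                            f"bare DLL name {v!r} under Winlogon\\Notify"))
        elif h.endswith(NETSVCS_HEADER):
            for v in values:
                findings.append(Finding("netsvcs", v, header,
                                        "non-default NetSvcs member (defaults are hidden)"))
    return findings


def cfscript_lines(findings):
    """Render findings in the directive layout used in this thread's CFScript:
    registry:: with [-KEY] lines, then netsvc:: and driver:: with service names.
    This is a review aid; the analyst decides what goes into the real script."""
    reg = [f"[-{f.key}]" for f in findings if f.kind == "winlogon_notify"]
    svcs = [f.name for f in findings if f.kind == "netsvcs"]
    lines = []
    if reg:
        lines += ["registry::", *reg, ""]
    if svcs:
        lines += ["netsvc::", *svcs, "", "driver::", *svcs]
    return lines


if __name__ == "__main__":
    found = find_suspicious(parse_registry_dump(SAMPLE_LOG))
    for f in found:
        print(f"{f.kind}: {f.name} - {f.detail}")
    print()
    print("\n".join(cfscript_lines(found)))
```

Run on the excerpt it reports the hgtqvfqm Notify package and the glasrjoq service and leaves the IntelWireless entry alone, since that one is listed with a full path and file metadata. The emitted block matches the registry::, netsvc:: and driver:: lines in the CFScript above; the folder:: lines and CLSID removals in that script come from other parts of the logs and are outside what this excerpt covers.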

#11 googly

googly
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:26 PM

Posted 12 August 2008 - 03:04 PM

Hi Billy,

Here are the logs after following your instructions:

ComboFix 08-08-08.08 - arif obaid 2008-08-12 21:58:12.4 - FAT32x86
Running from: F:\Documents and Settings\arif obaid\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\arif obaid\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Documents and Settings\arif obaid\Application Data\iofyxrlh
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\profiles.ini
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\cert8.db
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\compatibility.ini
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\compreg.dat
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\cookies.sqlite
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\formhistory.sqlite
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\key3.db
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\localstore.rdf
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\permissions.sqlite
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\places.sqlite-journal
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\places.sqlite
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\pluginreg.dat
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\prefs.js
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\secmod.db
F:\Documents and Settings\arif obaid\Application Data\iofyxrlh\Profiles\dem8c4zc.default\xpti.dat
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\profiles.ini
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\cert8.db
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\compatibility.ini
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\compreg.dat
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\cookies.sqlite
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\formhistory.sqlite
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\key3.db
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\localstore.rdf
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\permissions.sqlite
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\places.sqlite-journal
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\places.sqlite-stmtjrnl
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\places.sqlite
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\pluginreg.dat
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\prefs.js
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\secmod.db
F:\Documents and Settings\NetworkService\Application Data\iofyxrlh\Profiles\ziyhmjyn.default\xpti.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GLASRJOQ
-------\Service_glasrjoq


((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-09 00:40 . 2008-08-09 00:40 <DIR> d-------- F:\WINDOWS\Sun
2008-08-09 00:40 . 2008-08-09 00:40 <DIR> d-------- F:\Program Files\Sun
2008-08-09 00:39 . 2008-06-10 02:32 73,728 --a------ F:\WINDOWS\system32\javacpl.cpl
2008-08-09 00:38 . 2008-08-09 00:38 <DIR> d-------- F:\Program Files\Java
2008-08-09 00:32 . 2008-08-09 00:32 <DIR> d-------- F:\Program Files\Common Files\Java
2008-08-02 23:17 . 2008-08-02 23:17 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\MCA3C.tmp
2008-08-02 23:10 . 2008-08-02 23:10 <DIR> d-------- F:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-07-29 22:12 . 2008-07-29 22:12 268 --ah----- F:\sqmdata16.sqm
2008-07-29 22:12 . 2008-07-29 22:12 244 --ah----- F:\sqmnoopt16.sqm
2008-07-23 15:20 . 2005-08-10 11:22 114,464 --a------ F:\WINDOWS\system32\drivers\naiavf5x.sys
2008-07-23 12:06 . 2008-07-23 12:06 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee
2008-07-23 12:05 . 2008-07-23 12:05 <DIR> d-------- F:\Program Files\McAfee
2008-07-23 12:05 . 2008-07-23 12:05 <DIR> d-------- F:\Documents and Settings\arif obaid\Application Data\McAfee
2008-07-23 12:05 . 2008-07-23 12:05 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\McAfee.com
2008-07-23 12:04 . 2008-07-23 12:04 <DIR> d-------- F:\Program Files\McAfee.com
2008-07-23 12:04 . 2005-10-18 11:08 349,760 --a------ F:\WINDOWS\system32\mcinsctl.dll
2008-07-23 12:04 . 2005-05-24 19:23 288,320 --a------ F:\WINDOWS\system32\McGDMgr.dll
2008-07-21 15:46 . 2008-07-21 15:46 <DIR> d-------- F:\Program Files\Trend Micro
2008-07-21 15:44 . 2008-07-21 15:44 <DIR> d-------- F:\Deckard
2008-07-21 13:31 . 2008-07-21 13:31 <DIR> d-------- F:\Program Files\Microsoft ActiveSync
2008-07-20 00:13 . 2008-07-21 14:28 22,068 --a------ F:\Documents and Settings\All Users\Application Data\ustore.dat
2008-07-19 22:12 . 2008-07-19 22:12 268 --ah----- F:\sqmdata15.sqm
2008-07-19 22:12 . 2008-07-19 22:12 244 --ah----- F:\sqmnoopt15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 09:17 23,424 ----a-w F:\WINDOWS\system32\drivers\meocnick.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-21_14.40.59.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-20 08:16:00 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut4.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-07-21 10:12:52 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut4.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-07-20 08:16:00 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut5.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-07-21 10:12:52 40,960 ----a-r F:\WINDOWS\Installer\{848AC794-8B81-440A-81AE-6474337DB527}\NewShortcut5.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-06-09 20:21:02 135,168 ----a-w F:\WINDOWS\system32\java.exe
+ 2008-06-09 20:21:04 135,168 ----a-w F:\WINDOWS\system32\javaw.exe
+ 2008-06-09 21:32:34 139,264 ----a-w F:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Yahoo! Pager"="F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"MsnMsgr"="F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-03-23 16:33 126976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="F:\WINDOWS\system32\igfxtray.exe" [2004-11-02 06:03 155648]
"HotKeysCmds"="F:\WINDOWS\system32\hkcmd.exe" [2004-11-02 05:59 126976]
"LtMoh"="F:\Program Files\ltmoh\Ltmoh.exe" [2003-04-28 12:08 184320]
"IntelWireless"="F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"EOUApp"="F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31 356352]
"HP Software Update"="F:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="F:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"USBDetector"="C:\USBStorage\USBDetector.exe" [2004-01-07 14:55 53248]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2008-06-07 15:19 413696]
"VSOCheckTask"="F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="F:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"MCAgentExe"="f:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="F:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"MSKAGENTEXE"="F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [2005-03-23 16:33 126976]
"MSKDetectorExe"="F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [2005-03-23 15:47 1111040]
"OASClnt"="F:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 10:38 88361 F:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-20 17:04 77824 F:\WINDOWS\SOUNDMAN.EXE]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-03-29 14:13:20 49254]
HP Digital Imaging Monitor.lnk - F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 11:27 110592 F:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\Messenger\\msmsgs.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"F:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Drivers\\Apple Computer\\AirPort Extreme Admin Utility\\Admin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45875:TCP"= 45875:TCP:@xpsp2res.dll,-22009
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 22:03:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
F:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDETECT.EXE
F:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHIELD.EXE
F:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
F:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
F:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\OPROTSVC.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\ZCFGSVC.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\REGSRVC.EXE
F:\PROGRAM FILES\INTEL\WIRELESS\BIN\1XCONFIG.EXE
F:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
F:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
F:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOM~1.EXE
F:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
F:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-08-12 22:06:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-12 17:06:14
ComboFix4.txt 2008-07-21 09:41:26
ComboFix3.txt 2008-08-09 19:10:06
ComboFix2.txt 2008-08-10 09:22:52

Pre-Run: 1,953,685,504 bytes free
Post-Run: 1,994,227,712 bytes free

176

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3349 (20080812)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=67f3d2edec14fe48940433642407a30b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-12 07:36:08
# local_time=2008-08-13 12:36:08 (+0500, West Asia Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=556507
# found=7
# scan_time=6925
C:\WINDOWS\system32\drivers\nffdcfhp.dat Win32/Rootkit.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\test\Local Settings\Temp\gpvofjol.dat probably a variant of Win32/Rootkit.Agent.QQ trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\System Volume Information\_restore{07C0DD2B-0E3C-4AFA-A166-37F4E6D6BFE6}\RP7\A0000032.sys Win32/BHO.EXT trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\QooBox\Quarantine\F\WINDOWS\system32\WinCtrl32.dl_.vir Win32/Wigon.DH trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\QooBox\Quarantine\F\WINDOWS\system32\WinCtrl32.dll.vir Win32/Wigon.DH trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\Udk21.sys.vir Win32/Wigon trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\Winkr28.sys.vir Win32/Wigon.CK trojan (unable to clean - deleted) 00000000000000000000000000000000

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:46 AM, on 13/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
F:\WINDOWS\system32\spoolsv.exe
f:\program files\mcafee.com\agent\mcdetect.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
F:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\igfxtray.exe
F:\WINDOWS\system32\hkcmd.exe
F:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
F:\WINDOWS\AGRSMMSG.exe
F:\Program Files\ltmoh\Ltmoh.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
F:\Program Files\HP\HP Software Update\HPWuSchd.exe
F:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\USBStorage\USBDetector.exe
F:\Program Files\McAfee.com\VSO\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee.com\VSO\oasclnt.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
F:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
f:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! uC - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] F:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] F:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] F:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelWireless] F:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] F:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "F:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "F:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] F:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] F:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [OASClnt] F:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] F:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218570031968
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8A54765-37DB-4AB7-9448-1DD4346F3902}: NameServer = 203.81.204.23,203.81.204.3
O23 - Service: EvtEng - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - f:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - f:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - F:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: OwnershipProtocol - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - F:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8218 bytes

#12 Billy O'Neal (Visual C++ STL Maintainer; Malware Response Team; 12,301 posts; Location: Redmond, Washington)

Posted 12 August 2008 - 03:26 PM

Hello, googly.
You now appear to be clean. Congratulations!

We need to remove ComboFix
  • Click START then RUN
  • Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U; it needs to be there.
We need to clean up our tools.
  • Please download OTMoveIt2 by OldTimer and save it to your desktop.
  • Click the Clean Up button.
  • Accept any prompts.
  • This will remove any tools we used, including OTMoveIt, and will require a reboot.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
The infections you had were "Delf, Vundo, Rootkits"

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.
    You can view a video of the following instructions.
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    Note: You should only do this once!
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
    :)
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
    :)
  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.
    :)
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here.
  • Install and use Spybot Search & Destroy
    Instructions are located here.
    Make sure you update, reimmunize & scan regularly.
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Microsoft Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable it,
    • Run Spybot Search & Destroy
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot Search & Destroy, click on "Tools", and then on Hosts File.
    • Click on "Add Spybot-S&D hosts list"
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start -> Run.
    • Type "services.msc" (without quotes) & click OK.
    • In the list, find the service called "DNS Client" & double click on it.
    • On the dropdown box, change the setting from "Automatic" to "Manual".
    • Click OK.
    • Exit/close the Services window.
    For a more detailed explanation of the HOSTS file, click here.
  • Install a-squared Free & update and scan with it regularly
    a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. You can get it here.
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium rate dialers.
  • Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date!
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
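As an added example (my own code, not from this thread, from ESET or from ComboFix), here is a small triage script for the ESET Online Scanner log posted above, which also illustrates why the "Set a New Restore Point" step in the list above matters: it classifies each detection as a live file, a file sitting inside a System Restore point (the restore-point hit in the log is exactly the kind of leftover that step purges), or a file already in ComboFix's QooBox quarantine, and checks that the header's found= count matches the detection lines. It assumes the whitespace-separated line layout of the log as pasted here, and the sample input is a trimmed, constructed copy of that log.

```python
"""Triage helper for an ESET Online Scanner log (added example, not ESET code)."""
import re
from collections import Counter

# Detection line: <path> <threat> (<action>) <hash>. Windows paths never contain
# '/', while ESET threat names do (e.g. Win32/Wigon.DH), which is what lets the
# regex find where the path ends. Layout assumed from the log as pasted in this thread.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+.*?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})$"
)

def classify(path):
    """Where the detected file lived, which decides the cleanup step it needs."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # can come back via System Restore until old points are purged
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"     # ComboFix's quarantine folder; cleared by 'ComboFix /u'
    return "live"               # still on disk: the real infection indicator

def parse_eset_log(text):
    """Return (header dict from '# key=value' lines, list of detection dicts)."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:  # anything else (e.g. a stray line) is ignored
            d = m.groupdict()
            d["location"] = classify(d["path"])
            detections.append(d)
    return header, detections

def triage(text):
    """Counts per location, the live paths, and whether found= matches the lines."""
    header, detections = parse_eset_log(text)
    counts = Counter(d["location"] for d in detections)
    found = int(header.get("found", "0"))
    return {"counts": dict(counts), "consistent": found == len(detections),
            "live_paths": [d["path"] for d in detections if d["location"] == "live"]}

# Constructed sample: a trimmed copy of the log posted in this thread.
SAMPLE = """# version=4
# found=4
C:\\WINDOWS\\system32\\drivers\\nffdcfhp.dat Win32/Rootkit.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\\Documents and Settings\\test\\Local Settings\\Temp\\gpvofjol.dat probably a variant of Win32/Rootkit.Agent.QQ trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\\System Volume Information\\_restore{07C0DD2B-0E3C-4AFA-A166-37F4E6D6BFE6}\\RP7\\A0000032.sys Win32/BHO.EXT trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\\QooBox\\Quarantine\\F\\WINDOWS\\system32\\WinCtrl32.dll.vir Win32/Wigon.DH trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```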

#13 Billy O'Neal (Visual C++ STL Maintainer; Malware Response Team; 12,301 posts; Location: Redmond, Washington)

Posted 14 August 2008 - 10:42 AM

Hello, googly.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)