
Antispyware2009 And Other Web Browser Popups


  • This topic is locked
7 replies to this topic

#1 The7thSon

The7thSon

  • Members
  • 62 posts

Posted 27 July 2008 - 10:28 AM

Hello!
These sites (Antispyware2009, Spy-Shredder, etc.) constantly pop up, and I would love to be rid of them.

These mods have saved me before, I've got faith in them.

Cheers,
The Seventh Son

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:24 AM, on 27/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitLord\BitLord.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rateyourmusic.com/~The7thSon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [24691e57] rundll32.exe "C:\WINDOWS\system32\huqhpnqd.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: YouTube Uploader.lnk = C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: YouTube Uploader.lnk = C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212376872324
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8931 bytes


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 August 2008 - 05:39 AM

Hi,

Welcome to Bleeping Computer HijackThis forum. I am farbar. I am going to assist you with your problem.

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.

Please give me some time to look it over and I will get back to you as soon as possible. If it takes some time to get back to you, please be patient.
Please refrain from any changes and limit the usage of the computer to a minimum, as a quick look at your log shows apparent infection.
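The "apparent infection" is visible in the HijackThis entries themselves before any scanner runs. As an added illustration (editor's example, not code from this thread or from HijackThis, MBAM or DSS), the script below applies a few defender-side heuristics to sample lines taken from the logs above: a Run value with a bare hex name that loads a system32 DLL via rundll32 through a one-letter export, unnamed or GUID-named BHOs living in system32, a populated AppInit_DLLs value, and one DLL wired into more than one autostart point. The sample log and the reason strings are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the HijackThis logs in this thread,
# mixed with benign lines (Java BHO, Intel tray icon, Bonjour) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2A65BE74-EC8D-401E-93DF-5BDA3DC05505} - C:\WINDOWS\system32\nnnljjIy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {1313b8f8-14ef-4d69-7464-28a5e2725309} - {9035272e-5a82-4647-96d4-fe418f8b3131} - C:\WINDOWS\system32\glvamz.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [24691e57] rundll32.exe "C:\WINDOWS\system32\hqllrflw.dll",b
O20 - AppInit_DLLs: tpsxmj.dll yldaha.dll iilpga.dll
O20 - Winlogon Notify: nnnljjIy - C:\WINDOWS\SYSTEM32\nnnljjIy.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
SYSTEM32_DLL = re.compile(r"[\\/]system32[\\/]([^\\/\s\"]+\.dll)\b", re.IGNORECASE)
RUN_VALUE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RUNDLL = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\"]+?\.dll)\"?\s*,\s*(?P<export>\S+)",
    re.IGNORECASE,
)
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


def _system32_dlls(body):
    """Lowercase basenames of DLLs this entry loads from system32 (or via AppInit)."""
    names = {m.group(1).lower() for m in SYSTEM32_DLL.finditer(body)}
    if body.startswith("AppInit_DLLs:"):
        # AppInit names are bare; they resolve relative to system32 anyway.
        names.update(n.lower() for n in body.split(":", 1)[1].split())
    return names


def _line_reasons(kind, body):
    """Per-line heuristics; each returned string is one reason to look closer."""
    reasons = []
    if kind == "O4":
        rv = RUN_VALUE.search(body)
        if rv:
            if re.fullmatch(r"[0-9a-f]{8}", rv.group("name"), re.IGNORECASE):
                reasons.append("Run value named with a bare hex string")
            rd = RUNDLL.search(rv.group("cmd"))
            if rd and SYSTEM32_DLL.search(rd.group("dll")) and len(rd.group("export")) == 1:
                reasons.append("rundll32 loads a system32 DLL through a one-letter export")
    elif kind == "O2":
        parts = body.split(" - ")
        if len(parts) >= 3:
            name = parts[0].split(":", 1)[1].strip()
            if (name == "(no name)" or GUID.match(name)) and SYSTEM32_DLL.search(parts[-1]):
                reasons.append("unnamed or GUID-named BHO loaded from system32")
    elif kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs populated: listed DLLs load into every process using user32")
    return reasons


def triage(log_text):
    """Return [(kind, line, reasons)] for every entry worth an analyst's attention.

    Pass 1 applies the per-line heuristics; pass 2 flags any entry whose
    system32 DLL is also referenced from a different entry type, i.e. one DLL
    hooked into several autostart points (as nnnljjIy.dll is in this thread).
    """
    entries = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), raw.strip(), m.group("body")))
    seen_in = defaultdict(set)
    for kind, _, body in entries:
        for dll in _system32_dlls(body):
            seen_in[dll].add(kind)
    findings = []
    for kind, line, body in entries:
        reasons = _line_reasons(kind, body)
        shared = sorted(d for d in _system32_dlls(body) if len(seen_in[d]) > 1)
        if shared:
            reasons.append("DLL also referenced by another entry type: " + ", ".join(shared))
        if reasons:
            findings.append((kind, line, reasons))
    return findings


if __name__ == "__main__":
    for kind, line, reasons in triage(SAMPLE_LOG):
        print(f"{kind}: {line}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the full first log in this thread, the same heuristics single out the `[24691e57]` rundll32 entry; the later DSS log adds the O2 and O20 entries that MBAM then names as Trojan.Vundo.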

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 August 2008 - 08:06 PM

Hi The7thSon,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case BitLord). These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Removal Instructions

  • Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use the Firefox browser: click Firefox at the top and choose: Select All.
    • Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use the Opera browser: click Opera at the top and choose: Select All.
    • Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Please download Deckard's System Scanner (DSS) and save to your Desktop.
    alternate download site

    DSS will do the following:
    • Create a new System Restore point in Windows XP and Vista.
    • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
    • Check some important areas of your system and produce a report for an analyst to review.
    • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
    You must be logged onto an account with administrator privileges when using it.
    • Close all applications and windows.
    • Double-click on dss.exe to run it and follow the prompts.
    • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    • When the scan is complete, two text files will open in Notepad:
      • main.txt <- this one will be maximized
      • extra.txt <- this one will be minimized
    • If not, they both can be found in the C:\Deckard\System Scanner folder.
    • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
    -- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
    -- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



In your next reply:
  • The log of MBAM.
  • Both DSS logs.


#4 The7thSon

The7thSon
  • Topic Starter

  • Members
  • 62 posts

Posted 04 August 2008 - 04:51 PM

Farbar,

Here are the logs as requested:

Malwarebytes' Anti-Malware 1.21
Database version: 969
Windows 5.1.2600 Service Pack 2

1:53:00 PM 04/08/2008
mbam-log-8-4-2008 (13-53-00).txt

Scan type: Quick Scan
Objects scanned: 42107
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 13
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\enrwlsrl.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\byXNfGAT.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\uphnvugi.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jhrrjvxw.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wjpynpdn.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\nnnljjIy.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\tcwmxoeq.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\tpsxmj.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\denubeow.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yldaha.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\bnxkjkmh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\iilpga.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\opnlKDTJ.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0370f872-7124-4ea3-b457-a137412217ed} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0370f872-7124-4ea3-b457-a137412217ed} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{50cbff60-4398-403d-90a1-652940572e67} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{50cbff60-4398-403d-90a1-652940572e67} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2a65be74-ec8d-401e-93df-5bda3dc05505} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2a65be74-ec8d-401e-93df-5bda3dc05505} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnljjiy (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24691e57 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2a65be74-ec8d-401e-93df-5bda3dc05505} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iilpga.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\byXNfGAT.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\TAGfNXyb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TAGfNXyb.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ywgysjqh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hqjsygwy.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ueymnloo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oolnmyeu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enrwlsrl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lrslwrne.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uphnvugi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iguvnhpu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jhrrjvxw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wxvjrrhj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wjpynpdn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ndpnypjw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnljjIy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tcwmxoeq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tpsxmj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\denubeow.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yldaha.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bnxkjkmh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\opnlKDTJ.dll (Trojan.Vundo) -> Delete on reboot.

Deckard's System Scanner v20071014.68
Run by The Seventh Son on 2008-08-04 17:38:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
83: 2008-08-04 21:38:44 UTC - RP83 - Deckard's System Scanner Restore Point
82: 2008-08-04 21:21:14 UTC - RP82 - Last known good configuration
81: 2008-08-04 21:21:09 UTC - RP81 - System Checkpoint
80: 2008-08-04 21:21:09 UTC - RP80 - System Checkpoint
79: 2008-08-04 21:21:09 UTC - RP79 - System Checkpoint


-- First Restore Point --
1: 2008-08-04 21:21:07 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as The Seventh Son.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:58 PM, on 04/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\The Seventh Son\Desktop\stupid scanning bullbleep\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\The Seventh Son.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rateyourmusic.com/~The7thSon
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {2A65BE74-EC8D-401E-93DF-5BDA3DC05505} - C:\WINDOWS\system32\nnnljjIy.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {724FC52F-BC3B-4B5D-BF8F-CCAA13A3B2F5} - C:\WINDOWS\system32\byXNfGAT.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {1313b8f8-14ef-4d69-7464-28a5e2725309} - {9035272e-5a82-4647-96d4-fe418f8b3131} - C:\WINDOWS\system32\glvamz.dll
O2 - BHO: (no name) - {B48FED30-6B03-40C5-BAAA-FBE06644A21C} - C:\WINDOWS\system32\rqRIbaYR.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [24691e57] rundll32.exe "C:\WINDOWS\system32\hqllrflw.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: YouTube Uploader.lnk = C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: YouTube Uploader.lnk = C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212376872324
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: tpsxmj.dll yldaha.dll iilpga.dll
O20 - Winlogon Notify: nnnljjIy - C:\WINDOWS\SYSTEM32\nnnljjIy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9916 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080603-000332-782 O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jswnw64n.exe
backup-20080603-000332-723 O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcnttkdm.exe
backup-20080603-001116-816 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.gooochi.biz/bc/123kah.php
backup-20080603-015246-743 O4 - HKLM\..\Run: [{91-1E-EF-F8-DW}] C:\windows\system32\jswnw64n.exe DWramFF
backup-20080603-015246-306 O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kcnttkdm.exe DWramFF
backup-20080603-015246-481 O4 - HKLM\..\Run: [24691e57] rundll32.exe "C:\WINDOWS\system32\yhxvndsk.dll",b
backup-20080603-015246-110 O4 - HKLM\..\Run: [BM275a2dcb] Rundll32.exe "C:\WINDOWS\system32\kqcrcrkl.dll",s
backup-20080603-015304-381 O4 - HKLM\..\Run: [BM275a2dcb] Rundll32.exe "C:\WINDOWS\system32\kqcrcrkl.dll",s
backup-20080603-015311-149 O4 - HKLM\..\Run: [BM275a2dcb] Rundll32.exe "C:\WINDOWS\system32\kqcrcrkl.dll",s
backup-20080603-015328-333 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 Intel Alert Handler - c:\windows\system32\ams_ii\hndlrsvc.exe <Not Verified; Intel® Corporation; Intel Alert Management System 2>
R2 Intel Alert Originator - c:\windows\system32\ams_ii\iao.exe <Not Verified; Intel® Corporation; Intel Alert Management System 2>
R2 Intel File Transfer - c:\windows\system32\cba\xfr.exe <Not Verified; Intel® Corporation; Intel Common Base Agent>
R2 Intel PDS - c:\windows\system32\cba\pds.exe <Not Verified; Intel® Corporation; Intel Common Base Agent>
R2 NSCTOP (Symantec System Center Discovery Service) - c:\progra~1\symantec\symant~1\nsctop.exe <Not Verified; Symantec Corporation; Symantec System Center>

S2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_1095&DEV_3512&SUBSYS_35121095&REV_01\4&1C660DD6&0&03F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_1095&DEV_3512&SUBSYS_35121095&REV_01\4&1C660DD6&0&03F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01D51028&REV_02\4&1C660DD6&0&40F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01D51028&REV_02\4&1C660DD6&0&40F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01D51028&REV_02\3&172E68DD&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_01D51028&REV_02\3&172E68DD&0&FD
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-07-31 15:33:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-07-28 20:38:52 642 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - The Seventh Son.job


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 17:23:57 99200 --a------ C:\WINDOWS\system32\hqllrflw.dll
2008-08-04 17:21:45 120960 --a------ C:\WINDOWS\system32\glvamz.dll
2008-08-04 17:21:44 120960 --a------ C:\WINDOWS\system32\aaccjqdl.dll
2008-08-04 17:20:57 518350 --ahs---- C:\WINDOWS\system32\RYabIRqr.ini2
2008-08-04 17:20:50 323328 --a------ C:\WINDOWS\system32\rqRIbaYR.dll
2008-08-03 22:07:20 130432 -----n--- C:\WINDOWS\system32\iilpga.dll
2008-08-02 22:01:59 130432 -----n--- C:\WINDOWS\system32\yldaha.dll
2008-08-02 21:23:35 130432 -----n--- C:\WINDOWS\system32\tpsxmj.dll
2008-08-01 20:31:49 129920 --a------ C:\WINDOWS\system32\dtumca.dll
2008-08-01 20:31:48 129920 --a------ C:\WINDOWS\system32\nqwgvokm.dll
2008-07-31 20:29:33 120960 --a------ C:\WINDOWS\system32\snfkqm.dll
2008-07-31 20:29:32 120960 --a------ C:\WINDOWS\system32\pdeomsme.dll
2008-07-30 20:34:44 99712 --a------ C:\WINDOWS\system32\mufmkegk.dll
2008-07-30 20:32:25 120960 --a------ C:\WINDOWS\system32\gomyrd.dll
2008-07-30 20:32:24 120960 --a------ C:\WINDOWS\system32\lulhlixb.dll
2008-07-30 13:13:55 511 --a------ C:\WINDOWS\eReg.dat
2008-07-30 13:13:32 0 d-------- C:\Program Files\EACOM
2008-07-30 11:31:49 0 d-------- C:\i386
2008-07-29 23:24:31 120448 --a------ C:\WINDOWS\system32\ciakms.dll
2008-07-29 23:24:30 120448 --a------ C:\WINDOWS\system32\fqgkfhqw.dll
2008-07-29 21:53:45 120448 --a------ C:\WINDOWS\system32\hanwjs.dll
2008-07-29 21:53:44 120448 --a------ C:\WINDOWS\system32\cfdfenmw.dll
2008-07-29 11:30:16 120448 --a------ C:\WINDOWS\system32\ykhbte.dll
2008-07-29 11:30:16 120448 --a------ C:\WINDOWS\system32\cgcakkpt.dll
2008-07-29 11:29:51 120448 --a------ C:\WINDOWS\system32\ogvtbv.dll
2008-07-29 11:29:51 120448 --a------ C:\WINDOWS\system32\efxxeetf.dll
2008-07-28 11:21:29 116352 --a------ C:\WINDOWS\system32\fbxajh.dll
2008-07-28 11:21:28 116352 --a------ C:\WINDOWS\system32\kvbqlxkw.dll
2008-07-27 11:16:21 116352 --a------ C:\WINDOWS\system32\pvchfh.dll
2008-07-27 11:16:20 116352 --a------ C:\WINDOWS\system32\iebkbybl.dll
2008-07-27 10:47:15 116352 --a------ C:\WINDOWS\system32\ijvfvyef.dll
2008-07-27 10:47:15 116352 --a------ C:\WINDOWS\system32\ihjdgw.dll
2008-07-26 12:04:12 116864 --a------ C:\WINDOWS\system32\nuxdmu.dll
2008-07-26 12:04:11 116864 --a------ C:\WINDOWS\system32\juvheohm.dll
2008-07-25 12:04:11 116352 --a------ C:\WINDOWS\system32\inpkno.dll
2008-07-25 12:04:09 116352 --a------ C:\WINDOWS\system32\cptcjajd.dll
2008-07-24 12:04:09 116864 --a------ C:\WINDOWS\system32\mtwyly.dll
2008-07-24 12:04:08 116864 --a------ C:\WINDOWS\system32\uiqkkwxe.dll
2008-07-23 09:54:42 116864 --a------ C:\WINDOWS\system32\znwwzc.dll
2008-07-23 09:54:41 116864 --a------ C:\WINDOWS\system32\tptdktjq.dll
2008-07-22 10:58:03 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-22 10:43:29 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-22 09:52:25 116864 --a------ C:\WINDOWS\system32\jcdwux.dll
2008-07-22 09:52:24 116864 --a------ C:\WINDOWS\system32\sroblrqw.dll
2008-07-22 01:56:42 116864 --a------ C:\WINDOWS\system32\yynqrr.dll
2008-07-22 01:56:41 116864 --a------ C:\WINDOWS\system32\tjbnuvti.dll
2008-07-21 15:17:08 0 d--hs---- C:\FOUND.001
2008-07-21 02:55:45 116352 --a------ C:\WINDOWS\system32\tneohh.dll
2008-07-21 02:55:44 116352 --a------ C:\WINDOWS\system32\rafadkhc.dll
2008-07-20 20:40:59 0 d-------- C:\Program Files\IK Multimedia
2008-07-20 20:40:33 314368 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-07-20 03:01:56 0 d--hs---- C:\FOUND.000
2008-07-20 02:55:18 116864 --a------ C:\WINDOWS\system32\owswiq.dll
2008-07-20 02:55:16 116864 --a------ C:\WINDOWS\system32\shxlvcpc.dll
2008-07-20 02:51:21 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\Malwarebytes
2008-07-20 02:51:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-20 02:51:16 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-20 02:47:05 32640 -----n--- C:\WINDOWS\system32\nnnljjIy.dll
2008-07-20 02:45:11 0 d-------- C:\Program Files\Outsim
2008-07-19 19:54:13 0 d-------- C:\Program Files\DOSBox-0.72
2008-07-15 00:36:48 0 dr-h----- C:\Documents and Settings\The Seventh Son\Recent
2008-07-14 01:53:27 0 d-------- C:\Program Files\iPod
2008-07-11 03:16:38 0 d-------- C:\Program Files\ImTOO
2008-07-09 23:46:36 0 d-------- C:\Program Files\CDex_170b2
2008-07-09 23:34:32 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\AccurateRip
2008-07-09 23:34:28 0 d-------- C:\Program Files\Exact Audio Copy
2008-07-08 21:13:38 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\Roxio
2008-07-08 21:11:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Uninstall
2008-07-08 21:11:23 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-07-08 19:45:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-07-08 19:41:43 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-07 23:24:44 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-07-07 22:47:52 9856 --a------ C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2008-07-07 22:47:52 671744 --a------ C:\WINDOWS\system32\DolbyHph.dll <Not Verified; Lake Technology Limited, http://www.lake.com.au; Dolby Headphone>
2008-07-07 22:47:52 0 d-------- C:\Program Files\NVIDIA Corporation
2008-07-07 20:29:59 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-07 20:06:18 0 dr-h----- C:\Documents and Settings\The Seventh Son\Application Data\SecuROM
2008-07-07 19:57:50 0 d-------- C:\Program Files\EA Sports


-- Find3M Report ---------------------------------------------------------------

2008-07-03 20:05:12 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\Media Player Classic
2008-07-03 14:32:32 0 d-------- C:\Program Files\Apple Software Update
2008-07-01 19:46:34 0 d-------- C:\Program Files\Cucusoft
2008-07-01 19:42:58 0 d-------- C:\Program Files\Essentials Codec Pack
2008-06-29 19:32:36 0 d-------- C:\Program Files\GoldWave
2008-06-20 01:54:10 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\fretsonfire
2008-06-20 01:53:58 0 d-------- C:\Program Files\Frets on Fire
2008-06-20 01:15:00 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\OnReally
2008-06-20 01:14:42 0 d-------- C:\Program Files\OnReally
2008-06-18 22:48:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 17:12:28 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\HiYo
2008-06-17 09:29:26 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\AdobeUM
2008-06-17 09:28:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-17 09:07:16 0 d-------- C:\Program Files\Windows Sidebar
2008-06-17 09:06:08 0 d-------- C:\Program Files\Norton Internet Security
2008-06-17 09:05:10 0 d-------- C:\Program Files\Symantec
2008-06-15 09:38:58 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\Apple Computer
2008-06-15 09:38:24 0 d-------- C:\Program Files\iTunes
2008-06-15 09:37:54 0 d-------- C:\Program Files\Bonjour
2008-06-15 09:36:40 0 d-------- C:\Program Files\QuickTime
2008-06-15 09:35:30 0 d-------- C:\Program Files\Common Files\Apple
2008-06-13 18:18:08 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\dvdcss
2008-06-13 17:59:02 0 d-------- C:\Program Files\WinXMedia
2008-06-09 02:41:26 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\.BitTornado
2008-06-09 02:40:28 0 d-------- C:\Program Files\BitTornado
2008-06-09 02:00:30 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-09 01:58:08 0 d-------- C:\Program Files\Microsoft.NET
2008-06-08 20:21:58 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\Google
2008-06-08 20:19:56 0 d-------- C:\Program Files\Google
2008-06-08 09:56:34 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\Sonic
2008-06-08 09:56:12 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\Leadertech
2008-06-08 09:54:14 0 d-------- C:\Program Files\Common Files\TiVo Shared
2008-06-08 09:54:08 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-08 09:52:04 0 d-------- C:\Program Files\Roxio
2008-06-08 09:52:00 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-07 11:07:02 0 d-------- C:\Program Files\Microsoft Silverlight
2008-06-05 22:20:12 0 d-------- C:\Program Files\Xvid
2008-06-05 20:24:52 0 d-------- C:\Program Files\Smart Projects
2008-06-04 22:39:34 20487 --a------ C:\WINDOWS\system32\z-lib.dll <Not Verified; Microsoft; Microsoft_Scripting_Service>
2008-06-04 01:14:50 0 d-------- C:\Program Files\Winamp Remote
2008-06-04 01:12:40 0 d-------- C:\Program Files\Winamp
2008-06-04 01:12:40 0 d-------- C:\Documents and Settings\The Seventh Son\Application Data\Winamp
2008-06-03 01:21:18 1970 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-02 01:27:44 1580544 --a------ C:\WINDOWS\system32\sfcfiles.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-01 23:05:08 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-01 21:40:02 0 -rahs---- C:\MSDOS.SYS
2008-06-01 21:40:02 0 -rahs---- C:\IO.SYS
2008-06-01 21:40:02 0 --a------ C:\CONFIG.SYS
2008-06-01 21:40:02 0 --a------ C:\AUTOEXEC.BAT
2008-06-01 21:37:04 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-01 21:13:50 62 --ahs---- C:\Documents and Settings\The Seventh Son\Application Data\desktop.ini
2008-05-06 02:01:28 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A65BE74-EC8D-401E-93DF-5BDA3DC05505}]
20/07/2008 02:47 AM 32640 --------- C:\WINDOWS\system32\nnnljjIy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
24/08/2007 11:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
17/06/2008 09:27 AM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724FC52F-BC3B-4B5D-BF8F-CCAA13A3B2F5}]
C:\WINDOWS\system32\byXNfGAT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9035272e-5a82-4647-96d4-fe418f8b3131}]
04/08/2008 05:21 PM 120960 --a------ C:\WINDOWS\system32\glvamz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B48FED30-6B03-40C5-BAAA-FBE06644A21C}]
04/08/2008 05:20 PM 323328 --a------ C:\WINDOWS\system32\rqRIbaYR.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [24/08/2007 11:51 PM 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [18/03/2005 04:34 AM]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [16/12/2004 05:49 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 09:36 AM]
"C-Media Mixer"="Mixer.exe" [15/10/2002 06:00 PM C:\WINDOWS\mixer.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [07/11/2005 05:20 AM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [11/09/2006 04:40 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [14/02/2008 11:01 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [25/08/2007 12:53 AM]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [08/04/2007 12:44 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [12/06/2008 02:38 AM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [10/07/2008 09:47 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/07/2008 10:51 AM]
"24691e57"="C:\WINDOWS\system32\hqllrflw.dll" [04/08/2008 05:24 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 04:56 AM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [18/10/2007 11:34 AM]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [31/03/2008 09:54 PM]
"Google Update"="C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [11/07/2008 01:21 PM]

C:\Documents and Settings\The Seventh Son\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [09/11/2007 1:33:08 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2A65BE74-EC8D-401E-93DF-5BDA3DC05505}"= C:\WINDOWS\system32\nnnljjIy.dll [20/07/2008 02:47 AM 32640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnljjIy]
nnnljjIy.dll 20/07/2008 02:47 AM 32640 C:\WINDOWS\system32\nnnljjIy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=tpsxmj.dll yldaha.dll iilpga.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-08-04 17:41:29 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.53GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 509.98 MiB / 223.33 MiB
Pagefile Memory (total/avail): 1248.87 MiB / 932.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.18 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 465.64 GiB total, 337.38 GiB free.
D: is CDROM (UDF)
E: is Removable (FAT)
F: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - WDC WD50 00AAKS-65YGA0 SCSI Disk Device - 465.76 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 465.75 GiB - C:

\\.\PHYSICALDRIVE1 - Memorex Flashdrive 601B USB Device - 470.65 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 477.36 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton Internet Security v15.0.0.60 (Symantec Corporation) Disabled
AV: Norton Internet Security v15.0.0.60 (Symantec Corporation) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\The Seventh Son\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BOOTS-B39FAB5CF
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\The Seventh Son
LOGONSERVER=\\BOOTS-B39FAB5CF
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Smart Projects\IsoBuster;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\THESEV~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\THESEV~1\LOCALS~1\Temp
USERDOMAIN=BOOTS-B39FAB5CF
USERNAME=The Seventh Son
USERPROFILE=C:\Documents and Settings\The Seventh Son
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

The Seventh Son (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com --> C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com --> MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe AIR --> MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AirPlus G --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{2B7E4354-0492-460A-BDB1-1F59EE141025} /l1033
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
BitTornado 0.3.18 --> C:\Program Files\BitTornado\uninst.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
CDex extraction audio --> "C:\Program Files\CDex_170b2\uninstall.exe"
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07 --> "C:\Documents and Settings\The Seventh Son\My Documents\My DVDs\avi-dvd-pro\unins000.exe"
EA.com Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB97F52-512B-43EF-AAEC-4825C17B32ED}\setup.exe" -l0x0 Uninstall
Frets On Fire --> "C:\Program Files\Frets on Fire\Uninstall.exe"
GoldWave v5.25 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.25" "C:\Program Files\GoldWave\unstall.log"
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Guitar Hero Explorer --> MsiExec.exe /I{2B072A33-D445-46D5-9442-7B41F5171AAC}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ImTOO DVD Ripper Platinum 5 --> C:\Program Files\ImTOO\DVD Ripper Platinum 5\Uninstall.exe
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
IsoBuster 2.4 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.16) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
NBA Live 2001 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE2C92E0-6DFE-11D4-0089-C400C04F6A0E}\setup.exe" -l0x9 Uninstall
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus Help --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
Norton Internet Security --> MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_0_0_60\Setup.exe" /X
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
NVIDIA DVD Decoder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}\setup.exe" -l0x9 -uninstall
PCI Audio Driver --> cmuninst.exe
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Rolling Stone - Cover to Cover --> MsiExec.exe /X{B5B606B5-7FF0-4946-80E3-35185EEF84AD}
Roxio Creator Audio --> MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy --> MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data --> MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE --> C:\Documents and Settings\All Users\Application Data\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE --> MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools --> MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio Express Labeler 3 --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec System Center --> MsiExec.exe /I{1F211E59-C268-4A86-ACC2-5B0CD153C26C}
Symantec System Center --> MsiExec.exe /I{1F211E59-C268-4A86-ACC2-5B0CD153C26C}
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Remote --> "C:\Program Files\Winamp Remote\uninstall.exe"
Windows Essentials Media Codec Pack 1.0 --> C:\Program Files\Essentials Codec Pack\uninst.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
YouTube Uploader --> MsiExec.exe /X{171818BA-E0AD-313D-B45A-1BC9D77ADA86}


-- Application Event Log -------------------------------------------------------

Event Record #/Type4990 / Error
Event Submitted/Written: 07/29/2008 08:58:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application winamp.exe, version 5.5.3.1938, faulting module in_vorbis.dll, version 0.0.0.0, fault address 0x000017a2.
Processing media-specific event for [winamp.exe!ws!]

Event Record #/Type4677 / Error
Event Submitted/Written: 07/26/2008 01:41:02 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.4669, faulting module byxnfgat.dll, version 0.0.0.0, fault address 0x0005499d.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type4488 / Error
Event Submitted/Written: 07/23/2008 07:40:31 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.4669, faulting module byxnfgat.dll, version 0.0.0.0, fault address 0x0005499d.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type4212 / Warning
Event Submitted/Written: 07/20/2008 07:20:10 PM
Event ID/Source: 2002 / LoadPerf
Event Description:
The MOF file created for the Outlook service could not be loaded. The
error code returned by the MOF Compiler is contained in the Record Data.
Before the performance counters of this service can be collected by WMI
the MOF file will need to be loaded manually. Contact the vendor of this
service for additional information.

Event Record #/Type4061 / Error
Event Submitted/Written: 07/19/2008 03:40:13 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.4669, faulting module unknown, version 0.0.0.0, fault address 0x3000d8a5.
Processing media-specific event for [firefox.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type10065 / Warning
Event Submitted/Written: 08/03/2008 00:07:12 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type10031 / Warning
Event Submitted/Written: 08/03/2008 01:18:15 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type10021 / Error
Event Submitted/Written: 08/02/2008 10:27:07 PM
Event ID/Source: 4199 / Tcpip
Event Description:
The system detected an address conflict for IP address 192.168.0.3 with the system
having network hardware address 00:1D:4F:C6:6E:5D. Network operations on this system may
be disrupted as a result.

Event Record #/Type9991 / Error
Event Submitted/Written: 08/02/2008 09:15:26 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.0.4 for the Network Card with network address 0015E93F6F30 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type9969 / Warning
Event Submitted/Written: 08/02/2008 01:04:31 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-08-04 17:41:29 ------------

Thank you for your help!
The Seventh Son

#5 Farbar (Just Curious; Security Developer; 21,726 posts; Gender: Male; Location: The Netherlands)

Posted 05 August 2008 - 12:30 PM

Hi The7thSon,
  • Please let me know if you have turned off your firewall yourself, and whether you knew your antivirus is outdated. You need to update your antivirus.

  • Turn off Windows automatic updates as it might lead to unexpected results at this stage:
    • Go to start -> Control Panel -> double-click System to open it.
    • Go to the Automatic Updates tab.
    • Select the "Turn off Automatic Updates" box.
    • Click Apply and then OK.
  • Empty all p2p (Bitlord, uTorrent, etc...) download folders. They might contain infected applications. Please avoid using these p2p applications until the system is clean.

  • We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully.

    You have to install the Recovery Console before running the tool because Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


    Instructions to install the Recovery Console:

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System


    Download the file & save it as it's originally named, next to ComboFix.exe.


    Now close all open windows and programs, including all antivirus and antimalware programs, so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'Yes' to run the full ComboFix scan.

    • When the tool is finished, it will produce a report for you.
    Please copy and paste the content of C:\ComboFix.txt along with a fresh Hijackthis log for further review.


    In your next reply:
    • The Combofix log.
    • A fresh Hijackthis log.


#6 The7thSon (Topic Starter; Members; 62 posts)

Posted 05 August 2008 - 10:13 PM

Farbar,

Here are the two logs as requested:

ComboFix 08-08-04.08 - The Seventh Son 2008-08-05 17:29:28.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.177 [GMT -4:00]
Running from: C:\Documents and Settings\The Seventh Son\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\The Seventh Son\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\The Seventh Son\Application Data\macromedia\Flash Player\#SharedObjects\FRPPXBCM\interclick.com
C:\Documents and Settings\The Seventh Son\Application Data\macromedia\Flash Player\#SharedObjects\FRPPXBCM\interclick.com\ud.sol
C:\Documents and Settings\The Seventh Son\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\The Seventh Son\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aaccjqdl.dll
C:\WINDOWS\system32\cfdfenmw.dll
C:\WINDOWS\system32\cgcakkpt.dll
C:\WINDOWS\system32\ciakms.dll
C:\WINDOWS\system32\cptcjajd.dll
C:\WINDOWS\system32\cptxykle.ini
C:\WINDOWS\system32\dnttgg.dll
C:\WINDOWS\system32\dqnphquh.ini
C:\WINDOWS\system32\eerbbknj.ini
C:\WINDOWS\system32\efxxeetf.dll
C:\WINDOWS\system32\elmnpwjk.ini
C:\WINDOWS\system32\ethvledk.ini
C:\WINDOWS\system32\fbxajh.dll
C:\WINDOWS\system32\fqgkfhqw.dll
C:\WINDOWS\system32\glvamz.dll
C:\WINDOWS\system32\gomyrd.dll
C:\WINDOWS\system32\hanwjs.dll
C:\WINDOWS\system32\hgGxWqqP.dll
C:\WINDOWS\system32\hindcapn.ini
C:\WINDOWS\system32\ibrvipqe.ini
C:\WINDOWS\system32\iebkbybl.dll
C:\WINDOWS\system32\ihjdgw.dll
C:\WINDOWS\system32\ijvfvyef.dll
C:\WINDOWS\system32\inpkno.dll
C:\WINDOWS\system32\iwunpgqn.dll
C:\WINDOWS\system32\jcdwux.dll
C:\WINDOWS\system32\juvheohm.dll
C:\WINDOWS\system32\kvbqlxkw.dll
C:\WINDOWS\system32\kyhwthjl.ini
C:\WINDOWS\system32\lulhlixb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mtwyly.dll
C:\WINDOWS\system32\myehkgkr.ini
C:\WINDOWS\system32\nnnljjIy.dll
C:\WINDOWS\system32\nuxdmu.dll
C:\WINDOWS\system32\ogvtbv.dll
C:\WINDOWS\system32\owswiq.dll
C:\WINDOWS\system32\pdeomsme.dll
C:\WINDOWS\system32\PqqWxGgh.ini
C:\WINDOWS\system32\PqqWxGgh.ini2
C:\WINDOWS\system32\pvchfh.dll
C:\WINDOWS\system32\qkgpqogj.ini
C:\WINDOWS\system32\rafadkhc.dll
C:\WINDOWS\system32\rqRIbaYR.dll
C:\WINDOWS\system32\RYabIRqr.ini
C:\WINDOWS\system32\RYabIRqr.ini2
C:\WINDOWS\system32\shxlvcpc.dll
C:\WINDOWS\system32\snfkqm.dll
C:\WINDOWS\system32\sroblrqw.dll
C:\WINDOWS\system32\tcsgejtw.ini
C:\WINDOWS\system32\tjbnuvti.dll
C:\WINDOWS\system32\tneohh.dll
C:\WINDOWS\system32\tptdktjq.dll
C:\WINDOWS\system32\uiqkkwxe.dll
C:\WINDOWS\system32\uobwkwus.ini
C:\WINDOWS\system32\wlfrllqh.ini
C:\WINDOWS\system32\xnyumrrp.ini
C:\WINDOWS\system32\xqqnygyu.ini
C:\WINDOWS\system32\ykhbte.dll
C:\WINDOWS\system32\yynqrr.dll
C:\WINDOWS\system32\znwwzc.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 17:07 . 2008-08-05 17:07 99,712 --a------ C:\WINDOWS\system32\suwkwbou.dll
2008-08-05 16:54 . 2008-06-03 19:02 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-04 17:37 . 2008-08-04 17:37 <DIR> d-------- C:\Deckard
2008-08-03 22:07 . 2008-08-03 22:07 130,432 --------- C:\WINDOWS\system32\iilpga.dll
2008-08-02 22:01 . 2008-08-02 22:02 130,432 --------- C:\WINDOWS\system32\yldaha.dll
2008-08-02 21:23 . 2008-08-02 21:23 130,432 --------- C:\WINDOWS\system32\tpsxmj.dll
2008-08-01 20:31 . 2008-08-01 20:31 129,920 --a------ C:\WINDOWS\system32\nqwgvokm.dll
2008-08-01 20:31 . 2008-08-01 20:31 129,920 --a------ C:\WINDOWS\system32\dtumca.dll
2008-07-30 20:34 . 2008-07-30 20:34 99,712 --a------ C:\WINDOWS\system32\mufmkegk.dll
2008-07-30 13:13 . 2008-07-30 13:13 <DIR> d-------- C:\Program Files\EACOM
2008-07-30 13:13 . 2008-07-30 13:13 511 --a------ C:\WINDOWS\eReg.dat
2008-07-30 11:32 . 2008-07-30 11:32 6,330 --a------ C:\inf.zip
2008-07-30 11:31 . 2008-07-30 11:31 <DIR> d-------- C:\i386
2008-07-30 11:30 . 2008-07-30 11:31 3,806,003 --a------ C:\i386.zip
2008-07-23 09:54 . 2008-07-23 09:55 0 --a------ C:\WINDOWS\system32\elmnpwjk.tmp
2008-07-22 10:58 . 2008-07-22 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-22 10:43 . 2008-07-22 10:43 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-21 15:17 . 2008-07-21 15:17 <DIR> d--hs---- C:\FOUND.001
2008-07-20 20:40 . 2008-07-20 20:41 <DIR> d-------- C:\Program Files\IK Multimedia
2008-07-20 20:40 . 1997-05-12 17:53 314,368 --a------ C:\WINDOWS\IsUninst.exe
2008-07-20 03:01 . 2008-07-20 03:01 <DIR> d--hs---- C:\FOUND.000
2008-07-20 02:51 . 2008-07-20 02:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-20 02:51 . 2008-07-20 02:51 <DIR> d-------- C:\Documents and Settings\The Seventh Son\Application Data\Malwarebytes
2008-07-20 02:51 . 2008-07-20 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-20 02:51 . 2008-07-18 19:22 36,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-20 02:51 . 2008-07-18 19:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-20 02:45 . 2008-07-20 02:45 <DIR> d-------- C:\Program Files\Outsim
2008-07-20 02:45 . 2002-07-07 18:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-07-19 19:54 . 2008-07-19 19:54 <DIR> d-------- C:\Program Files\DOSBox-0.72
2008-07-14 01:53 . 2008-07-14 01:53 <DIR> d-------- C:\Program Files\iPod
2008-07-11 20:01 . 2008-07-30 00:15 38 --a------ C:\WINDOWS\AviSplitter.INI
2008-07-11 03:16 . 2008-07-11 03:16 <DIR> d-------- C:\Program Files\ImTOO
2008-07-09 23:46 . 2008-07-09 23:46 <DIR> d-------- C:\Program Files\CDex_170b2
2008-07-09 23:34 . 2008-07-09 23:34 <DIR> d-------- C:\Program Files\Exact Audio Copy
2008-07-09 23:34 . 2008-07-09 23:34 <DIR> d-------- C:\Documents and Settings\The Seventh Son\Application Data\AccurateRip
2008-07-08 21:13 . 2008-07-08 21:13 <DIR> d-------- C:\Documents and Settings\The Seventh Son\Application Data\Roxio
2008-07-08 21:11 . 2008-07-08 21:11 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-07-08 21:11 . 2008-07-08 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uninstall
2008-07-08 19:41 . 2008-07-08 19:41 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-07 23:24 . 2008-07-07 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-07-07 22:47 . 2008-07-07 22:47 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-07-07 22:47 . 2004-10-11 12:28 671,744 --a------ C:\WINDOWS\system32\DolbyHph.dll
2008-07-07 22:47 . 2004-10-11 12:29 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-07-07 22:47 . 2004-10-11 12:28 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-07-07 20:06 . 2008-07-07 20:06 <DIR> dr-h----- C:\Documents and Settings\The Seventh Son\Application Data\SecuROM
2008-07-07 20:06 . 2008-07-07 20:06 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-07-07 19:57 . 2008-07-07 19:57 <DIR> d-------- C:\Program Files\EA Sports

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 21:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 21:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 21:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-04 00:05 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\Media Player Classic
2008-07-03 18:32 --------- d-----w C:\Program Files\Apple Software Update
2008-07-01 23:46 --------- d-----w C:\Program Files\Cucusoft
2008-07-01 23:42 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-06-29 23:32 --------- d-----w C:\Program Files\GoldWave
2008-06-20 05:54 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\fretsonfire
2008-06-20 05:53 --------- d-----w C:\Program Files\Frets on Fire
2008-06-20 05:15 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\OnReally
2008-06-20 05:14 --------- d-----w C:\Program Files\OnReally
2008-06-19 02:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 20:59 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-18 20:59 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-18 20:59 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-18 20:59 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-17 21:12 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\HiYo
2008-06-17 13:29 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\AdobeUM
2008-06-17 13:28 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-17 13:07 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-17 13:06 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-17 13:05 --------- d-----w C:\Program Files\Symantec
2008-06-15 13:38 --------- d-----w C:\Program Files\iTunes
2008-06-15 13:38 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\Apple Computer
2008-06-15 13:37 --------- d-----w C:\Program Files\Bonjour
2008-06-15 13:36 --------- d-----w C:\Program Files\QuickTime
2008-06-15 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-15 13:35 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-15 13:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-13 22:18 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\dvdcss
2008-06-13 21:59 --------- d-----w C:\Program Files\WinXMedia
2008-06-13 18:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 18:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 18:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 18:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 18:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 18:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 18:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 18:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 18:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 18:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 18:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 18:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-09 06:41 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\.BitTornado
2008-06-09 06:40 --------- d-----w C:\Program Files\BitTornado
2008-06-09 06:00 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-09 05:58 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-09 00:19 --------- d-----w C:\Program Files\Google
2008-06-08 13:56 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\Sonic
2008-06-08 13:56 --------- d-----w C:\Documents and Settings\The Seventh Son\Application Data\Leadertech
2008-06-08 13:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-08 13:54 --------- d-----w C:\Program Files\Common Files\TiVo Shared
2008-06-08 13:54 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-06-08 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-06-08 13:52 --------- d-----w C:\Program Files\Roxio
2008-06-08 13:52 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-07 15:07 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-06 02:20 --------- d-----w C:\Program Files\Xvid
2008-06-06 00:24 --------- d-----w C:\Program Files\Smart Projects
2008-06-05 21:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-05 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-05 02:39 20,487 ----a-w C:\WINDOWS\system32\z-lib.dll
2008-06-03 05:21 1,970 ----a-w C:\WINDOWS\system32\tmp.reg
2008-06-02 05:27 984,576 ----a-w C:\WINDOWS\system32\syssetup.dll
2008-06-02 05:27 1,580,544 ----a-w C:\WINDOWS\system32\sfcfiles.dll
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-06 06:01 45,056 ----a-w C:\WINDOWS\system32\WNASPI32.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-03-31 21:54 507904]
"Google Update"="C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-07-11 13:21 119280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 04:34 1228800]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 05:20 122940]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 00:53 714608]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 12:44 303104]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"24691e57"="C:\WINDOWS\system32\suwkwbou.dll" [2008-08-05 17:07 99712]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:56 15360]

C:\Documents and Settings\The Seventh Son\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 13:33:08 71152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tpsxmj.dll yldaha.dll iilpga.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 Si3112r;Si3112r;C:\WINDOWS\system32\drivers\Si3112r.sys [2008-06-02 01:27]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 11:02]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 19:17]
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-05 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - The Seventh Son.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 21:19]

2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{724FC52F-BC3B-4B5D-BF8F-CCAA13A3B2F5} - C:\WINDOWS\system32\byXNfGAT.dll
HKLM-Run-ISUSPM Startup - C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\The Seventh Son\Application Data\Mozilla\Firefox\Profiles\5e9uoyxk.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 17:38:01
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\suwkwbou.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
.
**************************************************************************
.
Completion time: 2008-08-05 17:40:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 21:40:02

Pre-Run: 358,809,468,928 bytes free
Post-Run: 358,722,568,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

318

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:59 PM, on 05/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rateyourmusic.com/~The7thSon
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [24691e57] rundll32.exe "C:\WINDOWS\system32\suwkwbou.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: YouTube Uploader.lnk = C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: YouTube Uploader.lnk = C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\The Seventh Son\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212376872324
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: tpsxmj.dll yldaha.dll iilpga.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9752 bytes

Two questions, however:
1. Before I go and revert the changes made, why has my default browser changed back to IE?
2. Is AVG 8.0 Free Version, suggested to me by my cousin, a suitable anti-virus program, as Norton and McAfee have both failed me?

Cheers,
The Seventh Son

#7 Farbar

    Just Curious

  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 August 2008 - 04:13 PM

Hi The7Son,

1. Before I go and revert the changes made, why has my default browser changed back to IE?

The privacy settings in IE are often lowered by Vundo. But the default Internet browser might have been set to IE by ComboFix. You can change the default setting when you are clean.

2. Is AVG 8.0 Free Version, suggested to me by my cousin, a suitable anti-virus program, as Norton and McAfee have both failed me?

Yes, AVG 8 is a suitable anti-virus. You have to either update Norton or install AVG. If you want to install AVG 8, you have to remove Norton first with a removal tool, then install AVG 8. You need a good firewall too, other than Windows Firewall, but I'll give you more information about recommended firewalls later on. Please decide about AVG and Norton and let me know, as your PC is not protected by an antivirus right now.
  • Close any open browsers.

    Open Notepad and copy/paste the text in the quote box below into it:

    File::
    C:\WINDOWS\system32\suwkwbou.dll
    C:\WINDOWS\system32\iilpga.dll
    C:\WINDOWS\system32\yldaha.dll
    C:\WINDOWS\system32\tpsxmj.dll
    C:\WINDOWS\system32\nqwgvokm.dll
    C:\WINDOWS\system32\dtumca.dll
    C:\WINDOWS\system32\mufmkegk.dll
    C:\WINDOWS\system32\elmnpwjk.tmp

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "24691e57"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "appinit_dlls"=" "

    Save this as CFScript.txt, in the same location as ComboFix.exe.

    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you at "C:\ComboFix.txt".

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  • Please copy and paste a fresh HijackThis log to your reply.

In your next reply:
  • Let me know your decision about Norton and AVG.
  • The ComboFix log.
  • A fresh HijackThis log.
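An added example (not from this thread, nor from the HijackThis or ComboFix authors) that parses the O4 and O20 lines of a HijackThis log, flags the pattern the helper targeted above (a Run value loading a DLL through rundll32, plus the AppInit_DLLs list), and renders the findings in the CFScript shape shown above. The sample log lines are constructed from this thread; the "8 hex digits as a value name" test is my own assumption, not a rule HijackThis applies.

```python
import re

# Constructed sample HijackThis lines, modelled on the log in this thread; the
# rundll32 entry and the AppInit_DLLs list are the items the CFScript targets.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [24691e57] rundll32.exe "C:\WINDOWS\system32\suwkwbou.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: tpsxmj.dll yldaha.dll iilpga.dll
"""
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
# Heuristic (my assumption, modelled on the [24691e57] entry above): a Run value
# named like 8 hex digits whose command hands a DLL to rundll32.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+\.dll)"?', re.I)
HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}

def parse_hjt(text):
    """Return ([(hive, name, command)], [AppInit DLL names]) from O4/O20 lines."""
    runs, appinit = [], []
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            runs.append((m['hive'], m['name'], m['cmd']))
        elif m := APPINIT_RE.match(line):
            appinit.extend(m['dlls'].split())
    return runs, appinit

def flagged_runs(text):
    """Run entries matching the hex-name + rundll32 pattern, as (hive, name, dll path)."""
    return [(h, n, m['dll']) for h, n, c in parse_hjt(text)[0]
            if HEX_NAME_RE.match(n) and (m := RUNDLL_RE.search(c))]

def suspicious_files(text):
    """Files to review: rundll32-loaded DLLs plus AppInit DLLs (bare names live in system32)."""
    return ([dll for _, _, dll in flagged_runs(text)] +
            [r'C:\WINDOWS\system32\%s' % d for d in parse_hjt(text)[1]])

def build_cfscript(text):
    """Render the findings in the CFScript shape used above: a File:: list, then
    Registry:: lines that delete the Run value ("name"=-) and blank AppInit_DLLs."""
    lines = ['File::'] + suspicious_files(text) + ['', 'Registry::']
    for hive, name, _ in flagged_runs(text):
        lines += [r'[%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]' % HIVES.get(hive, hive), '"%s"=-' % name]
    if parse_hjt(text)[1]:
        lines += [r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]', '"appinit_dlls"=" "']
    return '\n'.join(lines)
```

The output is a review list for a human, not something to feed to ComboFix unread; legitimate Run entries such as igfxtray and ccApp are left alone because they match neither heuristic.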


#8 don77

    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 12 August 2008 - 08:20 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
