Malware - Registrydefender.com & Antivirus-server.com Popups!


  • This topic is locked
14 replies to this topic

#1 sms7204

  • Members
  • 10 posts

Posted 29 July 2008 - 03:52 PM

Here is the main.txt from the DSS report:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-29 15:57:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
94: 2008-07-29 20:57:40 UTC - RP682 - Deckard's System Scanner Restore Point
93: 2008-05-18 06:34:12 UTC - RP681 - Last known good configuration
92: 2008-05-18 06:34:07 UTC - RP680 - Removed Norton WMI Update
91: 2008-05-18 06:34:06 UTC - RP679 - Removed DesignPro 5.0 Media Edition
90: 2008-05-18 06:34:06 UTC - RP678 - System Checkpoint


-- First Restore Point --
1: 2008-05-18 06:33:55 UTC - RP589 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-29 15:58:52
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Documents and Settings\Owner\lsass.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\explorer.exe
C:\DSV_Football3\dsv_football.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = espn.go.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {88e3b2c5-102e-6aab-fc34-2e365acaf391} - {193faca5-63e2-43cf-baa6-e2015c2b3e88} - C:\WINDOWS\system32\jiqgpw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\geBstsrq.dll
O2 - BHO: (no name) - {A754BA31-C9F4-4357-91DC-B8F8655E4A33} - C:\WINDOWS\system32\iiffDstU.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Owner\lsass.exe
O4 - HKLM\..\Run: [68502bf1] rundll32.exe "C:\WINDOWS\system32\ivgeuemw.dll",b
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [SybaseCentral43] "C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{72C1B883-BC67-485D-AB81-C6D6EB6B479F}: NameServer = 172.16.6.30
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9CCDF2B8-5BD0-4921-8FD4-00D805E91A86}: NameServer = 172.16.6.30
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: geBstsrq - C:\WINDOWS\system32\geBstsrq.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


--
End of file - 5257 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
R2 LANPkt (Realtek LANPkt Protocol) - c:\windows\system32\drivers\lanpkt.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt92>

S3 Diag69xp - c:\windows\system32\drivers\diag69xp.sys <Not Verified; Realtek Semiconductor Corporation; Realtek RTL8169 Gigabit Ethernet Adapter>
S3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-05 19:18:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 14:48:47 0 d-------- C:\Program Files\Enigma Software Group
2008-07-29 14:11:41 102400 --a------ C:\WINDOWS\system32\jiqgpw.dll
2008-07-29 14:11:41 102400 --a------ C:\WINDOWS\system32\dibjphge.dll
2008-07-29 14:08:48 6464 --a------ C:\WINDOWS\system32\egntiikj.dll
2008-07-29 12:26:12 6458 --a------ C:\WINDOWS\system32\stxeblfa.dll
2008-07-25 13:04:20 6458 --a------ C:\WINDOWS\system32\rdhheamx.dll
2008-07-23 20:56:48 6458 --a------ C:\WINDOWS\system32\nojlgdey.dll
2008-07-23 09:05:42 101888 --a------ C:\WINDOWS\system32\cvjmdk.dll
2008-07-23 09:05:41 101888 --a------ C:\WINDOWS\system32\sbkdtbkt.dll
2008-07-23 09:05:18 6464 --a------ C:\WINDOWS\system32\nmwlpqry.dll
2008-07-22 20:56:41 6458 --a------ C:\WINDOWS\system32\ykpoovdj.dll
2008-07-21 21:02:52 6464 --a------ C:\WINDOWS\system32\ayeaivxp.dll
2008-07-21 20:59:52 102400 --a------ C:\WINDOWS\system32\vbruws.dll
2008-07-21 20:59:52 102400 --a------ C:\WINDOWS\system32\dejfumjk.dll
2008-07-21 20:56:52 6458 --a------ C:\WINDOWS\system32\retofbqa.dll
2008-07-21 20:06:11 102400 --a------ C:\WINDOWS\system32\jbzeuh.dll
2008-07-21 20:06:10 102400 --a------ C:\WINDOWS\system32\dkpicegx.dll
2008-07-21 20:03:33 6464 --a------ C:\WINDOWS\system32\rysuvfdh.dll
2008-07-21 19:12:03 2560 --a------ C:\WINDOWS\system32\mmiglppk.exe
2008-07-21 18:09:59 2560 --a------ C:\WINDOWS\system32\hcgabmqj.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-29 15:56:28 877531 --ahs---- C:\WINDOWS\system32\UtsDffii.ini2
2008-05-29 15:34:57 2560 --a------ C:\WINDOWS\system32\ajhdbnep.exe
2008-05-29 15:31:57 101376 --a------ C:\WINDOWS\system32\ivgeuemw.dll
2008-05-29 15:28:57 111616 --a------ C:\WINDOWS\system32\fmsbddmy.dll
2008-05-29 15:23:17 106496 --a------ C:\WINDOWS\system32\orclwhtx.dll
2008-05-28 15:31:57 2560 --a------ C:\WINDOWS\system32\mtpgbtri.exe
2008-05-28 15:25:57 112640 --a------ C:\WINDOWS\system32\fgvtntfv.dll
2008-05-28 15:22:57 109568 --a------ C:\WINDOWS\system32\dcloijdx.dll
2008-05-27 15:25:57 2560 --a------ C:\WINDOWS\system32\dnkquepj.exe
2008-05-27 15:22:57 110592 --a------ C:\WINDOWS\system32\nnmqibha.dll
2008-05-26 15:29:57 2560 --a------ C:\WINDOWS\system32\ramgvdag.exe
2008-05-26 15:23:58 108544 --a------ C:\WINDOWS\system32\uhvyecfu.dll
2008-05-25 15:29:58 117760 --a------ C:\WINDOWS\system32\qepegwlt.dll
2008-05-25 15:26:57 2560 --a------ C:\WINDOWS\system32\vxltvosr.exe
2008-05-25 15:21:14 109056 --a------ C:\WINDOWS\system32\ljrebymo.dll
2008-05-24 15:32:58 117760 --a------ C:\WINDOWS\system32\gkniwcrj.dll
2008-05-24 15:26:57 2560 --a------ C:\WINDOWS\system32\efoyjltg.exe
2008-05-24 15:20:58 108544 --a------ C:\WINDOWS\system32\lxrhinmj.dll
2008-05-23 15:25:25 2560 --a------ C:\WINDOWS\system32\qtpntsbl.exe
2008-05-23 15:25:22 118272 --a------ C:\WINDOWS\system32\hgsewvhc.dll
2008-05-23 15:20:14 110080 --a------ C:\WINDOWS\system32\jyeadhuo.dll
2008-05-20 01:48:46 117760 --a------ C:\WINDOWS\system32\ohaqcoxa.dll
2008-05-20 01:39:45 2048 --a------ C:\WINDOWS\system32\jioxqsso.exe
2008-05-20 01:36:45 109056 --a------ C:\WINDOWS\system32\mgrxqnae.dll
2008-05-19 01:45:45 2048 --a------ C:\WINDOWS\system32\cnkveetq.exe
2008-05-19 01:39:46 118784 --a------ C:\WINDOWS\system32\adsxtqaf.dll
2008-05-19 01:36:45 109568 --a------ C:\WINDOWS\system32\skwnobat.dll
2008-05-18 01:45:45 2048 --a------ C:\WINDOWS\system32\gryqpaxb.exe
2008-05-18 01:42:46 118784 --a------ C:\WINDOWS\system32\uthdpwcf.dll
2008-05-18 01:34:44 109568 --a------ C:\WINDOWS\system32\snirsqes.dll
2008-05-18 01:33:44 374784 --a------ C:\WINDOWS\system32\iiffDstU.dll
2008-05-18 00:33:40 7031 --a------ C:\WINDOWS\system32\iifcAqRK.dll
2008-05-17 23:33:40 7031 --a------ C:\WINDOWS\system32\vtUnlkJB.dll
2008-05-17 22:33:39 7031 --a------ C:\WINDOWS\system32\efcAPhgH.dll
2008-05-17 21:33:37 7031 --a------ C:\WINDOWS\system32\iifgHATj.dll
2008-05-17 20:33:37 7031 --a------ C:\WINDOWS\system32\yayaATmJ.dll
2008-05-17 19:33:35 7031 --a------ C:\WINDOWS\system32\khfFYSJC.dll
2008-05-17 18:33:34 7031 --a------ C:\WINDOWS\system32\pmnnNeDT.dll
2008-05-17 17:33:34 7031 --a------ C:\WINDOWS\system32\hgGwVLeB.dll
2008-05-17 16:33:33 7031 --a------ C:\WINDOWS\system32\qoMdCSjH.dll
2008-05-17 15:33:32 7031 --a------ C:\WINDOWS\system32\ljJBuroM.dll
2008-05-17 14:33:31 7031 --a------ C:\WINDOWS\system32\ddcBSJbc.dll
2008-05-17 13:33:40 7031 --a------ C:\WINDOWS\system32\ljJBrRkl.dll
2008-05-17 12:33:29 7031 --a------ C:\WINDOWS\system32\iifeffDs.dll
2008-05-17 11:33:31 7031 --a------ C:\WINDOWS\system32\pmnoMcYR.dll
2008-05-17 10:33:27 7031 --a------ C:\WINDOWS\system32\hgGvspME.dll
2008-05-17 09:33:25 7031 --a------ C:\WINDOWS\system32\qoMeFxvW.dll
2008-05-17 08:33:28 7031 --a------ C:\WINDOWS\system32\awtuvWoO.dll
2008-05-17 07:33:23 7031 --a------ C:\WINDOWS\system32\hgGyaxya.dll
2008-05-17 06:33:23 7031 --a------ C:\WINDOWS\system32\tuvTllkk.dll
2008-05-17 05:33:22 7031 --a------ C:\WINDOWS\system32\ddcAtTLf.dll
2008-05-17 04:33:20 7031 --a------ C:\WINDOWS\system32\yaywuuTn.dll
2008-05-17 03:33:20 7031 --a------ C:\WINDOWS\system32\opnnmLFv.dll
2008-05-17 02:33:18 7031 --a------ C:\WINDOWS\system32\byXNgeCv.dll
2008-05-17 01:33:19 7031 --a------ C:\WINDOWS\system32\hgGxWppM.dll
2008-05-17 00:33:17 7031 --a------ C:\WINDOWS\system32\cbXNDVOg.dll
2008-05-16 23:33:15 7031 --a------ C:\WINDOWS\system32\yayxywTj.dll
2008-05-16 22:33:15 7031 --a------ C:\WINDOWS\system32\ljJBqqPH.dll
2008-05-16 21:33:14 7031 --a------ C:\WINDOWS\system32\hgGyaYpm.dll
2008-05-16 20:33:12 7031 --a------ C:\WINDOWS\system32\hgGyxUMD.dll
2008-05-16 19:33:12 7031 --a------ C:\WINDOWS\system32\tuvTklKa.dll
2008-05-16 18:33:11 7031 --a------ C:\WINDOWS\system32\ddcBUnkk.dll
2008-05-16 17:33:09 7034 --a------ C:\WINDOWS\system32\efcCtrQI.dll
2008-05-16 16:33:09 7034 --a------ C:\WINDOWS\system32\efcARljJ.dll
2008-05-16 15:33:08 7034 --a------ C:\WINDOWS\system32\yayvWQGx.dll
2008-05-16 14:33:07 7031 --a------ C:\WINDOWS\system32\rqRHwTLb.dll
2008-05-16 13:33:08 7031 --a------ C:\WINDOWS\system32\urqQgdbc.dll
2008-05-16 12:33:05 7031 --a------ C:\WINDOWS\system32\ljJBrQig.dll
2008-05-16 11:33:27 7031 --a------ C:\WINDOWS\system32\fccaXOEU.dll
2008-05-16 10:33:02 7031 --a------ C:\WINDOWS\system32\khfCuSjk.dll
2008-05-16 09:33:22 7031 --a------ C:\WINDOWS\system32\tuvUMffG.dll
2008-05-16 08:33:01 7031 --a------ C:\WINDOWS\system32\vtUklkKa.dll
2008-05-16 07:33:00 7031 --a------ C:\WINDOWS\system32\hgGxXppo.dll
2008-05-16 06:32:58 7031 --a------ C:\WINDOWS\system32\awtsPiig.dll
2008-05-16 05:32:58 7031 --a------ C:\WINDOWS\system32\mlJdBSih.dll
2008-05-16 04:32:57 7031 --a------ C:\WINDOWS\system32\qoMcabxX.dll
2008-05-16 03:32:55 7045 --a------ C:\WINDOWS\system32\fccdbCSK.dll
2008-05-16 02:32:55 7045 --a------ C:\WINDOWS\system32\ddcddbcy.dll
2008-05-16 01:32:54 7045 --a------ C:\WINDOWS\system32\geBuSKEV.dll
2008-05-16 00:32:52 7045 --a------ C:\WINDOWS\system32\xxyxXRjg.dll
2008-05-15 23:32:52 7045 --a------ C:\WINDOWS\system32\khfEUkKe.dll
2008-05-15 22:32:51 7045 --a------ C:\WINDOWS\system32\tuvuRIcD.dll
2008-05-15 21:32:49 7045 --a------ C:\WINDOWS\system32\iifcBuTn.dll
2008-05-15 20:32:49 7045 --a------ C:\WINDOWS\system32\opnOIxVm.dll
2008-05-15 19:32:48 7045 --a------ C:\WINDOWS\system32\khfcyVPF.dll
2008-05-15 18:32:47 7045 --a------ C:\WINDOWS\system32\rqRHYPHX.dll
2008-05-15 17:32:46 7045 --a------ C:\WINDOWS\system32\qoMdAQgE.dll
2008-05-15 16:32:44 7045 --a------ C:\WINDOWS\system32\khfDuUOF.dll
2008-05-15 14:32:45 7045 --a------ C:\WINDOWS\system32\cbXQJBRi.dll
2008-05-15 13:32:48 7034 --a------ C:\WINDOWS\system32\urqNEuRi.dll
2008-05-15 12:32:41 7034 --a------ C:\WINDOWS\system32\yayWoPjk.dll
2008-05-15 11:32:57 7034 --a------ C:\WINDOWS\system32\awtuvUMc.dll
2008-05-15 10:32:49 7034 --a------ C:\WINDOWS\system32\rqRIyvUo.dll
2008-05-15 09:32:57 7034 --a------ C:\WINDOWS\system32\urqQkHXQ.dll
2008-05-15 08:32:37 7034 --a------ C:\WINDOWS\system32\jkkKcDTm.dll
2008-05-15 07:32:35 7034 --a------ C:\WINDOWS\system32\ssqOFVOI.dll
2008-05-15 06:32:35 7034 --a------ C:\WINDOWS\system32\yayvTjhH.dll
2008-05-15 05:32:34 7034 --a------ C:\WINDOWS\system32\awtqRJcB.dll
2008-05-15 04:32:32 7034 --a------ C:\WINDOWS\system32\efcDVOfg.dll
2008-05-15 03:32:32 7034 --a------ C:\WINDOWS\system32\ljJYpPjG.dll
2008-05-15 02:32:31 7031 --a------ C:\WINDOWS\system32\nnnmnnmn.dll
2008-05-15 01:32:30 7031 --a------ C:\WINDOWS\system32\iiffETjj.dll
2008-05-15 00:32:28 7031 --a------ C:\WINDOWS\system32\ljJYSjhi.dll
2008-05-14 23:32:28 7031 --a------ C:\WINDOWS\system32\tuvSifdD.dll
2008-05-14 22:32:27 7031 --a------ C:\WINDOWS\system32\xxyaabxV.dll
2008-05-14 21:32:25 7045 --a------ C:\WINDOWS\system32\geBroMCT.dll
2008-05-14 20:32:25 7045 --a------ C:\WINDOWS\system32\pmnNfGAp.dll
2008-05-14 19:32:24 7045 --a------ C:\WINDOWS\system32\awttuurQ.dll
2008-05-14 18:32:22 7045 --a------ C:\WINDOWS\system32\iifecaba.dll
2008-05-14 17:32:21 7045 --a------ C:\WINDOWS\system32\vtUlkJDW.dll
2008-05-14 16:32:21 7045 --a------ C:\WINDOWS\system32\khfFVOfG.dll
2008-05-14 15:32:20 7045 --a------ C:\WINDOWS\system32\wvUkKExv.dll
2008-05-14 14:32:19 7045 --a------ C:\WINDOWS\system32\awtqnkhe.dll
2008-05-14 13:32:20 7034 --a------ C:\WINDOWS\system32\efcaawxv.dll
2008-05-14 12:32:47 7034 --a------ C:\WINDOWS\system32\nnnnOFUK.dll
2008-05-14 11:32:35 7034 --a------ C:\WINDOWS\system32\awtrrOfG.dll
2008-05-14 09:32:26 7034 --a------ C:\WINDOWS\system32\ssqRHXOh.dll
2008-05-14 08:32:14 7034 --a------ C:\WINDOWS\system32\ljJCvWqr.dll
2008-05-14 06:32:10 7034 --a------ C:\WINDOWS\system32\byXNFyvU.dll
2008-05-14 04:32:09 7034 --a------ C:\WINDOWS\system32\geBTnLbX.dll
2008-05-14 03:32:07 7031 --a------ C:\WINDOWS\system32\ljJCtrop.dll
2008-05-14 01:32:06 7031 --a------ C:\WINDOWS\system32\rqRJBUlJ.dll
2008-05-14 00:32:05 7031 --a------ C:\WINDOWS\system32\pmnkkhiF.dll
2008-05-13 23:32:04 7031 --a------ C:\WINDOWS\system32\cbXOHAtu.dll
2008-05-13 21:32:02 7031 --a------ C:\WINDOWS\system32\xxyvUKBR.dll
2008-05-13 20:32:00 7031 --a------ C:\WINDOWS\system32\ljJYPfgh.dll
2008-05-13 19:32:00 7031 --a------ C:\WINDOWS\system32\cbXNHXQJ.dll
2008-05-13 18:32:01 7031 --a------ C:\WINDOWS\system32\wvUnOGwW.dll
2008-05-13 17:31:59 7031 --a------ C:\WINDOWS\system32\opnolICS.dll
2008-05-13 17:26:56 28672 --a------ C:\WINDOWS\system32\geBstsrq.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{193faca5-63e2-43cf-baa6-e2015c2b3e88}]
07/29/2008 02:11 PM 102400 --a------ C:\WINDOWS\system32\jiqgpw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
05/13/2008 05:26 PM 28672 --a------ C:\WINDOWS\system32\geBstsrq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A754BA31-C9F4-4357-91DC-B8F8655E4A33}]
05/18/2008 01:33 AM 374784 --a------ C:\WINDOWS\system32\iiffDstU.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [08/15/2007 08:15 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"LSA Shellu"="C:\Documents and Settings\Owner\lsass.exe" [03/23/2008 10:17 PM]
"68502bf1"="C:\WINDOWS\system32\ivgeuemw.dll" [05/29/2008 03:31 PM]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [06/19/2008 04:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SybaseCentral43"="C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [10/13/2004 02:50 PM]
"DBISQL9"="C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [10/19/2004 05:45 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Gadwin PrintScreen 3.1"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [09/26/2005 07:18 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\geBstsrq.dll [05/13/2008 05:26 PM 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBstsrq]
geBstsrq.dll 05/13/2008 05:26 PM 28672 C:\WINDOWS\system32\geBstsrq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iiffDstU

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GA311 Smart Wizard Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk
backup=C:\WINDOWS\pss\GA311 Smart Wizard Utility.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
"C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SharedAccess"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtLmSsp"=3 (0x3)
"MSIServer"=3 (0x3)
"iPod Service"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6058e9ba-5196-11dc-8c65-0011116b783d}]
AutoRun\command- Autorun.exe /run
Shell00\Command- Autorun.exe /run
Shell01\Command- Autorun.exe /action
Shell02\Command- Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c461a-41b3-11db-8c35-000000000000}]
AutoRun\command- J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{753c728e-648c-11db-8c3c-0011116b783d}]
Auto\command- J:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b2c938a-c0fa-11db-8c50-0011116b783d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95b14375-2628-11db-8c25-0011116b783d}]
AutoRun\command- M:\LaunchU3.exe

*Newly Created Service* - MCHINJDRV



-- End of Deckard's System Scanner: finished at 2008-07-29 15:59:52 ------------



And here is the extra.txt from DSS:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 1014.73 MiB / 542.95 MiB
Pagefile Memory (total/avail): 2443.19 MiB / 2123.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1915 MiB

C: is Fixed (NTFS) - 149.05 GiB total, 105.17 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
U: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD1600JD-22HBB0 - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.05 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\DSV_Football\\rteng6.exe"="C:\\DSV_Football\\rteng6.exe:*:Disabled:Adaptive Server Anywhere Database Engine"
"C:\\WINDOWS\\LMIE.tmp\\rescue.exe"="C:\\WINDOWS\\LMIE.tmp\\rescue.exe:*:Enabled:rescue"
"C:\\DSV_Football2\\rteng6.exe"="C:\\DSV_Football2\\rteng6.exe:*:Disabled:Adaptive Server Anywhere Database Engine"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
ASANY9=C:\Program Files\Sybase\SQL Anywhere 9
ASANYSH9=C:\Program Files\Sybase\Shared
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WORKSTATION1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\WORKSTATION1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Sybase\SQL Anywhere 9\win32;C:\Program Files\Sybase\Shared\win32;C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=WORKSTATION1
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /X{85808CBD-8E3E-4F04-B626-167115874290} /Q
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F6DFDC8-7EAA-4B9B-AC3A-AE04F77D81CF}\Setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4U AVI MPEG Converter (version 5.2.6) --> "C:\Program Files\4U Computing\AVI MPEG Converter\unins000.exe"
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Help Center 2.1 --> MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Premiere Elements 3.0.2 --> msiexec /I {530AFAFF-6F0A-48BB-88D0-04F9658322D3}
Adobe Premiere Elements 3.0.2 --> MsiExec.exe /I{530AFAFF-6F0A-48BB-88D0-04F9658322D3}
Adobe Premiere Elements 3.0.2 Templates --> MsiExec.exe /I{6EACDDF4-4220-49A3-9204-984C86852C3D}
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{763E8D6C-0098-4FF4-801A-3F311D2D9D80}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
DSV Football Pro --> C:\DSV_Football\UnInstall_26054.exe
DSV Football Pro 2.0 --> C:\DSV_Football2\UnInstall_26054.exe
DSV Football Pro 3.0 --> C:\DSV_Football3\UnInstall_26054.exe
DSV Football Pro 3.0 Updates --> C:\DSV_Football3\UnInstall_26054.exe
DSV Football Pro Updates --> C:\DSV_Football\UnInstall_26054.exe
FirstClass® Client --> C:\Program Files\InstallShield Installation Information\{5B35C417-2649-11D6-83D1-0050FC01225C}\setup.exe -runfromtemp -l0x0009 -uninst -removeonly
Gadwin PrintScreen --> C:\Program Files\Gadwin Systems\PrintScreen\Uninstall.exe
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iTunes --> MsiExec.exe /I{974C05A0-C76C-4724-A9A2-11D5D1355729}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
MainConcept DV Codec (Demo) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B957D56-D804-4575-AFC2-61583D3404CC}\setup.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Picture It! Photo Premium 9 --> c:\WINDOWS\system32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0903}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MiniCSU-3 USB Drivers --> C:\WINDOWS\system32\ftdiunin.exe C:\WINDOWS\system32\ftdiun2k.ini
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NETGEAR GA311 Smart Wizard Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{DBD40476-78A4-4738-86B4-A5FB8807946D}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Samsung ML-2010 Series --> C:\WINDOWS\Samsung\ML-2010\SETUP.EXE
ScenalyzerLive (remove) --> C:\WINDOWS\unslive.exe
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
SQL Anywhere Studio 9, Documentation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2B0FD55-03C2-4B7F-A67F-C042C260371F}\setup.exe" -l0x9 UNINSTALLING
SQL Anywhere Studio 9, Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F653AB56-DB37-415B-8DDD-EF5BC1982150}\is_setup.exe" -l0x9 UNINSTALLING
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

No Errors/Warnings found.


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

No Errors/Warnings found.


-- End of Deckard's System Scanner: finished at 2008-07-29 15:59:52 ------------

#2 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 30 July 2008 - 02:51 PM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an Antivirus before starting this thread, because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no Antivirus is present, which should be able to deal with most of it and prevent further reinfection.

#3 sms7204 (Topic Starter)

  • Members
  • 10 posts

Posted 01 August 2008 - 12:04 PM

Hi. Thanks for the help so far. Yeah, I agree that not having an anti-virus package is kind of ridiculous. This computer is actually at my job: I coach high school football, and we use this computer for watching lots of film on opponents. Not sure how it got infected with malware... but the football video software we use is rather finicky, and doesn't work well when anti-virus programs are also running... but we'll see how it does with Avira!

Here's the Avira report:



Avira AntiVir Personal
Report file date: Thursday, July 31, 2008 15:32

Scanning for 1523821 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: WORKSTATION1

Version information:
BUILD.DAT : 8.1.0.326 16933 Bytes 7/11/2008 12:57:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 15:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 17:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 20:54:15
ANTIVIR2.VDF : 7.0.5.174 2027008 Bytes 7/25/2008 20:04:38
ANTIVIR3.VDF : 7.0.5.200 212480 Bytes 7/31/2008 20:04:40
Engineversion : 8.1.1.15
AEVDF.DLL : 8.1.0.5 102772 Bytes 7/9/2008 15:46:50
AESCRIPT.DLL : 8.1.0.61 311675 Bytes 7/31/2008 20:04:52
AESCN.DLL : 8.1.0.23 119156 Bytes 7/31/2008 20:04:51
AERDL.DLL : 8.1.0.20 418165 Bytes 7/9/2008 15:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 7/31/2008 20:04:49
AEOFFICE.DLL : 8.1.0.21 192891 Bytes 7/31/2008 20:04:48
AEHEUR.DLL : 8.1.0.44 1343863 Bytes 7/31/2008 20:04:46
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/9/2008 15:46:50
AEGEN.DLL : 8.1.0.32 315765 Bytes 7/31/2008 20:04:43
AEEMU.DLL : 8.1.0.7 430452 Bytes 7/31/2008 20:04:42
AECORE.DLL : 8.1.1.8 172406 Bytes 7/31/2008 20:04:41
AEBB.DLL : 8.1.0.1 53617 Bytes 4/24/2008 15:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 20:04:41
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, July 31, 2008 15:32

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'PrintScreen.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'dbisqlg.exe' - '1' Module(s) have been scanned
Scan process 'scjview.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
24 processes with 24 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\geBstsrq.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\lsass.exe
[DETECTION] Contains recognition pattern of the DR/IRCBot.ABUF dropper
[NOTE] The file was deleted!
C:\WINDOWS\system32\ivgeuemw.dll
[DETECTION] Is the TR/Mondera.101376.2 Trojan
[NOTE] The file was deleted!

The registry was scanned ( '56' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\ARK4.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\AZKLI9QH\kb767887[1]
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP681\A0045260.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP681\A0045261.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP681\A0045272.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP681\A0046272.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP681\A0046274.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP681\A0047272.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP681\A0047273.dll
[DETECTION] Is the TR/Mondera.95232.2 Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP683\A0052299.exe
[DETECTION] Contains recognition pattern of the DR/IRCBot.ABUF dropper
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP683\A0052300.dll
[DETECTION] Is the TR/Mondera.101376.2 Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\adsxtqaf.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\ajhdbnep.exe
[DETECTION] Is the TR/Lowzones.SG Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\bcwibsgb.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\bwrdqnwu.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\cnkveetq.exe
[DETECTION] Is the TR/PrivacySet.A Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\cvjmdk.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\dcloijdx.dll
[DETECTION] Is the TR/Mondera.109568.2 Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\dejfumjk.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\dibjphge.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\dkpicegx.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\dnkquepj.exe
[DETECTION] Is the TR/Lowzones.SG Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\efoyjltg.exe
[DETECTION] Is the TR/Lowzones.SG Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\fgvtntfv.dll
[DETECTION] Is the TR/Mondera.112640.1 Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\fmsbddmy.dll
[DETECTION] Is the TR/Mondera.111616.5 Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\gkniwcrj.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\gryqpaxb.exe
[DETECTION] Is the TR/PrivacySet.A Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\hcgabmqj.exe
[DETECTION] Is the TR/Lowzones.SG Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\hgsewvhc.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\iiffDstU.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
C:\WINDOWS\system32\jbzeuh.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\jioxqsso.exe
[DETECTION] Is the TR/PrivacySet.A Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\jiqgpw.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\jyeadhuo.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\ljrebymo.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\lxrhinmj.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\mgrxqnae.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\mmiglppk.exe
[DETECTION] Is the TR/Lowzones.SG Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\mtpgbtri.exe
[DETECTION] Is the TR/Lowzones.SG Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\nnmqibha.dll
[DETECTION] Is the TR/Vundo.enl.1 Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\ohaqcoxa.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\orclwhtx.dll
[DETECTION] Is the TR/Mondera.106496.4 Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\qepegwlt.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\qtpntsbl.exe
[DETECTION] Is the TR/Lowzones.SG Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\ramgvdag.exe
[DETECTION] Is the TR/Lowzones.SG Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\sbkdtbkt.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\skwnobat.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\snirsqes.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\uhvyecfu.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\uthdpwcf.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\vbruws.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\vxltvosr.exe
[DETECTION] Is the TR/Lowzones.SG Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\xdptml.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\zpjkpm.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!


End of the scan: Friday, August 01, 2008 01:00
Used time: 9:27:36 Hour(s)

The scan has been done completely.

4962 Scanning directories
296057 Files were scanned
57 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
57 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
295998 Files not concerned
6641 Archives were scanned
9 Warnings
57 Notes

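Reading the Avira report above for triage, as an added example that is not part of the original thread and not Avira's or BleepingComputer's code: a Python script that parses the report layout shown (a path line followed by its [DETECTION], [WARNING] and [NOTE] lines), tallies detection families, and pulls out three things worth checking before the registry is cleaned: files Avira could only delete through its ARK lib, a Windows core-process name (lsass.exe) found outside System32, and files reached during the registry-scan phase, whose registry values now point at deleted files. SAMPLE_REPORT is a constructed excerpt with paths and detection names copied from the report above; the ARK-lib and registry-phase readings are assumptions stated in the comments, and the list of core binaries is the author's choice, not something from the report.

```python
"""Triage helper for an Avira AntiVir report in the layout posted above (added
example; not code from the thread, from Avira or from BleepingComputer)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample: an excerpt in the report's layout, with paths and
# detection names copied from the report above (not the whole report).
SAMPLE_REPORT = r"""
Starting to scan the registry.
C:\WINDOWS\system32\geBstsrq.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\lsass.exe
[DETECTION] Contains recognition pattern of the DR/IRCBot.ABUF dropper
[NOTE] The file was deleted!

Starting the file scan:
C:\ARK4.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
C:\System Volume Information\_restore{7514DDF7-E082-4FB6-9635-49B7303C51BF}\RP681\A0045260.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\iiffDstU.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK lib.
[NOTE] The file was deleted!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
NAME_RE = re.compile(r"\b([A-Z]{2,}/\w[\w.\-]*)")   # TR/Crypt.XPACK.Gen, DR/IRCBot.ABUF
# Folder holding the genuine Windows XP binary of each core process (assumed
# list); the same file name anywhere else (here: Owner\lsass.exe) is a masquerade.
SYSTEM32 = r"c:\windows\system32"
CORE_BINARIES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe")


@dataclass
class Finding:
    path: str
    detection: str            # e.g. "TR/Crypt.XPACK.Gen"
    section: str              # "registry" or "file": the scan phase that reached the file
    deleted: bool = False
    needed_ark: bool = False  # normal delete failed, Avira fell back to its ARK lib

    @property
    def family(self) -> str:
        return self.detection.split(".")[0]            # "TR/Crypt.XPACK.Gen" -> "TR/Crypt"

    @property
    def masquerade(self) -> bool:
        folder, _, base = self.path.lower().rpartition("\\")
        return base in CORE_BINARIES and folder != SYSTEM32


def parse_report(text: str) -> List[Finding]:
    """A path line opens a block; the bracketed lines after it describe that file."""
    findings: List[Finding] = []
    section, path, current = "file", "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting to scan the registry"):
            section = "registry"
        elif line.startswith("Starting the file scan"):
            section = "file"
        elif PATH_RE.match(line):
            path, current = line, None       # no finding until a [DETECTION] follows
        elif line.startswith("[DETECTION]"):
            m = NAME_RE.search(line)
            current = Finding(path, m.group(1) if m else line, section)
            findings.append(current)
        elif current is not None and line.startswith("[NOTE]"):
            if "ARK lib" in line:
                current.needed_ark = True
            elif "was deleted" in line:
                current.deleted = True
    return findings


def triage(findings: List[Finding]) -> dict:
    return {
        "families": Counter(f.family for f in findings),
        # Deleted only via the ARK lib: most likely loaded or protected at scan
        # time (an interpretation; the report itself does not say why).
        "locked_at_scan_time": [f.path for f in findings if f.needed_ark],
        "masquerades": [f.path for f in findings if f.masquerade],
        # Reached by the registry scan, so a registry value still names each one
        # after deletion: expect "(file missing)" entries in the next HijackThis log.
        "registry_referenced": [f.path for f in findings if f.section == "registry"],
        "restore_point_copies": sum("\\_restore{" in f.path for f in findings),
        "not_deleted": [f.path for f in findings if not f.deleted],
    }


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

Feed the full report text in place of SAMPLE_REPORT to get the same breakdown for the whole scan; the "registry_referenced" list is the set of files to look for in the next HijackThis log, since deleting the DLL does not remove the BHO, Winlogon Notify or LSA value that loaded it.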
#4 sms7204 (Topic Starter)

  • Members
  • 10 posts

Posted 01 August 2008 - 12:06 PM

Here is the HJT clone report, using DSS:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-01 12:20:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-01 12:20:45
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = espn.go.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {d0e80d66-15b6-e999-fd04-ee102fc569d1} - {1d965cf2-01ee-40df-999e-6b5166d08e0d} - C:\WINDOWS\system32\xdptml.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - C:\WINDOWS\system32\geBstsrq.dll (file missing)
O2 - BHO: (no name) - {A4443DF1-7AA1-4DB5-9751-40C11BFC8A82} - C:\WINDOWS\system32\iiffDstU.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SybaseCentral43] "C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{72C1B883-BC67-485D-AB81-C6D6EB6B479F}: NameServer = 172.16.6.30
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9CCDF2B8-5BD0-4921-8FD4-00D805E91A86}: NameServer = 172.16.6.30
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: geBstsrq - C:\WINDOWS\system32\geBstsrq.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


--
End of file - 5353 bytes

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-07-31 15:17:45 15 --a------ C:\WINDOWS\system32\6850397f
2008-07-31 15:03:00 0 d-------- C:\Program Files\Avira
2008-07-31 15:03:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-31 14:41:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-31 12:32:02 6464 --a------ C:\WINDOWS\system32\vpmjhguo.dll
2008-07-31 12:29:02 6458 --a------ C:\WINDOWS\system32\qocscwth.dll
2008-07-30 12:35:02 6464 --a------ C:\WINDOWS\system32\mnbygmdl.dll
2008-07-30 12:29:02 6458 --a------ C:\WINDOWS\system32\lokucrdy.dll
2008-07-29 14:48:47 0 d-------- C:\Program Files\Enigma Software Group
2008-07-29 14:08:48 6464 --a------ C:\WINDOWS\system32\egntiikj.dll
2008-07-29 12:26:12 6458 --a------ C:\WINDOWS\system32\stxeblfa.dll
2008-07-25 13:04:20 6458 --a------ C:\WINDOWS\system32\rdhheamx.dll
2008-07-23 20:56:48 6458 --a------ C:\WINDOWS\system32\nojlgdey.dll
2008-07-23 09:05:18 6464 --a------ C:\WINDOWS\system32\nmwlpqry.dll
2008-07-22 20:56:41 6458 --a------ C:\WINDOWS\system32\ykpoovdj.dll
2008-07-21 21:02:52 6464 --a------ C:\WINDOWS\system32\ayeaivxp.dll
2008-07-21 20:56:52 6458 --a------ C:\WINDOWS\system32\retofbqa.dll
2008-07-21 20:03:33 6464 --a------ C:\WINDOWS\system32\rysuvfdh.dll


-- Find3M Report ---------------------------------------------------------------

2008-08-01 11:44:43 860483 --ahs---- C:\WINDOWS\system32\UtsDffii.ini2
2008-05-18 00:33:40 7031 --a------ C:\WINDOWS\system32\iifcAqRK.dll
2008-05-17 23:33:40 7031 --a------ C:\WINDOWS\system32\vtUnlkJB.dll
2008-05-17 22:33:39 7031 --a------ C:\WINDOWS\system32\efcAPhgH.dll
2008-05-17 21:33:37 7031 --a------ C:\WINDOWS\system32\iifgHATj.dll
2008-05-17 20:33:37 7031 --a------ C:\WINDOWS\system32\yayaATmJ.dll
2008-05-17 19:33:35 7031 --a------ C:\WINDOWS\system32\khfFYSJC.dll
2008-05-17 18:33:34 7031 --a------ C:\WINDOWS\system32\pmnnNeDT.dll
2008-05-17 17:33:34 7031 --a------ C:\WINDOWS\system32\hgGwVLeB.dll
2008-05-17 16:33:33 7031 --a------ C:\WINDOWS\system32\qoMdCSjH.dll
2008-05-17 15:33:32 7031 --a------ C:\WINDOWS\system32\ljJBuroM.dll
2008-05-17 14:33:31 7031 --a------ C:\WINDOWS\system32\ddcBSJbc.dll
2008-05-17 13:33:40 7031 --a------ C:\WINDOWS\system32\ljJBrRkl.dll
2008-05-17 12:33:29 7031 --a------ C:\WINDOWS\system32\iifeffDs.dll
2008-05-17 11:33:31 7031 --a------ C:\WINDOWS\system32\pmnoMcYR.dll
2008-05-17 10:33:27 7031 --a------ C:\WINDOWS\system32\hgGvspME.dll
2008-05-17 09:33:25 7031 --a------ C:\WINDOWS\system32\qoMeFxvW.dll
2008-05-17 08:33:28 7031 --a------ C:\WINDOWS\system32\awtuvWoO.dll
2008-05-17 07:33:23 7031 --a------ C:\WINDOWS\system32\hgGyaxya.dll
2008-05-17 06:33:23 7031 --a------ C:\WINDOWS\system32\tuvTllkk.dll
2008-05-17 05:33:22 7031 --a------ C:\WINDOWS\system32\ddcAtTLf.dll
2008-05-17 04:33:20 7031 --a------ C:\WINDOWS\system32\yaywuuTn.dll
2008-05-17 03:33:20 7031 --a------ C:\WINDOWS\system32\opnnmLFv.dll
2008-05-17 02:33:18 7031 --a------ C:\WINDOWS\system32\byXNgeCv.dll
2008-05-17 01:33:19 7031 --a------ C:\WINDOWS\system32\hgGxWppM.dll
2008-05-17 00:33:17 7031 --a------ C:\WINDOWS\system32\cbXNDVOg.dll
2008-05-16 23:33:15 7031 --a------ C:\WINDOWS\system32\yayxywTj.dll
2008-05-16 22:33:15 7031 --a------ C:\WINDOWS\system32\ljJBqqPH.dll
2008-05-16 21:33:14 7031 --a------ C:\WINDOWS\system32\hgGyaYpm.dll
2008-05-16 20:33:12 7031 --a------ C:\WINDOWS\system32\hgGyxUMD.dll
2008-05-16 19:33:12 7031 --a------ C:\WINDOWS\system32\tuvTklKa.dll
2008-05-16 18:33:11 7031 --a------ C:\WINDOWS\system32\ddcBUnkk.dll
2008-05-16 17:33:09 7034 --a------ C:\WINDOWS\system32\efcCtrQI.dll
2008-05-16 16:33:09 7034 --a------ C:\WINDOWS\system32\efcARljJ.dll
2008-05-16 15:33:08 7034 --a------ C:\WINDOWS\system32\yayvWQGx.dll
2008-05-16 14:33:07 7031 --a------ C:\WINDOWS\system32\rqRHwTLb.dll
2008-05-16 13:33:08 7031 --a------ C:\WINDOWS\system32\urqQgdbc.dll
2008-05-16 12:33:05 7031 --a------ C:\WINDOWS\system32\ljJBrQig.dll
2008-05-16 11:33:27 7031 --a------ C:\WINDOWS\system32\fccaXOEU.dll
2008-05-16 10:33:02 7031 --a------ C:\WINDOWS\system32\khfCuSjk.dll
2008-05-16 09:33:22 7031 --a------ C:\WINDOWS\system32\tuvUMffG.dll
2008-05-16 08:33:01 7031 --a------ C:\WINDOWS\system32\vtUklkKa.dll
2008-05-16 07:33:00 7031 --a------ C:\WINDOWS\system32\hgGxXppo.dll
2008-05-16 06:32:58 7031 --a------ C:\WINDOWS\system32\awtsPiig.dll
2008-05-16 05:32:58 7031 --a------ C:\WINDOWS\system32\mlJdBSih.dll
2008-05-16 04:32:57 7031 --a------ C:\WINDOWS\system32\qoMcabxX.dll
2008-05-16 03:32:55 7045 --a------ C:\WINDOWS\system32\fccdbCSK.dll
2008-05-16 02:32:55 7045 --a------ C:\WINDOWS\system32\ddcddbcy.dll
2008-05-16 01:32:54 7045 --a------ C:\WINDOWS\system32\geBuSKEV.dll
2008-05-16 00:32:52 7045 --a------ C:\WINDOWS\system32\xxyxXRjg.dll
2008-05-15 23:32:52 7045 --a------ C:\WINDOWS\system32\khfEUkKe.dll
2008-05-15 22:32:51 7045 --a------ C:\WINDOWS\system32\tuvuRIcD.dll
2008-05-15 21:32:49 7045 --a------ C:\WINDOWS\system32\iifcBuTn.dll
2008-05-15 20:32:49 7045 --a------ C:\WINDOWS\system32\opnOIxVm.dll
2008-05-15 19:32:48 7045 --a------ C:\WINDOWS\system32\khfcyVPF.dll
2008-05-15 18:32:47 7045 --a------ C:\WINDOWS\system32\rqRHYPHX.dll
2008-05-15 17:32:46 7045 --a------ C:\WINDOWS\system32\qoMdAQgE.dll
2008-05-15 16:32:44 7045 --a------ C:\WINDOWS\system32\khfDuUOF.dll
2008-05-15 14:32:45 7045 --a------ C:\WINDOWS\system32\cbXQJBRi.dll
2008-05-15 13:32:48 7034 --a------ C:\WINDOWS\system32\urqNEuRi.dll
2008-05-15 12:32:41 7034 --a------ C:\WINDOWS\system32\yayWoPjk.dll
2008-05-15 11:32:57 7034 --a------ C:\WINDOWS\system32\awtuvUMc.dll
2008-05-15 10:32:49 7034 --a------ C:\WINDOWS\system32\rqRIyvUo.dll
2008-05-15 09:32:57 7034 --a------ C:\WINDOWS\system32\urqQkHXQ.dll
2008-05-15 08:32:37 7034 --a------ C:\WINDOWS\system32\jkkKcDTm.dll
2008-05-15 07:32:35 7034 --a------ C:\WINDOWS\system32\ssqOFVOI.dll
2008-05-15 06:32:35 7034 --a------ C:\WINDOWS\system32\yayvTjhH.dll
2008-05-15 05:32:34 7034 --a------ C:\WINDOWS\system32\awtqRJcB.dll
2008-05-15 04:32:32 7034 --a------ C:\WINDOWS\system32\efcDVOfg.dll
2008-05-15 03:32:32 7034 --a------ C:\WINDOWS\system32\ljJYpPjG.dll
2008-05-15 02:32:31 7031 --a------ C:\WINDOWS\system32\nnnmnnmn.dll
2008-05-15 01:32:30 7031 --a------ C:\WINDOWS\system32\iiffETjj.dll
2008-05-15 00:32:28 7031 --a------ C:\WINDOWS\system32\ljJYSjhi.dll
2008-05-14 23:32:28 7031 --a------ C:\WINDOWS\system32\tuvSifdD.dll
2008-05-14 22:32:27 7031 --a------ C:\WINDOWS\system32\xxyaabxV.dll
2008-05-14 21:32:25 7045 --a------ C:\WINDOWS\system32\geBroMCT.dll
2008-05-14 20:32:25 7045 --a------ C:\WINDOWS\system32\pmnNfGAp.dll
2008-05-14 19:32:24 7045 --a------ C:\WINDOWS\system32\awttuurQ.dll
2008-05-14 18:32:22 7045 --a------ C:\WINDOWS\system32\iifecaba.dll
2008-05-14 17:32:21 7045 --a------ C:\WINDOWS\system32\vtUlkJDW.dll
2008-05-14 16:32:21 7045 --a------ C:\WINDOWS\system32\khfFVOfG.dll
2008-05-14 15:32:20 7045 --a------ C:\WINDOWS\system32\wvUkKExv.dll
2008-05-14 14:32:19 7045 --a------ C:\WINDOWS\system32\awtqnkhe.dll
2008-05-14 13:32:20 7034 --a------ C:\WINDOWS\system32\efcaawxv.dll
2008-05-14 12:32:47 7034 --a------ C:\WINDOWS\system32\nnnnOFUK.dll
2008-05-14 11:32:35 7034 --a------ C:\WINDOWS\system32\awtrrOfG.dll
2008-05-14 09:32:26 7034 --a------ C:\WINDOWS\system32\ssqRHXOh.dll
2008-05-14 08:32:14 7034 --a------ C:\WINDOWS\system32\ljJCvWqr.dll
2008-05-14 06:32:10 7034 --a------ C:\WINDOWS\system32\byXNFyvU.dll
2008-05-14 04:32:09 7034 --a------ C:\WINDOWS\system32\geBTnLbX.dll
2008-05-14 03:32:07 7031 --a------ C:\WINDOWS\system32\ljJCtrop.dll
2008-05-14 01:32:06 7031 --a------ C:\WINDOWS\system32\rqRJBUlJ.dll
2008-05-14 00:32:05 7031 --a------ C:\WINDOWS\system32\pmnkkhiF.dll
2008-05-13 23:32:04 7031 --a------ C:\WINDOWS\system32\cbXOHAtu.dll
2008-05-13 21:32:02 7031 --a------ C:\WINDOWS\system32\xxyvUKBR.dll
2008-05-13 20:32:00 7031 --a------ C:\WINDOWS\system32\ljJYPfgh.dll
2008-05-13 19:32:00 7031 --a------ C:\WINDOWS\system32\cbXNHXQJ.dll
2008-05-13 18:32:01 7031 --a------ C:\WINDOWS\system32\wvUnOGwW.dll
2008-05-13 17:31:59 7031 --a------ C:\WINDOWS\system32\opnolICS.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1d965cf2-01ee-40df-999e-6b5166d08e0d}]
C:\WINDOWS\system32\xdptml.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
C:\WINDOWS\system32\geBstsrq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4443DF1-7AA1-4DB5-9751-40C11BFC8A82}]
C:\WINDOWS\system32\iiffDstU.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [08/15/2007 08:15 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SybaseCentral43"="C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [10/13/2004 02:50 PM]
"DBISQL9"="C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [10/19/2004 05:45 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Gadwin PrintScreen 3.1"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [09/26/2005 07:18 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}"= C:\WINDOWS\system32\geBstsrq.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBstsrq]
geBstsrq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iiffDstU

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GA311 Smart Wizard Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk
backup=C:\WINDOWS\pss\GA311 Smart Wizard Utility.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
"C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SharedAccess"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtLmSsp"=3 (0x3)
"MSIServer"=3 (0x3)
"iPod Service"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6058e9ba-5196-11dc-8c65-0011116b783d}]
AutoRun\command- Autorun.exe /run
Shell00\Command- Autorun.exe /run
Shell01\Command- Autorun.exe /action
Shell02\Command- Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c461a-41b3-11db-8c35-000000000000}]
AutoRun\command- J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{753c728e-648c-11db-8c3c-0011116b783d}]
Auto\command- J:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b2c938a-c0fa-11db-8c50-0011116b783d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95b14375-2628-11db-8c25-0011116b783d}]
AutoRun\command- M:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-08-01 12:21:17 ------------

#5 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 August 2008 - 01:24 PM

Hi,

Let's deal with the rest now...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 sms7204
  • Topic Starter

  • Members
  • 10 posts

Posted 01 August 2008 - 05:27 PM

Here is the ComboFix log:

ComboFix 08-07-31.06 - Owner 2008-08-01 17:01:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.637 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6b63186d.txt
C:\WINDOWS\BM6b63186d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cgarcihj.ini
C:\WINDOWS\system32\jokwdtps.ini
C:\WINDOWS\system32\lctdsbmj.ini
C:\WINDOWS\system32\lohqhfys.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qrtdovbn.ini
C:\WINDOWS\system32\rgtgjikn.ini
C:\WINDOWS\system32\scnabvfv.ini
C:\WINDOWS\system32\tyvtixjl.ini
C:\WINDOWS\system32\UtsDffii.ini
C:\WINDOWS\system32\UtsDffii.ini2
C:\WINDOWS\system32\wmeuegvi.ini
C:\WINDOWS\system32\yywrvsks.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 17:05 . 2008-08-01 17:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-01 17:05 . 2008-08-01 17:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-01 16:25 . 2008-08-01 16:26 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-31 15:17 . 2008-07-31 15:17 15 --a------ C:\WINDOWS\system32\6850397f
2008-07-31 15:03 . 2008-07-31 15:03 <DIR> d-------- C:\Program Files\Avira
2008-07-31 15:03 . 2008-07-31 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-31 12:32 . 2008-07-31 12:32 6,464 --a------ C:\WINDOWS\system32\vpmjhguo.dll
2008-07-31 12:29 . 2008-07-31 12:29 6,458 --a------ C:\WINDOWS\system32\qocscwth.dll
2008-07-30 12:35 . 2008-07-30 12:35 6,464 --a------ C:\WINDOWS\system32\mnbygmdl.dll
2008-07-30 12:29 . 2008-07-30 12:29 6,458 --a------ C:\WINDOWS\system32\lokucrdy.dll
2008-07-29 15:57 . 2008-07-29 15:57 <DIR> d-------- C:\Deckard
2008-07-29 14:48 . 2008-07-31 14:58 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-29 14:08 . 2008-07-29 14:08 6,464 --a------ C:\WINDOWS\system32\egntiikj.dll
2008-07-29 12:26 . 2008-07-29 12:26 6,458 --a------ C:\WINDOWS\system32\stxeblfa.dll
2008-07-25 13:04 . 2008-07-25 13:04 6,458 --a------ C:\WINDOWS\system32\rdhheamx.dll
2008-07-23 20:56 . 2008-07-23 20:56 6,458 --a------ C:\WINDOWS\system32\nojlgdey.dll
2008-07-23 09:05 . 2008-07-23 09:05 6,464 --a------ C:\WINDOWS\system32\nmwlpqry.dll
2008-07-22 20:56 . 2008-07-22 20:56 6,458 --a------ C:\WINDOWS\system32\ykpoovdj.dll
2008-07-21 21:02 . 2008-07-21 21:02 6,464 --a------ C:\WINDOWS\system32\ayeaivxp.dll
2008-07-21 20:56 . 2008-07-21 20:56 6,458 --a------ C:\WINDOWS\system32\retofbqa.dll
2008-07-21 20:03 . 2008-07-21 20:03 6,464 --a------ C:\WINDOWS\system32\rysuvfdh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-10-26 03:57 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SybaseCentral43"="C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2004-10-13 14:50 102400]
"DBISQL9"="C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-10-19 17:45 131072]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Gadwin PrintScreen 3.1"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2005-09-26 19:18 1073152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GA311 Smart Wizard Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk
backup=C:\WINDOWS\pss\GA311 Smart Wizard Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 20:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 20:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-11-01 04:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
--------- 2005-03-14 00:01 360448 C:\WINDOWS\Samsung\ComSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-12 00:18 135168 C:\Program Files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-07-03 04:49 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-07-06 03:05 2550272 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-18 03:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-18 00:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 18:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-01 20:58 73728 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SharedAccess"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtLmSsp"=3 (0x3)
"MSIServer"=3 (0x3)
"iPod Service"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\DSV_Football\\rteng6.exe"=
"C:\\DSV_Football2\\rteng6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"C:\\Program Files\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
S3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-08-15 02:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6058e9ba-5196-11dc-8c65-0011116b783d}]
\Shell\AutoRun\command - Autorun.exe /run
\Shell\Shell00\Command - Autorun.exe /run
\Shell\Shell01\Command - Autorun.exe /action
\Shell\Shell02\Command - Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c461a-41b3-11db-8c35-000000000000}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{753c728e-648c-11db-8c3c-0011116b783d}]
\Shell\Auto\command - J:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b2c938a-c0fa-11db-8c50-0011116b783d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95b14375-2628-11db-8c25-0011116b783d}]
\Shell\AutoRun\command - M:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2007-11-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1d965cf2-01ee-40df-999e-6b5166d08e0d} - C:\WINDOWS\system32\xdptml.dll
BHO-{A4443DF1-7AA1-4DB5-9751-40C11BFC8A82} - C:\WINDOWS\system32\iiffDstU.dll
Notify-geBstsrq - geBstsrq.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qpoizezo.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://espn.go.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 17:05:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\QTFont.qfn 54156 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\SoftwareDistribution\Download\1ef77232e6f7faea77bfc1ae4b57d4af\update\update.exe
.
**************************************************************************
.
Completion time: 2008-08-01 17:08:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 22:08:38

Pre-Run: 112,694,280,192 bytes free
Post-Run: 112,682,762,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

191 --- E O F --- 2007-10-13 10:03:37

#7 sms7204
  • Topic Starter

  • Members
  • 10 posts

Posted 01 August 2008 - 05:29 PM

And here is the latest HJT log via DSS:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-08-01 17:42:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-01 17:43:44
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = espn.go.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SybaseCentral43] "C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{72C1B883-BC67-485D-AB81-C6D6EB6B479F}: NameServer = 172.16.6.30
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{9CCDF2B8-5BD0-4921-8FD4-00D805E91A86}: NameServer = 172.16.6.30
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


--
End of file - 5150 bytes

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 17:08:30 0 d-------- C:\WINDOWS\LastGood
2008-08-01 17:01:39 0 d-------- C:\cmdcons
2008-08-01 16:58:52 68096 --a------ C:\WINDOWS\zip.exe
2008-08-01 16:58:52 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-01 16:58:52 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-01 16:58:52 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-01 16:58:52 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-01 16:58:52 98816 --a------ C:\WINDOWS\sed.exe
2008-08-01 16:58:52 80412 --a------ C:\WINDOWS\grep.exe
2008-08-01 16:58:52 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-01 16:25:46 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-31 15:17:45 15 --a------ C:\WINDOWS\system32\6850397f
2008-07-31 15:03:00 0 d-------- C:\Program Files\Avira
2008-07-31 15:03:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-31 14:41:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-31 12:32:02 6464 --a------ C:\WINDOWS\system32\vpmjhguo.dll
2008-07-31 12:29:02 6458 --a------ C:\WINDOWS\system32\qocscwth.dll
2008-07-30 12:35:02 6464 --a------ C:\WINDOWS\system32\mnbygmdl.dll
2008-07-30 12:29:02 6458 --a------ C:\WINDOWS\system32\lokucrdy.dll
2008-07-29 14:48:47 0 d-------- C:\Program Files\Enigma Software Group
2008-07-29 14:08:48 6464 --a------ C:\WINDOWS\system32\egntiikj.dll
2008-07-29 12:26:12 6458 --a------ C:\WINDOWS\system32\stxeblfa.dll
2008-07-25 13:04:20 6458 --a------ C:\WINDOWS\system32\rdhheamx.dll
2008-07-23 20:56:48 6458 --a------ C:\WINDOWS\system32\nojlgdey.dll
2008-07-23 09:05:18 6464 --a------ C:\WINDOWS\system32\nmwlpqry.dll
2008-07-22 20:56:41 6458 --a------ C:\WINDOWS\system32\ykpoovdj.dll
2008-07-21 21:02:52 6464 --a------ C:\WINDOWS\system32\ayeaivxp.dll
2008-07-21 20:56:52 6458 --a------ C:\WINDOWS\system32\retofbqa.dll
2008-07-21 20:03:33 6464 --a------ C:\WINDOWS\system32\rysuvfdh.dll


-- Find3M Report ---------------------------------------------------------------

2008-08-01 17:02:37 0 d-------- C:\Program Files\Common Files
2008-05-18 00:33:40 7031 --a------ C:\WINDOWS\system32\iifcAqRK.dll
2008-05-17 23:33:40 7031 --a------ C:\WINDOWS\system32\vtUnlkJB.dll
2008-05-17 22:33:39 7031 --a------ C:\WINDOWS\system32\efcAPhgH.dll
2008-05-17 21:33:37 7031 --a------ C:\WINDOWS\system32\iifgHATj.dll
2008-05-17 20:33:37 7031 --a------ C:\WINDOWS\system32\yayaATmJ.dll
2008-05-17 19:33:35 7031 --a------ C:\WINDOWS\system32\khfFYSJC.dll
2008-05-17 18:33:34 7031 --a------ C:\WINDOWS\system32\pmnnNeDT.dll
2008-05-17 17:33:34 7031 --a------ C:\WINDOWS\system32\hgGwVLeB.dll
2008-05-17 16:33:33 7031 --a------ C:\WINDOWS\system32\qoMdCSjH.dll
2008-05-17 15:33:32 7031 --a------ C:\WINDOWS\system32\ljJBuroM.dll
2008-05-17 14:33:31 7031 --a------ C:\WINDOWS\system32\ddcBSJbc.dll
2008-05-17 13:33:40 7031 --a------ C:\WINDOWS\system32\ljJBrRkl.dll
2008-05-17 12:33:29 7031 --a------ C:\WINDOWS\system32\iifeffDs.dll
2008-05-17 11:33:31 7031 --a------ C:\WINDOWS\system32\pmnoMcYR.dll
2008-05-17 10:33:27 7031 --a------ C:\WINDOWS\system32\hgGvspME.dll
2008-05-17 09:33:25 7031 --a------ C:\WINDOWS\system32\qoMeFxvW.dll
2008-05-17 08:33:28 7031 --a------ C:\WINDOWS\system32\awtuvWoO.dll
2008-05-17 07:33:23 7031 --a------ C:\WINDOWS\system32\hgGyaxya.dll
2008-05-17 06:33:23 7031 --a------ C:\WINDOWS\system32\tuvTllkk.dll
2008-05-17 05:33:22 7031 --a------ C:\WINDOWS\system32\ddcAtTLf.dll
2008-05-17 04:33:20 7031 --a------ C:\WINDOWS\system32\yaywuuTn.dll
2008-05-17 03:33:20 7031 --a------ C:\WINDOWS\system32\opnnmLFv.dll
2008-05-17 02:33:18 7031 --a------ C:\WINDOWS\system32\byXNgeCv.dll
2008-05-17 01:33:19 7031 --a------ C:\WINDOWS\system32\hgGxWppM.dll
2008-05-17 00:33:17 7031 --a------ C:\WINDOWS\system32\cbXNDVOg.dll
2008-05-16 23:33:15 7031 --a------ C:\WINDOWS\system32\yayxywTj.dll
2008-05-16 22:33:15 7031 --a------ C:\WINDOWS\system32\ljJBqqPH.dll
2008-05-16 21:33:14 7031 --a------ C:\WINDOWS\system32\hgGyaYpm.dll
2008-05-16 20:33:12 7031 --a------ C:\WINDOWS\system32\hgGyxUMD.dll
2008-05-16 19:33:12 7031 --a------ C:\WINDOWS\system32\tuvTklKa.dll
2008-05-16 18:33:11 7031 --a------ C:\WINDOWS\system32\ddcBUnkk.dll
2008-05-16 17:33:09 7034 --a------ C:\WINDOWS\system32\efcCtrQI.dll
2008-05-16 16:33:09 7034 --a------ C:\WINDOWS\system32\efcARljJ.dll
2008-05-16 15:33:08 7034 --a------ C:\WINDOWS\system32\yayvWQGx.dll
2008-05-16 14:33:07 7031 --a------ C:\WINDOWS\system32\rqRHwTLb.dll
2008-05-16 13:33:08 7031 --a------ C:\WINDOWS\system32\urqQgdbc.dll
2008-05-16 12:33:05 7031 --a------ C:\WINDOWS\system32\ljJBrQig.dll
2008-05-16 11:33:27 7031 --a------ C:\WINDOWS\system32\fccaXOEU.dll
2008-05-16 10:33:02 7031 --a------ C:\WINDOWS\system32\khfCuSjk.dll
2008-05-16 09:33:22 7031 --a------ C:\WINDOWS\system32\tuvUMffG.dll
2008-05-16 08:33:01 7031 --a------ C:\WINDOWS\system32\vtUklkKa.dll
2008-05-16 07:33:00 7031 --a------ C:\WINDOWS\system32\hgGxXppo.dll
2008-05-16 06:32:58 7031 --a------ C:\WINDOWS\system32\awtsPiig.dll
2008-05-16 05:32:58 7031 --a------ C:\WINDOWS\system32\mlJdBSih.dll
2008-05-16 04:32:57 7031 --a------ C:\WINDOWS\system32\qoMcabxX.dll
2008-05-16 03:32:55 7045 --a------ C:\WINDOWS\system32\fccdbCSK.dll
2008-05-16 02:32:55 7045 --a------ C:\WINDOWS\system32\ddcddbcy.dll
2008-05-16 01:32:54 7045 --a------ C:\WINDOWS\system32\geBuSKEV.dll
2008-05-16 00:32:52 7045 --a------ C:\WINDOWS\system32\xxyxXRjg.dll
2008-05-15 23:32:52 7045 --a------ C:\WINDOWS\system32\khfEUkKe.dll
2008-05-15 22:32:51 7045 --a------ C:\WINDOWS\system32\tuvuRIcD.dll
2008-05-15 21:32:49 7045 --a------ C:\WINDOWS\system32\iifcBuTn.dll
2008-05-15 20:32:49 7045 --a------ C:\WINDOWS\system32\opnOIxVm.dll
2008-05-15 19:32:48 7045 --a------ C:\WINDOWS\system32\khfcyVPF.dll
2008-05-15 18:32:47 7045 --a------ C:\WINDOWS\system32\rqRHYPHX.dll
2008-05-15 17:32:46 7045 --a------ C:\WINDOWS\system32\qoMdAQgE.dll
2008-05-15 16:32:44 7045 --a------ C:\WINDOWS\system32\khfDuUOF.dll
2008-05-15 14:32:45 7045 --a------ C:\WINDOWS\system32\cbXQJBRi.dll
2008-05-15 13:32:48 7034 --a------ C:\WINDOWS\system32\urqNEuRi.dll
2008-05-15 12:32:41 7034 --a------ C:\WINDOWS\system32\yayWoPjk.dll
2008-05-15 11:32:57 7034 --a------ C:\WINDOWS\system32\awtuvUMc.dll
2008-05-15 10:32:49 7034 --a------ C:\WINDOWS\system32\rqRIyvUo.dll
2008-05-15 09:32:57 7034 --a------ C:\WINDOWS\system32\urqQkHXQ.dll
2008-05-15 08:32:37 7034 --a------ C:\WINDOWS\system32\jkkKcDTm.dll
2008-05-15 07:32:35 7034 --a------ C:\WINDOWS\system32\ssqOFVOI.dll
2008-05-15 06:32:35 7034 --a------ C:\WINDOWS\system32\yayvTjhH.dll
2008-05-15 05:32:34 7034 --a------ C:\WINDOWS\system32\awtqRJcB.dll
2008-05-15 04:32:32 7034 --a------ C:\WINDOWS\system32\efcDVOfg.dll
2008-05-15 03:32:32 7034 --a------ C:\WINDOWS\system32\ljJYpPjG.dll
2008-05-15 02:32:31 7031 --a------ C:\WINDOWS\system32\nnnmnnmn.dll
2008-05-15 01:32:30 7031 --a------ C:\WINDOWS\system32\iiffETjj.dll
2008-05-15 00:32:28 7031 --a------ C:\WINDOWS\system32\ljJYSjhi.dll
2008-05-14 23:32:28 7031 --a------ C:\WINDOWS\system32\tuvSifdD.dll
2008-05-14 22:32:27 7031 --a------ C:\WINDOWS\system32\xxyaabxV.dll
2008-05-14 21:32:25 7045 --a------ C:\WINDOWS\system32\geBroMCT.dll
2008-05-14 20:32:25 7045 --a------ C:\WINDOWS\system32\pmnNfGAp.dll
2008-05-14 19:32:24 7045 --a------ C:\WINDOWS\system32\awttuurQ.dll
2008-05-14 18:32:22 7045 --a------ C:\WINDOWS\system32\iifecaba.dll
2008-05-14 17:32:21 7045 --a------ C:\WINDOWS\system32\vtUlkJDW.dll
2008-05-14 16:32:21 7045 --a------ C:\WINDOWS\system32\khfFVOfG.dll
2008-05-14 15:32:20 7045 --a------ C:\WINDOWS\system32\wvUkKExv.dll
2008-05-14 14:32:19 7045 --a------ C:\WINDOWS\system32\awtqnkhe.dll
2008-05-14 13:32:20 7034 --a------ C:\WINDOWS\system32\efcaawxv.dll
2008-05-14 12:32:47 7034 --a------ C:\WINDOWS\system32\nnnnOFUK.dll
2008-05-14 11:32:35 7034 --a------ C:\WINDOWS\system32\awtrrOfG.dll
2008-05-14 09:32:26 7034 --a------ C:\WINDOWS\system32\ssqRHXOh.dll
2008-05-14 08:32:14 7034 --a------ C:\WINDOWS\system32\ljJCvWqr.dll
2008-05-14 06:32:10 7034 --a------ C:\WINDOWS\system32\byXNFyvU.dll
2008-05-14 04:32:09 7034 --a------ C:\WINDOWS\system32\geBTnLbX.dll
2008-05-14 03:32:07 7031 --a------ C:\WINDOWS\system32\ljJCtrop.dll
2008-05-14 01:32:06 7031 --a------ C:\WINDOWS\system32\rqRJBUlJ.dll
2008-05-14 00:32:05 7031 --a------ C:\WINDOWS\system32\pmnkkhiF.dll
2008-05-13 23:32:04 7031 --a------ C:\WINDOWS\system32\cbXOHAtu.dll
2008-05-13 21:32:02 7031 --a------ C:\WINDOWS\system32\xxyvUKBR.dll
2008-05-13 20:32:00 7031 --a------ C:\WINDOWS\system32\ljJYPfgh.dll
2008-05-13 19:32:00 7031 --a------ C:\WINDOWS\system32\cbXNHXQJ.dll
2008-05-13 18:32:01 7031 --a------ C:\WINDOWS\system32\wvUnOGwW.dll
2008-05-13 17:31:59 7031 --a------ C:\WINDOWS\system32\opnolICS.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [08/15/2007 08:15 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SybaseCentral43"="C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [10/13/2004 02:50 PM]
"DBISQL9"="C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [10/19/2004 05:45 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Gadwin PrintScreen 3.1"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [09/26/2005 07:18 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GA311 Smart Wizard Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk
backup=C:\WINDOWS\pss\GA311 Smart Wizard Utility.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
"C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SharedAccess"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtLmSsp"=3 (0x3)
"MSIServer"=3 (0x3)
"iPod Service"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6058e9ba-5196-11dc-8c65-0011116b783d}]
AutoRun\command- Autorun.exe /run
Shell00\Command- Autorun.exe /run
Shell01\Command- Autorun.exe /action
Shell02\Command- Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c461a-41b3-11db-8c35-000000000000}]
AutoRun\command- J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{753c728e-648c-11db-8c3c-0011116b783d}]
Auto\command- J:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b2c938a-c0fa-11db-8c50-0011116b783d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95b14375-2628-11db-8c25-0011116b783d}]
AutoRun\command- M:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-08-01 17:44:06 ------------

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:25 PM

Posted 01 August 2008 - 05:33 PM

Hi,

I have a question first...

I see you have disabled the following services via msconfig:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SharedAccess"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtLmSsp"=3 (0x3)
"MSIServer"=3 (0x3)
"iPod Service"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

Is there any reason why you disabled them? Do you know what these services are? Some services are required to run, though, especially if you want to update your Windows and install some programs, etc.

Anyway, * Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\vpmjhguo.dll
C:\WINDOWS\system32\qocscwth.dll
C:\WINDOWS\system32\mnbygmdl.dll
C:\WINDOWS\system32\lokucrdy.dll
C:\WINDOWS\system32\egntiikj.dll
C:\WINDOWS\system32\stxeblfa.dll
C:\WINDOWS\system32\rdhheamx.dll
C:\WINDOWS\system32\nojlgdey.dll
C:\WINDOWS\system32\nmwlpqry.dll
C:\WINDOWS\system32\ykpoovdj.dll
C:\WINDOWS\system32\ayeaivxp.dll
C:\WINDOWS\system32\retofbqa.dll
C:\WINDOWS\system32\rysuvfdh.dll
C:\WINDOWS\system32\iifcAqRK.dll
C:\WINDOWS\system32\vtUnlkJB.dll
C:\WINDOWS\system32\efcAPhgH.dll
C:\WINDOWS\system32\iifgHATj.dll
C:\WINDOWS\system32\yayaATmJ.dll
C:\WINDOWS\system32\khfFYSJC.dll
C:\WINDOWS\system32\pmnnNeDT.dll
C:\WINDOWS\system32\hgGwVLeB.dll
C:\WINDOWS\system32\qoMdCSjH.dll
C:\WINDOWS\system32\ljJBuroM.dll
C:\WINDOWS\system32\ddcBSJbc.dll
C:\WINDOWS\system32\ljJBrRkl.dll
C:\WINDOWS\system32\iifeffDs.dll
C:\WINDOWS\system32\pmnoMcYR.dll
C:\WINDOWS\system32\hgGvspME.dll
C:\WINDOWS\system32\qoMeFxvW.dll
C:\WINDOWS\system32\awtuvWoO.dll
C:\WINDOWS\system32\hgGyaxya.dll
C:\WINDOWS\system32\tuvTllkk.dll
C:\WINDOWS\system32\ddcAtTLf.dll
C:\WINDOWS\system32\yaywuuTn.dll
C:\WINDOWS\system32\opnnmLFv.dll
C:\WINDOWS\system32\byXNgeCv.dll
C:\WINDOWS\system32\hgGxWppM.dll
C:\WINDOWS\system32\cbXNDVOg.dll
C:\WINDOWS\system32\yayxywTj.dll
C:\WINDOWS\system32\ljJBqqPH.dll
C:\WINDOWS\system32\hgGyaYpm.dll
C:\WINDOWS\system32\hgGyxUMD.dll
C:\WINDOWS\system32\tuvTklKa.dll
C:\WINDOWS\system32\ddcBUnkk.dll
C:\WINDOWS\system32\efcCtrQI.dll
C:\WINDOWS\system32\efcARljJ.dll
C:\WINDOWS\system32\yayvWQGx.dll
C:\WINDOWS\system32\rqRHwTLb.dll
C:\WINDOWS\system32\urqQgdbc.dll
C:\WINDOWS\system32\ljJBrQig.dll
C:\WINDOWS\system32\fccaXOEU.dll
C:\WINDOWS\system32\khfCuSjk.dll
C:\WINDOWS\system32\tuvUMffG.dll
C:\WINDOWS\system32\vtUklkKa.dll
C:\WINDOWS\system32\hgGxXppo.dll
C:\WINDOWS\system32\awtsPiig.dll
C:\WINDOWS\system32\mlJdBSih.dll
C:\WINDOWS\system32\qoMcabxX.dll
C:\WINDOWS\system32\fccdbCSK.dll
C:\WINDOWS\system32\ddcddbcy.dll
C:\WINDOWS\system32\geBuSKEV.dll
C:\WINDOWS\system32\xxyxXRjg.dll
C:\WINDOWS\system32\khfEUkKe.dll
C:\WINDOWS\system32\tuvuRIcD.dll
C:\WINDOWS\system32\iifcBuTn.dll
C:\WINDOWS\system32\opnOIxVm.dll
C:\WINDOWS\system32\khfcyVPF.dll
C:\WINDOWS\system32\rqRHYPHX.dll
C:\WINDOWS\system32\qoMdAQgE.dll
C:\WINDOWS\system32\khfDuUOF.dll
C:\WINDOWS\system32\cbXQJBRi.dll
C:\WINDOWS\system32\urqNEuRi.dll
C:\WINDOWS\system32\yayWoPjk.dll
C:\WINDOWS\system32\awtuvUMc.dll
C:\WINDOWS\system32\rqRIyvUo.dll
C:\WINDOWS\system32\urqQkHXQ.dll
C:\WINDOWS\system32\jkkKcDTm.dll
C:\WINDOWS\system32\ssqOFVOI.dll
C:\WINDOWS\system32\yayvTjhH.dll
C:\WINDOWS\system32\awtqRJcB.dll
C:\WINDOWS\system32\efcDVOfg.dll
C:\WINDOWS\system32\ljJYpPjG.dll
C:\WINDOWS\system32\nnnmnnmn.dll
C:\WINDOWS\system32\iiffETjj.dll
C:\WINDOWS\system32\ljJYSjhi.dll
C:\WINDOWS\system32\tuvSifdD.dll
C:\WINDOWS\system32\xxyaabxV.dll
C:\WINDOWS\system32\geBroMCT.dll
C:\WINDOWS\system32\pmnNfGAp.dll
C:\WINDOWS\system32\awttuurQ.dll
C:\WINDOWS\system32\iifecaba.dll
C:\WINDOWS\system32\vtUlkJDW.dll
C:\WINDOWS\system32\khfFVOfG.dll
C:\WINDOWS\system32\wvUkKExv.dll
C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\efcaawxv.dll
C:\WINDOWS\system32\nnnnOFUK.dll
C:\WINDOWS\system32\awtrrOfG.dll
C:\WINDOWS\system32\ssqRHXOh.dll
C:\WINDOWS\system32\ljJCvWqr.dll
C:\WINDOWS\system32\byXNFyvU.dll
C:\WINDOWS\system32\geBTnLbX.dll
C:\WINDOWS\system32\ljJCtrop.dll
C:\WINDOWS\system32\rqRJBUlJ.dll
C:\WINDOWS\system32\pmnkkhiF.dll
C:\WINDOWS\system32\cbXOHAtu.dll
C:\WINDOWS\system32\xxyvUKBR.dll
C:\WINDOWS\system32\ljJYPfgh.dll
C:\WINDOWS\system32\cbXNHXQJ.dll
C:\WINDOWS\system32\wvUnOGwW.dll
C:\WINDOWS\system32\opnolICS.dll
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6058e9ba-5196-11dc-8c65-0011116b783d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{753c728e-648c-11db-8c3c-0011116b783d}]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Edited by miekiemoes, 01 August 2008 - 05:39 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:25 PM

Posted 01 August 2008 - 05:40 PM

I've edited the above CFScript, since you posted the Deckard's System Scanner log afterwards. That log shows more malicious files, and that's because your system has already been infected for more than 3 months. ComboFix only lists less than 3 months.
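The pattern the helper is pointing at in the DSS file listing (many DLLs of the same few sizes, eight-letter mixed-case names directly under system32, one new file roughly every hour) can be checked programmatically. The script below is an added example for this thread; it is not code from either tool or from any poster. It parses DSS-style file-listing lines and reports groups of same-size, random-named system32 DLLs whose creation times fall at near one-hour intervals. The sample input copies lines from the log posted earlier in this thread plus one constructed benign control entry; the function names, the cluster minimum and the 60-second tolerance are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: DSS file-listing lines copied from the log posted
# earlier in this thread, plus one constructed benign control entry (last line).
SAMPLE_LOG = r"""
2008-05-14 19:32:24 7045 --a------ C:\WINDOWS\system32\awttuurQ.dll
2008-05-14 18:32:22 7045 --a------ C:\WINDOWS\system32\iifecaba.dll
2008-05-14 17:32:21 7045 --a------ C:\WINDOWS\system32\vtUlkJDW.dll
2008-05-14 16:32:21 7045 --a------ C:\WINDOWS\system32\khfFVOfG.dll
2008-05-14 13:32:20 7034 --a------ C:\WINDOWS\system32\efcaawxv.dll
2008-05-14 12:32:47 7034 --a------ C:\WINDOWS\system32\nnnnOFUK.dll
2008-05-14 11:32:35 7034 --a------ C:\WINDOWS\system32\awtrrOfG.dll
2008-05-14 09:32:26 7034 --a------ C:\WINDOWS\system32\ssqRHXOh.dll
2008-05-14 03:32:07 7031 --a------ C:\WINDOWS\system32\ljJCtrop.dll
2008-05-14 01:32:06 7031 --a------ C:\WINDOWS\system32\rqRJBUlJ.dll
2008-05-14 00:32:05 7031 --a------ C:\WINDOWS\system32\pmnkkhiF.dll
2008-06-20 17:41:00 245248 --a------ C:\WINDOWS\system32\mswsock.dll
"""

# date, time, size, attribute flags, path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")
# Exactly eight letters in any case, as in the names listed above.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


def parse_listing(text):
    """Return a list of (timestamp, size, path) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
        entries.append((ts, int(m.group(3)), m.group(5)))
    return entries


def looks_random_system32_dll(path):
    """True for an eight-letter .dll sitting directly in a system32 folder."""
    folder, _, name = path.rpartition("\\")
    return folder.lower().endswith("\\system32") and bool(RANDOM_NAME_RE.match(name))


def near_hourly(timestamps, tolerance=60):
    """True when every gap between consecutive timestamps is a whole number of
    hours (at least one), give or take `tolerance` seconds."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return False
    for earlier, later in zip(ts, ts[1:]):
        gap = (later - earlier).total_seconds()
        remainder = gap % 3600
        off_by = min(remainder, 3600 - remainder)
        if gap < 3600 - tolerance or off_by > tolerance:
            return False
    return True


def find_dropper_clusters(text, min_cluster=3, tolerance=60):
    """Group random-named system32 DLLs by size and keep the groups that were
    created on an hourly cadence. Returns {size: [paths sorted by time]}."""
    by_size = defaultdict(list)
    for ts, size, path in parse_listing(text):
        if looks_random_system32_dll(path):
            by_size[size].append((ts, path))
    clusters = {}
    for size, items in by_size.items():
        if len(items) >= min_cluster and near_hourly([t for t, _ in items], tolerance):
            clusters[size] = [p for _, p in sorted(items)]
    return clusters


if __name__ == "__main__":
    for size, paths in sorted(find_dropper_clusters(SAMPLE_LOG).items()):
        print(f"{size} bytes: {len(paths)} files created at ~1 hour intervals")
        for p in paths:
            print("   ", p)
```

Run against the full DSS listing from the thread, the three sizes (7045, 7034, 7031) each form one cluster while ordinary system files such as mswsock.dll are ignored by the name test alone; a practitioner would treat a hit as a reason to look harder at the files, not as a verdict, since the regular cadence is what separates a dropper's output from a batch of legitimate installs.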

#10 sms7204

sms7204
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:25 AM

Posted 04 August 2008 - 01:02 PM

Here is the resulting log from the CFScript put into ComboFix. I will add a new HJT log shortly.

ComboFix 08-07-31.06 - Owner 2008-08-04 7:20:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.602 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\awtqRJcB.dll
C:\WINDOWS\system32\awtrrOfG.dll
C:\WINDOWS\system32\awtsPiig.dll
C:\WINDOWS\system32\awttuurQ.dll
C:\WINDOWS\system32\awtuvUMc.dll
C:\WINDOWS\system32\awtuvWoO.dll
C:\WINDOWS\system32\ayeaivxp.dll
C:\WINDOWS\system32\byXNFyvU.dll
C:\WINDOWS\system32\byXNgeCv.dll
C:\WINDOWS\system32\cbXNDVOg.dll
C:\WINDOWS\system32\cbXNHXQJ.dll
C:\WINDOWS\system32\cbXOHAtu.dll
C:\WINDOWS\system32\cbXQJBRi.dll
C:\WINDOWS\system32\ddcAtTLf.dll
C:\WINDOWS\system32\ddcBSJbc.dll
C:\WINDOWS\system32\ddcBUnkk.dll
C:\WINDOWS\system32\ddcddbcy.dll
C:\WINDOWS\system32\efcaawxv.dll
C:\WINDOWS\system32\efcAPhgH.dll
C:\WINDOWS\system32\efcARljJ.dll
C:\WINDOWS\system32\efcCtrQI.dll
C:\WINDOWS\system32\efcDVOfg.dll
C:\WINDOWS\system32\egntiikj.dll
C:\WINDOWS\system32\fccaXOEU.dll
C:\WINDOWS\system32\fccdbCSK.dll
C:\WINDOWS\system32\geBroMCT.dll
C:\WINDOWS\system32\geBTnLbX.dll
C:\WINDOWS\system32\geBuSKEV.dll
C:\WINDOWS\system32\hgGvspME.dll
C:\WINDOWS\system32\hgGwVLeB.dll
C:\WINDOWS\system32\hgGxWppM.dll
C:\WINDOWS\system32\hgGxXppo.dll
C:\WINDOWS\system32\hgGyaxya.dll
C:\WINDOWS\system32\hgGyaYpm.dll
C:\WINDOWS\system32\hgGyxUMD.dll
C:\WINDOWS\system32\iifcAqRK.dll
C:\WINDOWS\system32\iifcBuTn.dll
C:\WINDOWS\system32\iifecaba.dll
C:\WINDOWS\system32\iifeffDs.dll
C:\WINDOWS\system32\iiffETjj.dll
C:\WINDOWS\system32\iifgHATj.dll
C:\WINDOWS\system32\jkkKcDTm.dll
C:\WINDOWS\system32\khfCuSjk.dll
C:\WINDOWS\system32\khfcyVPF.dll
C:\WINDOWS\system32\khfDuUOF.dll
C:\WINDOWS\system32\khfEUkKe.dll
C:\WINDOWS\system32\khfFVOfG.dll
C:\WINDOWS\system32\khfFYSJC.dll
C:\WINDOWS\system32\ljJBqqPH.dll
C:\WINDOWS\system32\ljJBrQig.dll
C:\WINDOWS\system32\ljJBrRkl.dll
C:\WINDOWS\system32\ljJBuroM.dll
C:\WINDOWS\system32\ljJCtrop.dll
C:\WINDOWS\system32\ljJCvWqr.dll
C:\WINDOWS\system32\ljJYPfgh.dll
C:\WINDOWS\system32\ljJYpPjG.dll
C:\WINDOWS\system32\ljJYSjhi.dll
C:\WINDOWS\system32\lokucrdy.dll
C:\WINDOWS\system32\mlJdBSih.dll
C:\WINDOWS\system32\mnbygmdl.dll
C:\WINDOWS\system32\nmwlpqry.dll
C:\WINDOWS\system32\nnnmnnmn.dll
C:\WINDOWS\system32\nnnnOFUK.dll
C:\WINDOWS\system32\nojlgdey.dll
C:\WINDOWS\system32\opnnmLFv.dll
C:\WINDOWS\system32\opnOIxVm.dll
C:\WINDOWS\system32\opnolICS.dll
C:\WINDOWS\system32\pmnkkhiF.dll
C:\WINDOWS\system32\pmnNfGAp.dll
C:\WINDOWS\system32\pmnnNeDT.dll
C:\WINDOWS\system32\pmnoMcYR.dll
C:\WINDOWS\system32\qocscwth.dll
C:\WINDOWS\system32\qoMcabxX.dll
C:\WINDOWS\system32\qoMdAQgE.dll
C:\WINDOWS\system32\qoMdCSjH.dll
C:\WINDOWS\system32\qoMeFxvW.dll
C:\WINDOWS\system32\rdhheamx.dll
C:\WINDOWS\system32\retofbqa.dll
C:\WINDOWS\system32\rqRHwTLb.dll
C:\WINDOWS\system32\rqRHYPHX.dll
C:\WINDOWS\system32\rqRIyvUo.dll
C:\WINDOWS\system32\rqRJBUlJ.dll
C:\WINDOWS\system32\rysuvfdh.dll
C:\WINDOWS\system32\ssqOFVOI.dll
C:\WINDOWS\system32\ssqRHXOh.dll
C:\WINDOWS\system32\stxeblfa.dll
C:\WINDOWS\system32\tuvSifdD.dll
C:\WINDOWS\system32\tuvTklKa.dll
C:\WINDOWS\system32\tuvTllkk.dll
C:\WINDOWS\system32\tuvUMffG.dll
C:\WINDOWS\system32\tuvuRIcD.dll
C:\WINDOWS\system32\urqNEuRi.dll
C:\WINDOWS\system32\urqQgdbc.dll
C:\WINDOWS\system32\urqQkHXQ.dll
C:\WINDOWS\system32\vpmjhguo.dll
C:\WINDOWS\system32\vtUklkKa.dll
C:\WINDOWS\system32\vtUlkJDW.dll
C:\WINDOWS\system32\vtUnlkJB.dll
C:\WINDOWS\system32\wvUkKExv.dll
C:\WINDOWS\system32\wvUnOGwW.dll
C:\WINDOWS\system32\xxyaabxV.dll
C:\WINDOWS\system32\xxyvUKBR.dll
C:\WINDOWS\system32\xxyxXRjg.dll
C:\WINDOWS\system32\yayaATmJ.dll
C:\WINDOWS\system32\yayvTjhH.dll
C:\WINDOWS\system32\yayvWQGx.dll
C:\WINDOWS\system32\yayWoPjk.dll
C:\WINDOWS\system32\yaywuuTn.dll
C:\WINDOWS\system32\yayxywTj.dll
C:\WINDOWS\system32\ykpoovdj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\awtqRJcB.dll
C:\WINDOWS\system32\awtrrOfG.dll
C:\WINDOWS\system32\awtsPiig.dll
C:\WINDOWS\system32\awttuurQ.dll
C:\WINDOWS\system32\awtuvUMc.dll
C:\WINDOWS\system32\awtuvWoO.dll
C:\WINDOWS\system32\ayeaivxp.dll
C:\WINDOWS\system32\byXNFyvU.dll
C:\WINDOWS\system32\byXNgeCv.dll
C:\WINDOWS\system32\cbXNDVOg.dll
C:\WINDOWS\system32\cbXNHXQJ.dll
C:\WINDOWS\system32\cbXOHAtu.dll
C:\WINDOWS\system32\cbXQJBRi.dll
C:\WINDOWS\system32\ddcAtTLf.dll
C:\WINDOWS\system32\ddcBSJbc.dll
C:\WINDOWS\system32\ddcBUnkk.dll
C:\WINDOWS\system32\ddcddbcy.dll
C:\WINDOWS\system32\efcaawxv.dll
C:\WINDOWS\system32\efcAPhgH.dll
C:\WINDOWS\system32\efcARljJ.dll
C:\WINDOWS\system32\efcCtrQI.dll
C:\WINDOWS\system32\efcDVOfg.dll
C:\WINDOWS\system32\egntiikj.dll
C:\WINDOWS\system32\fccaXOEU.dll
C:\WINDOWS\system32\fccdbCSK.dll
C:\WINDOWS\system32\geBroMCT.dll
C:\WINDOWS\system32\geBTnLbX.dll
C:\WINDOWS\system32\geBuSKEV.dll
C:\WINDOWS\system32\hgGvspME.dll
C:\WINDOWS\system32\hgGwVLeB.dll
C:\WINDOWS\system32\hgGxWppM.dll
C:\WINDOWS\system32\hgGxXppo.dll
C:\WINDOWS\system32\hgGyaxya.dll
C:\WINDOWS\system32\hgGyaYpm.dll
C:\WINDOWS\system32\hgGyxUMD.dll
C:\WINDOWS\system32\iifcAqRK.dll
C:\WINDOWS\system32\iifcBuTn.dll
C:\WINDOWS\system32\iifecaba.dll
C:\WINDOWS\system32\iifeffDs.dll
C:\WINDOWS\system32\iiffETjj.dll
C:\WINDOWS\system32\iifgHATj.dll
C:\WINDOWS\system32\jkkKcDTm.dll
C:\WINDOWS\system32\khfCuSjk.dll
C:\WINDOWS\system32\khfcyVPF.dll
C:\WINDOWS\system32\khfDuUOF.dll
C:\WINDOWS\system32\khfEUkKe.dll
C:\WINDOWS\system32\khfFVOfG.dll
C:\WINDOWS\system32\khfFYSJC.dll
C:\WINDOWS\system32\ljJBqqPH.dll
C:\WINDOWS\system32\ljJBrQig.dll
C:\WINDOWS\system32\ljJBrRkl.dll
C:\WINDOWS\system32\ljJBuroM.dll
C:\WINDOWS\system32\ljJCtrop.dll
C:\WINDOWS\system32\ljJCvWqr.dll
C:\WINDOWS\system32\ljJYPfgh.dll
C:\WINDOWS\system32\ljJYpPjG.dll
C:\WINDOWS\system32\ljJYSjhi.dll
C:\WINDOWS\system32\lokucrdy.dll
C:\WINDOWS\system32\mlJdBSih.dll
C:\WINDOWS\system32\mnbygmdl.dll
C:\WINDOWS\system32\nmwlpqry.dll
C:\WINDOWS\system32\nnnmnnmn.dll
C:\WINDOWS\system32\nnnnOFUK.dll
C:\WINDOWS\system32\nojlgdey.dll
C:\WINDOWS\system32\opnnmLFv.dll
C:\WINDOWS\system32\opnOIxVm.dll
C:\WINDOWS\system32\opnolICS.dll
C:\WINDOWS\system32\pmnkkhiF.dll
C:\WINDOWS\system32\pmnNfGAp.dll
C:\WINDOWS\system32\pmnnNeDT.dll
C:\WINDOWS\system32\pmnoMcYR.dll
C:\WINDOWS\system32\qocscwth.dll
C:\WINDOWS\system32\qoMcabxX.dll
C:\WINDOWS\system32\qoMdAQgE.dll
C:\WINDOWS\system32\qoMdCSjH.dll
C:\WINDOWS\system32\qoMeFxvW.dll
C:\WINDOWS\system32\rdhheamx.dll
C:\WINDOWS\system32\retofbqa.dll
C:\WINDOWS\system32\rqRHwTLb.dll
C:\WINDOWS\system32\rqRHYPHX.dll
C:\WINDOWS\system32\rqRIyvUo.dll
C:\WINDOWS\system32\rqRJBUlJ.dll
C:\WINDOWS\system32\rysuvfdh.dll
C:\WINDOWS\system32\ssqOFVOI.dll
C:\WINDOWS\system32\ssqRHXOh.dll
C:\WINDOWS\system32\stxeblfa.dll
C:\WINDOWS\system32\tuvSifdD.dll
C:\WINDOWS\system32\tuvTklKa.dll
C:\WINDOWS\system32\tuvTllkk.dll
C:\WINDOWS\system32\tuvUMffG.dll
C:\WINDOWS\system32\tuvuRIcD.dll
C:\WINDOWS\system32\urqNEuRi.dll
C:\WINDOWS\system32\urqQgdbc.dll
C:\WINDOWS\system32\urqQkHXQ.dll
C:\WINDOWS\system32\vpmjhguo.dll
C:\WINDOWS\system32\vtUklkKa.dll
C:\WINDOWS\system32\vtUlkJDW.dll
C:\WINDOWS\system32\vtUnlkJB.dll
C:\WINDOWS\system32\wvUkKExv.dll
C:\WINDOWS\system32\wvUnOGwW.dll
C:\WINDOWS\system32\xxyaabxV.dll
C:\WINDOWS\system32\xxyvUKBR.dll
C:\WINDOWS\system32\xxyxXRjg.dll
C:\WINDOWS\system32\yayaATmJ.dll
C:\WINDOWS\system32\yayvTjhH.dll
C:\WINDOWS\system32\yayvWQGx.dll
C:\WINDOWS\system32\yayWoPjk.dll
C:\WINDOWS\system32\yaywuuTn.dll
C:\WINDOWS\system32\yayxywTj.dll
C:\WINDOWS\system32\ykpoovdj.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-01 17:09 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-01 17:09 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-01 16:25 . 2008-08-01 16:26 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-31 15:17 . 2008-07-31 15:17 15 --a------ C:\WINDOWS\system32\6850397f
2008-07-31 15:03 . 2008-07-31 15:03 <DIR> d-------- C:\Program Files\Avira
2008-07-31 15:03 . 2008-07-31 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-29 15:57 . 2008-07-29 15:57 <DIR> d-------- C:\Deckard
2008-07-29 14:48 . 2008-07-31 14:58 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 12:08 --------- d-----w C:\Program Files\FirstClass
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-10-26 03:57 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-01_17.08.21.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
+ 2008-04-21 06:56:54 1,024,000 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\browseui.dll
+ 2008-04-21 06:56:54 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\cdfview.dll
+ 2008-04-21 06:56:55 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\danim.dll
+ 2008-04-21 06:56:55 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\dxtmsft.dll
+ 2008-04-21 06:56:55 205,312 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\dxtrans.dll
+ 2008-04-21 06:56:55 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\extmgr.dll
+ 2008-04-17 10:46:59 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\iedw.exe
+ 2008-04-21 06:56:56 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\iepeers.dll
+ 2008-04-21 06:56:56 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\inseng.dll
+ 2008-04-21 06:56:56 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\jsproxy.dll
+ 2008-04-21 06:56:57 3,066,880 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\mshtml.dll
+ 2008-04-21 06:56:57 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\mshtmled.dll
+ 2008-04-21 06:56:57 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\msrating.dll
+ 2008-04-21 06:56:58 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\mstime.dll
+ 2008-04-21 06:56:58 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\pngfilt.dll
+ 2008-04-21 06:56:58 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\shdocvw.dll
+ 2008-04-21 06:56:58 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\shlwapi.dll
+ 2008-04-21 06:56:58 618,496 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\urlmon.dll
+ 2008-04-21 06:56:59 666,624 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\wininet.dll
+ 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP2QFE\xpsp3res.dll
+ 2008-04-21 06:44:29 3,066,880 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3GDR\mshtml.dll
+ 2008-04-21 06:44:29 666,112 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3GDR\wininet.dll
+ 2008-04-21 06:24:01 3,067,392 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3QFE\mshtml.dll
+ 2008-04-21 06:24:02 666,624 ----a-w C:\WINDOWS\$hf_mig$\KB950759\SP3QFE\wininet.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB950759\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB950759\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB950759\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB950759\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB950759\update\updspapi.dll
+ 2008-05-07 04:55:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:04:15 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\updspapi.dll
+ 2006-08-16 12:08:32 100,352 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\6to4svc.dll
+ 2008-06-20 10:44:08 138,368 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
+ 2008-06-20 17:36:11 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\dnsapi.dll
+ 2008-06-20 17:36:11 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
+ 2008-06-20 10:44:42 360,960 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
+ 2008-06-20 09:32:39 225,920 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip6.sys
+ 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
+ 2008-06-20 17:46:57 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\dnsapi.dll
+ 2008-06-20 17:46:57 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
+ 2008-06-20 11:51:12 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
+ 2008-06-20 11:08:27 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip6.sys
+ 2008-06-20 11:48:03 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:05 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:05 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\updspapi.dll
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2007-08-22 13:12:15 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-08-22 13:12:15 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-04-21 07:03:56 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-08-22 13:12:16 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-04-21 07:03:57 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-06-20 10:44:38 138,368 -c----w C:\WINDOWS\system32\dllcache\afd.sys
- 2007-08-22 13:12:15 1,022,976 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-08-22 13:12:15 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-04-21 07:03:56 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-08-22 13:12:16 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-04-21 07:03:57 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-03-25 04:50:25 554,008 -c----w C:\WINDOWS\system32\dllcache\dao360.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2007-08-22 13:12:16 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-08-22 13:12:16 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-22 13:12:16 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-21 07:03:57 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-21 10:30:45 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-04-17 10:52:54 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-08-22 13:12:16 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-04-21 07:03:58 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-08-22 13:12:16 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-04-21 07:03:58 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-08-22 13:12:16 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-03-25 04:50:28 518,944 -c----w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:30 326,432 -c----w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2007-08-22 13:12:17 3,058,176 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-22 13:12:17 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-03-25 04:50:34 1,516,568 -c----w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:40 355,112 -c----w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-27 08:12:54 151,583 -c----w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-25 04:50:42 60,192 -c----w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 248,608 -c----w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:44 219,936 -c----w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:45 355,104 -c----w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2007-08-22 13:12:17 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-21 07:03:59 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-03-25 04:50:47 432,928 -c----w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:49 322,336 -c----w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:52 559,904 -c----w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:55 264,992 -c----w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2007-08-22 13:12:17 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-21 07:03:59 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-03-25 04:50:57 838,432 -c----w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-06-20 17:41:10 245,248 -c----w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2008-03-25 04:50:58 621,344 -c----w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 355,104 -c----w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2007-08-22 13:12:17 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-05-07 05:18:48 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2007-08-22 13:12:18 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-08-22 13:12:18 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2006-04-20 11:51:50 359,808 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2007-08-22 13:12:18 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-21 07:04:00 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-22 13:12:18 658,944 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-21 07:04:00 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-27 22:40:30 222,720 -c----w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
- 2007-08-22 13:12:16 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-22 13:12:16 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-22 13:12:16 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-22 13:12:16 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-04-21 07:03:58 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-08-22 13:12:16 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-08-22 13:12:16 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2004-08-04 12:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-04 12:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2007-08-22 13:12:17 3,058,176 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-22 13:12:17 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2004-08-04 12:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-08-04 12:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 12:00:00 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
+ 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
- 2004-08-04 12:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-04 12:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 12:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2007-08-22 13:12:17 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-21 07:03:59 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2004-08-04 12:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 12:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2007-08-22 13:12:17 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2004-08-04 12:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-04 12:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
- 2007-08-22 13:12:17 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-08-22 13:12:18 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-08-22 13:12:18 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2006-09-25 22:58:48 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-07-18 12:42:22 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2008-03-27 09:24:20 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2007-08-22 13:12:18 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-22 13:12:18 658,944 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-04-21 07:04:00 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
- 2006-10-19 02:47:18 222,208 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 22:40:30 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SybaseCentral43"="C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2004-10-13 14:50 102400]
"DBISQL9"="C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2004-10-19 17:45 131072]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Gadwin PrintScreen 3.1"="C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2005-09-26 19:18 1073152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GA311 Smart Wizard Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GA311 Smart Wizard Utility.lnk
backup=C:\WINDOWS\pss\GA311 Smart Wizard Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 20:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 20:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-11-01 04:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
--------- 2005-03-14 00:01 360448 C:\WINDOWS\Samsung\ComSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-12 00:18 135168 C:\Program Files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-07-03 04:49 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-07-06 03:05 2550272 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-18 03:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-18 00:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 18:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-07-01 20:58 73728 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SharedAccess"=2 (0x2)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtLmSsp"=3 (0x3)
"MSIServer"=3 (0x3)
"iPod Service"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"BITS"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\DSV_Football\\rteng6.exe"=
"C:\\DSV_Football2\\rteng6.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"C:\\Program Files\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=

R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
S3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-08-15 02:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657c461a-41b3-11db-8c35-000000000000}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b2c938a-c0fa-11db-8c50-0011116b783d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95b14375-2628-11db-8c25-0011116b783d}]
\Shell\AutoRun\command - M:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2007-11-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 07:22:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-04 7:24:10
ComboFix-quarantined-files.txt 2008-08-04 12:24:08
ComboFix2.txt 2008-08-01 22:08:44

Pre-Run: 113,412,325,376 bytes free
Post-Run: 113,398,804,480 bytes free

590 --- E O F --- 2008-08-02 10:02:12

#11 sms7204

sms7204
  • Topic Starter

  • Members
  • 10 posts

Posted 04 August 2008 - 01:04 PM

HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:10 PM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SybaseCentral43] "C:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{72C1B883-BC67-485D-AB81-C6D6EB6B479F}: NameServer = 172.16.6.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CCDF2B8-5BD0-4921-8FD4-00D805E91A86}: NameServer = 172.16.6.30
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4297 bytes
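A small triage pass over lines in the HijackThis v2.0.2 format posted above, added here as an example and not code from the thread or from Trend Micro. It flags "(no file)" orphans, Winsock LSP entries to verify, O17 NameServer values outside an allow-list, and O4 autoruns outside the usual program directories; the sample lines are copied from the log above plus one constructed O4 line, and the DNS allow-list is an assumption.

```python
import re

# Sample in HijackThis v2.0.2 line format: all lines but the last O4 are taken
# from the log posted above; that O4 line is constructed to show the rule firing.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = espn.go.com/
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\updater.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{72C1B883-BC67-485D-AB81-C6D6EB6B479F}: NameServer = 172.16.6.30
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\\Program Files\\Common Files\\InstallShield\\Driver\\11\\Intel 32\\IDriverT.exe
"""

# "R0 - ...", "O4 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.+)$")
# O4 body: [name] followed by an optionally quoted path ending in .exe.
O4_PATH_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s+"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")


def parse_hjt(text):
    """Return (section, body) tuples for every 'Xn - ...' line.

    Header lines and the 'Running processes' list do not match and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries, trusted_dns, trusted_dirs=("c:\\windows\\", "c:\\program files\\")):
    """Return (section, reason, body) for entries a reviewer would check first.

    trusted_dns is the assumed allow-list of resolver IPs for this network;
    trusted_dirs are the directories an O4 autorun is normally expected under.
    """
    findings = []
    for sec, body in entries:
        if "(no file)" in body:
            findings.append((sec, "orphaned entry, target file missing", body))
        elif sec == "O10":
            findings.append((sec, "Winsock LSP module: confirm publisher and signature", body))
        elif sec == "O17":
            m = NAMESERVER_RE.search(body)
            ips = m.group("ips").split(",") if m else []
            unknown = [ip for ip in ips if ip not in trusted_dns]
            if unknown:
                findings.append((sec, "DNS server not on allow-list: " + ",".join(unknown), body))
        elif sec == "O4":
            m = O4_PATH_RE.search(body)
            if m and not m.group("path").lower().startswith(trusted_dirs):
                findings.append((sec, "autorun outside Windows/Program Files", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(parse_hjt(SAMPLE_LOG), trusted_dns={"172.16.6.30"}):
        print(f"{sec}: {reason}\n    {body}")
```

With the site's own DNS server on the allow-list, only the orphaned O9 button, the LSP module and the constructed O4 line are reported; an empty allow-list additionally reports the O17 entry.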

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 04 August 2008 - 01:13 PM

Hi,

This looks OK again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Then,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 sms7204

sms7204
  • Topic Starter

  • Members
  • 10 posts

Posted 05 August 2008 - 02:32 PM

miekiemoes,
Hey, thanks for the help thus far. Everything seems to be smooth, and I installed the new Java update. Haven't uninstalled ComboFix yet though.

Only thing is, the Avira has found a Trojan a couple of times today. It's called "TR/Lowzones.SG [trojan]"

Is this a problem?? I've deleted it both times. No popups or malware seems to be present though.

Thanks so much!!!

Spencer

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 August 2008 - 02:39 PM

Hi,

Haven't uninstalled ComboFix yet though.

And that's why your Avira found infections again, because it most probably found it in the C:\Qoobox\Quarantine folder, which is created by Combofix and that's where it quarantined the files.
If you uninstall Combofix, it will also delete the Qoobox folder.
In any case, please don't keep Combofix on your system, because it's updated every day, so there's really no need to keep it. If you need it again, just re-download it when you need it. That's why we always recommend that you uninstall Combofix :-)

Anyway, good to hear everything is running OK again.

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 August 2008 - 12:56 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
