
Infected With Virtumonde And Vondo And Maybe Others


19 replies to this topic

#1 jarmd


Posted 02 August 2008 - 06:11 AM

IE is being hijacked with each keystroke to change browser site. Began weeks ago. Have run McAfee, Spybot, Spyhunter, MaxSecure, RegCure, AdAware multiple times (50 or more) without success. Each time McAfee and AdAware are run, the same infections are found, indicating the presence of Virtumonde and Vondu, Ad-revolver and numerous cookies (which were already removed) to hijacked sites.

Deckard's System Scanner v20071014.68
Run by jrusca on 2008-08-02 06:49:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-02 06:52:00
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\1XConfig.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\RegSrvc.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jrusca\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: (no name) - {0E72F52F-2BD0-49A0-9E2B-6F7AB66258CD} - (no file)
O2 - BHO: (no name) - {28DFADFE-7A91-4425-BCB8-8C8246B2CFF8} - (no file)
O2 - BHO: {068a33c4-5dcc-58eb-16c4-81033bdbe533} - {335ebdb3-3018-4c61-be85-ccd54c33a860} - C:\WINDOWS\SYSTEM32\rbfzdq.dll
O2 - BHO: (no name) - {39BFE0C7-FD0F-46CB-A472-126015BB610E} - C:\WINDOWS\SYSTEM32\cbXNDVLc.dll
O2 - BHO: (no name) - {49006F7A-DD5A-44BD-916C-5B4139044428} - (no file)
O2 - BHO: (no name) - {6A397BA5-C8B4-4985-BA21-6FA3E41A161D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {80B5960F-7AD0-4939-8958-5C2E8F90EA89} - (no file)
O2 - BHO: (no name) - {82DB49FC-CB30-4080-B2F5-B7E89BB65E4C} - (no file)
O2 - BHO: (no name) - {B59F7624-5FFC-4069-A6B2-D4B2382BE161} - (no file)
O2 - BHO: (no name) - {C7027DB9-98CC-477B-9906-E16686E5631D} - (no file)
O2 - BHO: (no name) - {F64674D4-7DE2-456B-8826-07AB4B022232} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {DD37233B-913F-4402-9328-D6844BB72F59} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB002" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [289a8f4f] rundll32.exe "C:\WINDOWS\system32\yqjyrxkg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mentorsolutions.webex.com/client/T2...bex/ieatgpc.cab
O17 - HKLM\Software\..\Telephony: DomainName = ias.operations
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ias.operations
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = ias.operations
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ias.operations
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL rbfzdq.dll
O20 - Winlogon Notify: wvUllkjK - C:\WINDOWS\system32\wvUllkjK.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\SYSTEM32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\SYSTEM32\S24EvMon.exe


--
End of file - 9686 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

S2 SDService -


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-02 06:39:42 440 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-07-20 19:40:35 374 --a------ C:\WINDOWS\Tasks\RegCure.job
2008-07-08 02:15:00 444 --a------ C:\WINDOWS\Tasks\SpyHunter Scanner.job
2008-07-01 01:47:27 354 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-06-13 21:30:06 378 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (LAPTOPDAD-John Armitage Rusca).job
2008-06-13 21:30:06 378 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (LAPTOPDAD-John Armitage Rusca).job
2007-06-21 10:11:25 352 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-01 10:31:39 129920 --a------ C:\WINDOWS\system32\rbfzdq.dll
2008-08-01 10:31:38 129920 --a------ C:\WINDOWS\system32\uowlufda.dll
2008-08-01 10:29:56 99200 --a------ C:\WINDOWS\system32\yqjyrxkg.dll
2008-07-31 19:31:03 120960 --a------ C:\WINDOWS\system32\lluduk.dll
2008-07-31 19:31:02 120960 --a------ C:\WINDOWS\system32\hyvicpim.dll
2008-07-31 10:38:25 120960 --a------ C:\WINDOWS\system32\ghmmgu.dll
2008-07-31 10:38:24 120960 --a------ C:\WINDOWS\system32\uxholvnr.dll
2008-07-30 16:57:24 99712 --a------ C:\WINDOWS\system32\seotuqxi.dll
2008-07-30 13:26:15 99712 --a------ C:\WINDOWS\system32\qlrisocx.dll
2008-07-30 13:24:32 120960 --a------ C:\WINDOWS\system32\wzyjbr.dll
2008-07-30 13:24:30 120960 --a------ C:\WINDOWS\system32\xscgnaan.dll
2008-07-29 11:46:38 120448 --a------ C:\WINDOWS\system32\hzawzj.dll
2008-07-29 11:46:37 120448 --a------ C:\WINDOWS\system32\yudwlbai.dll
2008-07-27 18:08:03 95360 --a------ C:\WINDOWS\system32\vylailtg.dll
2008-07-26 21:28:25 116864 --a------ C:\WINDOWS\system32\blzuwk.dll
2008-07-26 21:28:24 116864 --a------ C:\WINDOWS\system32\kfvfesvh.dll
2008-07-26 14:56:38 116864 --a------ C:\WINDOWS\system32\rdecnz.dll
2008-07-26 14:56:37 116864 --a------ C:\WINDOWS\system32\yfgqyboo.dll
2008-07-20 19:40:01 0 d-------- C:\Program Files\RegCure
2008-07-18 09:35:19 116864 --a------ C:\WINDOWS\system32\evascg.dll
2008-07-18 09:35:19 116864 --a------ C:\WINDOWS\system32\cphrmywm.dll


-- Find3M Report ---------------------------------------------------------------

2008-08-02 06:51:44 749357 --ahs---- C:\WINDOWS\system32\cLVDNXbc.ini2
2008-07-26 17:23:45 70 --ah----- C:\aaw7boot.cmd
2008-07-20 19:28:57 0 d-------- C:\Program Files\Quicken
2008-07-02 17:41:24 0 d-------- C:\Program Files\Agent
2008-06-27 16:24:48 0 d-------- C:\Program Files\Google
2008-06-27 16:22:36 0 d-------- C:\Program Files\Western Digital
2008-05-24 20:26:37 318336 --a------ C:\WINDOWS\system32\cbXNDVLc.dll
2008-05-24 20:17:56 695826 --ahs---- C:\WINDOWS\system32\xHNWHkkj.ini2
2008-05-24 13:33:28 699500 --ahs---- C:\WINDOWS\system32\BLVGOqru.ini2
2008-05-23 11:27:37 785098 --ahs---- C:\WINDOWS\system32\PrXxwyay.ini2
2008-05-21 17:26:18 780597 --ahs---- C:\WINDOWS\system32\jRssDfhk.ini2
2008-05-21 16:34:17 782015 --ahs---- C:\WINDOWS\system32\TEdcIRqr.ini2
2008-05-16 11:31:18 1224532 --ahs---- C:\WINDOWS\system32\lnUDNqru.ini2
2008-05-15 23:30:47 1222532 --ahs---- C:\WINDOWS\system32\TDMTstwa.ini2
2008-05-15 18:30:55 1431 --ahs---- C:\WINDOWS\system32\ppXHknmp.ini2
2008-05-15 17:03:02 1093552 --ahs---- C:\WINDOWS\system32\GffMVvut.ini2
2008-05-14 20:54:16 1091790 --ahs---- C:\WINDOWS\system32\ghhkQXbc.ini2
2008-05-14 20:04:30 1077235 --ahs---- C:\WINDOWS\system32\ycMWEfhk.ini2
2008-05-14 09:25:20 1072559 --ahs---- C:\WINDOWS\system32\UvELknmp.ini2
2008-05-13 16:34:50 1068876 --ahs---- C:\WINDOWS\system32\qqppsBeg.ini2
2008-05-13 14:43:10 665 --ahs---- C:\WINDOWS\system32\XFfeKkkj.ini2
2008-05-13 13:57:58 948006 --ahs---- C:\WINDOWS\system32\sCcLRqru.ini2
2008-05-13 10:50:29 948276 --ahs---- C:\WINDOWS\system32\TwDJQXyb.ini2
2008-05-12 22:48:12 102400 --a------ C:\WINDOWS\oadkxrts.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E72F52F-2BD0-49A0-9E2B-6F7AB66258CD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28DFADFE-7A91-4425-BCB8-8C8246B2CFF8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{335ebdb3-3018-4c61-be85-ccd54c33a860}]
08/01/2008 10:31 AM 129920 --a------ C:\WINDOWS\system32\rbfzdq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39BFE0C7-FD0F-46CB-A472-126015BB610E}]
05/24/2008 08:26 PM 318336 --a------ C:\WINDOWS\system32\cbXNDVLc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49006F7A-DD5A-44BD-916C-5B4139044428}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A397BA5-C8B4-4985-BA21-6FA3E41A161D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80B5960F-7AD0-4939-8958-5C2E8F90EA89}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82DB49FC-CB30-4080-B2F5-B7E89BB65E4C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B59F7624-5FFC-4069-A6B2-D4B2382BE161}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7027DB9-98CC-477B-9906-E16686E5631D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F64674D4-7DE2-456B-8826-07AB4B022232}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [08/21/2004 08:04 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/06/2004 11:10 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [09/27/2004 01:52 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [05/28/2003 07:32 PM]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [06/04/2003 04:00 AM]
"EPSON Stylus Photo R340 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.exe" [04/26/2005 04:00 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [11/16/2004 01:05 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/03/2005 05:54 PM]
"289a8f4f"="C:\WINDOWS\system32\yqjyrxkg.dll" [08/01/2008 10:29 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 09:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\jrusca\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
DESKTOP.INI [4/4/2005 6:07:41 PM]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [7/29/2003 10:49:48 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [08/17/2006 02:57 PM 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 01/12/2004 08:55 AM 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUllkjK]
wvUllkjK.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL rbfzdq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\cbXNDVLc

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\289a8f4f]
rundll32.exe "C:\WINDOWS\system32\yjarrijk.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.test.com
127.0.0.1 www.ads.x10.com
127.0.0.1 www.600pics.com
127.0.0.1 www.doberman.befree.com
127.0.0.1 www.enews.bfast.com
127.0.0.1 www.etoys.bfast.com
127.0.0.1 www.falcon.bfast.com
127.0.0.1 www.ftp.befree.com
127.0.0.1 www.ftp.bfast.com
127.0.0.1 www.geocities.bfast.com

844 more entries in hosts file.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.60GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 511.23 MiB / 150.18 MiB
Pagefile Memory (total/avail): 1248.43 MiB / 864.11 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1924.41 MiB

C: is Fixed (NTFS) - 53.08 GiB total, 23.63 GiB free.
D: is CDROM (No Media)
M: is Network (Unformatted)
O: is Network (Unformatted)
P: is Network (Unformatted)
Q: is Network (Unformatted)
R: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - TOSHIBA MK6026GAX - 55.89 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 53.08 GiB - C:
\PARTITION2 - Unknown - 2.75 GiB



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ares Ultra\\Ares Ultra.exe"="C:\\Program Files\\Ares Ultra\\Ares Ultra.exe:*:Enabled:Ares Ultra"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IMSI\\TCW70\\Program\\Tcw70.exe"="C:\\Program Files\\IMSI\\TCW70\\Program\\Tcw70.exe:*:Enabled:TurboCAD™ for Windows Application"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe:*:Enabled:hpgs2wnf Module"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\jrusca\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAPTOPDAD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\jrusca
HOMESHARE=\\ias-control\jrusca
LOGONSERVER=\\IAS-CONTROL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\jrusca\LOCALS~1\Temp
TMP=C:\DOCUME~1\jrusca\LOCALS~1\Temp
USERDNSDOMAIN=IAS.OPERATIONS
USERDOMAIN=IAS-OPS
USERNAME=jrusca
USERPROFILE=C:\Documents and Settings\jrusca
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

John Armitage Rusca (admin)
Administrator (admin)
mulder09 (admin)
jrusca (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0\Uninst.dll"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Broadcom Management Programs --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2A6282FF-B75B-463F-90F5-0A43732F690D} /l1033
Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Pro Trial --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
EPSON CardMonitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst
EPSON PhotoCenter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76E927F-E292-434B-9661-3858F5D7BF63}\Setup.EXE" -l0x9 anything
EPSON PhotoStarter3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5983C895-DDA4-45D9-A8D1-877D5DE7693E}\Setup.exe" uninst
EPSON Print CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\setup.exe" -l0x9 -SYSTEM
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON SPR340 User's Guide --> C:\Program Files\epson\guide\spr340_e\uninstall.exe
Eudora --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31779833-C366-4BEB-ACEE-461B3C71FDFE}\setup.exe" -l0x9
Family Tree Maker 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4004E8B-6A95-4FA4-AA05-731FC6510474}\setup.exe" -l0x9
Film Factory --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EPSON Software\Film Factory\Uninst.isu"
Forté Agent --> C:\PROGRA~1\Agent\UNWISE.EXE C:\PROGRA~1\Agent\INSTALL.LOG "Uninstall Forté Agent"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet 6500 --> MsiExec.exe /X{3D50E33F-0DB8-4E3B-B75C-2B872A33D87B}
HP Photo and Imaging 1.2 - Scanjet 4570c Series --> MsiExec.exe /I{EF729AE1-4AE9-402A-AF64-5C5A8150F549}
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
Intel® PROSet --> MsiExec.exe /I{2C351DB8-E088-41A2-9BF0-113727FBB697}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Quicken 2004 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8} anything
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegCure 1.5.0.1 --> C:\Program Files\RegCure\uninst.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
TurboCAD v6 Symbols --> C:\WINDOWS\IsUninst.exe -fC:\IMSI\TCW60\Symbols\Uninst.isu
TurboCAD v7.1 --> MsiExec.exe /I{16B47724-A5D3-11D4-A5F2-00C0DF05DE71}
VideoLAN VLC media player 0.8.4a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}


-- Application Event Log -------------------------------------------------------

Event Record #/Type7668 / Error
Event Submitted/Written: 08/02/2008 06:39:51 AM / 08/02/2008 06:39:52 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type7664 / Error
Event Submitted/Written: 08/02/2008 06:38:51 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type7663 / Error
Event Submitted/Written: 08/02/2008 06:38:49 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type7662 / Error
Event Submitted/Written: 08/02/2008 06:31:36 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type7660 / Error
Event Submitted/Written: 08/01/2008 10:22:49 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3144 / Error
Event Submitted/Written: 08/02/2008 06:39:54 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SDService service failed to start due to the following error:
%%3

Event Record #/Type3143 / Error
Event Submitted/Written: 08/02/2008 06:39:54 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type3142 / Error
Event Submitted/Written: 08/02/2008 06:39:54 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Ati HotKey Poller service failed to start due to the following error:
%%3

Event Record #/Type3140 / Warning
Event Submitted/Written: 08/02/2008 06:39:38 AM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Event Record #/Type3137 / Error
Event Submitted/Written: 08/02/2008 06:39:20 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-08-02 06:54:17 ------------

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 2, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 02, 2008 02:17:16
Records in database: 1043134


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
M:\
O:\
P:\
Q:\
R:\

Scan statistics
Files scanned 96850
Threat name 12
Infected objects 82
Suspicious objects 0
Duration of the scan 02:48:16

File name Threat name Threats count
C:\WINDOWS\system32\rbfzdq.dll/C:\WINDOWS\system32\rbfzdq.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 35

C:\WINDOWS\system32\cbXNDVLc.dll/C:\WINDOWS\system32\cbXNDVLc.dll Infected: Trojan.Win32.Monderb.gen 3

C:\WINDOWS\System32\rbfzdq.dll/C:\WINDOWS\System32\rbfzdq.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 3

C:\WINDOWS\system32\yqjyrxkg.dll/C:\WINDOWS\system32\yqjyrxkg.dll Infected: Trojan.Win32.Monder.bwu 16

C:\Documents and Settings\jrusca\Local Settings\Temporary Internet Files\Content.IE5\9CL1N157\kb456456[1] Infected: Trojan.Win32.Monder.box 1

C:\Documents and Settings\jrusca\Local Settings\Temporary Internet Files\Content.IE5\9CL1N157\kb767887[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.bvc 1

C:\Documents and Settings\jrusca\Local Settings\Temporary Internet Files\Content.IE5\OUZISKUV\CAENCTQN Infected: Trojan.Win32.Monderb.gen 1

C:\Documents and Settings\jrusca\Local Settings\Temporary Internet Files\Content.IE5\VVLHXHDY\kb767887[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1

C:\WINDOWS\oadkxrts.exe Infected: Trojan.Win32.Vapsup.feu 1

C:\WINDOWS\SYSTEM32\blzuwk.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1

C:\WINDOWS\SYSTEM32\cbXNDVLc.dll Infected: Trojan.Win32.Monderb.gen 1

C:\WINDOWS\SYSTEM32\cphrmywm.dll Infected: Trojan.Win32.Monder.axo 1

C:\WINDOWS\SYSTEM32\evascg.dll Infected: Trojan.Win32.Monder.axo 1

C:\WINDOWS\SYSTEM32\ghmmgu.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1

C:\WINDOWS\SYSTEM32\hyvicpim.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1

C:\WINDOWS\SYSTEM32\hzawzj.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bve 1

C:\WINDOWS\SYSTEM32\kfvfesvh.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1

C:\WINDOWS\SYSTEM32\lluduk.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1

C:\WINDOWS\SYSTEM32\qlrisocx.dll Infected: Trojan.Win32.Monder.bvp 1

C:\WINDOWS\SYSTEM32\rbfzdq.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1

C:\WINDOWS\SYSTEM32\rdecnz.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1

C:\WINDOWS\SYSTEM32\seotuqxi.dll Infected: Trojan.Win32.Monder.bvp 1

C:\WINDOWS\SYSTEM32\uowlufda.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1

C:\WINDOWS\SYSTEM32\uxholvnr.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1

C:\WINDOWS\SYSTEM32\wzyjbr.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\WINDOWS\SYSTEM32\xscgnaan.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1

C:\WINDOWS\SYSTEM32\yfgqyboo.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1

C:\WINDOWS\SYSTEM32\yqjyrxkg.dll Infected: Trojan.Win32.Monder.bwu 1

C:\WINDOWS\SYSTEM32\yudwlbai.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bve 1

The selected area was scanned.



#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 02 August 2008 - 06:17 AM

Welcome to BC! :thumbsup:

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#3 jarmd

jarmd
  • Topic Starter

  • Members
  • 10 posts

Posted 03 August 2008 - 03:38 PM

Cannot access Combofix. States 430 FORBIDDEN.

JARMD

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 04 August 2008 - 04:15 AM

If you re-try the link for combofix, it should work now. :thumbsup:

#5 jarmd

jarmd
  • Topic Starter

  • Members
  • 10 posts

Posted 04 August 2008 - 12:03 PM

ComboFix 08-08-03.05 - jrusca 2008-08-04 12:29:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT -4:00]
Running from: C:\Documents and Settings\jrusca\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jrusca\Application Data\macromedia\Flash Player\#SharedObjects\8U8MGP3R\interclick.com
C:\Documents and Settings\jrusca\Application Data\macromedia\Flash Player\#SharedObjects\8U8MGP3R\interclick.com\ud.sol
C:\Documents and Settings\jrusca\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\jrusca\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\SYSTEM32\aorigqfc.ini
C:\WINDOWS\SYSTEM32\awmevmsx.ini
C:\WINDOWS\system32\aygyluci.ini
C:\WINDOWS\SYSTEM32\BLVGOqru.ini
C:\WINDOWS\SYSTEM32\BLVGOqru.ini2
C:\WINDOWS\system32\blzuwk.dll
C:\WINDOWS\system32\btfqqmln.ini
C:\WINDOWS\system32\cbXNDVLc.dll
C:\WINDOWS\system32\ceacwpfj.ini
C:\WINDOWS\SYSTEM32\chfsngma.ini
C:\WINDOWS\SYSTEM32\chhcaumt.ini
C:\WINDOWS\system32\cLVDNXbc.ini
C:\WINDOWS\SYSTEM32\cLVDNXbc.ini2
C:\WINDOWS\system32\cmsibbxx.ini
C:\WINDOWS\system32\cncqwocn.ini
C:\WINDOWS\system32\cphrmywm.dll
C:\WINDOWS\system32\dcegoojr.ini
C:\WINDOWS\system32\dcocshku.ini
C:\WINDOWS\system32\ejsmacuu.ini
C:\WINDOWS\system32\emmowkjf.ini
C:\WINDOWS\system32\evascg.dll
C:\WINDOWS\SYSTEM32\exhaudqb.ini
C:\WINDOWS\system32\fnroijic.ini
C:\WINDOWS\system32\fwdyjong.ini
C:\WINDOWS\system32\gcrjuoiw.ini
C:\WINDOWS\SYSTEM32\GffMVvut.ini2
C:\WINDOWS\SYSTEM32\ghhkQXbc.ini2
C:\WINDOWS\system32\ghjkeanq.ini
C:\WINDOWS\system32\ghmmgu.dll
C:\WINDOWS\system32\gkxryjqy.ini
C:\WINDOWS\system32\gngdhluu.ini
C:\WINDOWS\system32\gtlialyv.ini
C:\WINDOWS\system32\guwtoxfi.ini
C:\WINDOWS\system32\guypcwps.ini
C:\WINDOWS\system32\hdoidnji.ini
C:\WINDOWS\system32\hyvicpim.dll
C:\WINDOWS\system32\hzawzj.dll
C:\WINDOWS\system32\ihdofmve.ini
C:\WINDOWS\system32\iwibfhnb.ini
C:\WINDOWS\system32\jpnprdec.ini
C:\WINDOWS\SYSTEM32\jRssDfhk.ini
C:\WINDOWS\SYSTEM32\jRssDfhk.ini2
C:\WINDOWS\system32\kfvfesvh.dll
C:\WINDOWS\system32\kjirrajy.ini
C:\WINDOWS\system32\knvgbvuy.ini
C:\WINDOWS\system32\lluduk.dll
C:\WINDOWS\SYSTEM32\lnUDNqru.ini2
C:\WINDOWS\system32\lpilcjgn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\moaaeyor.ini
C:\WINDOWS\system32\msxvvrvd.ini
C:\WINDOWS\SYSTEM32\nbkiunvt.ini
C:\WINDOWS\SYSTEM32\nUtCcfii.ini
C:\WINDOWS\SYSTEM32\nUtCcfii.ini2
C:\WINDOWS\system32\nxubtsfd.ini
C:\WINDOWS\system32\oakstulv.ini
C:\WINDOWS\system32\obfvsotj.ini
C:\WINDOWS\system32\ofdegtvn.ini
C:\WINDOWS\system32\ogdjatpx.ini
C:\WINDOWS\system32\ogettkdy.ini
C:\WINDOWS\system32\omayapsw.ini
C:\WINDOWS\system32\oohwfvjd.ini
C:\WINDOWS\SYSTEM32\orotktww.ini
C:\WINDOWS\SYSTEM32\osspajyl.ini
C:\WINDOWS\system32\owyevepy.ini
C:\WINDOWS\system32\papncprx.ini
C:\WINDOWS\SYSTEM32\paybkrwv.ini
C:\WINDOWS\SYSTEM32\ppXHknmp.ini2
C:\WINDOWS\SYSTEM32\PrXxwyay.ini
C:\WINDOWS\SYSTEM32\PrXxwyay.ini2
C:\WINDOWS\system32\psdpqiui.ini
C:\WINDOWS\system32\qbpkdbis.ini
C:\WINDOWS\SYSTEM32\qimifypl.ini
C:\WINDOWS\SYSTEM32\qqppsBeg.ini2
C:\WINDOWS\system32\rdecnz.dll
C:\WINDOWS\SYSTEM32\sCcLRqru.ini2
C:\WINDOWS\system32\skiidyon.ini
C:\WINDOWS\SYSTEM32\sttrfjvx.ini
C:\WINDOWS\SYSTEM32\TDMTstwa.ini2
C:\WINDOWS\SYSTEM32\TEdcIRqr.ini
C:\WINDOWS\SYSTEM32\TEdcIRqr.ini2
C:\WINDOWS\SYSTEM32\tkihosxf.ini
C:\WINDOWS\system32\tmdmdcmv.ini
C:\WINDOWS\SYSTEM32\TwDJQXyb.ini2
C:\WINDOWS\SYSTEM32\UvELknmp.ini2
C:\WINDOWS\system32\uvppiqgo.ini
C:\WINDOWS\system32\uxholvnr.dll
C:\WINDOWS\SYSTEM32\vpyxqmwc.ini
C:\WINDOWS\system32\vtrucqmd.ini
C:\WINDOWS\system32\wpmdxqmk.ini
C:\WINDOWS\system32\wtcmyfik.ini
C:\WINDOWS\system32\wzyjbr.dll
C:\WINDOWS\SYSTEM32\XFfeKkkj.ini2
C:\WINDOWS\system32\xhejcfdv.ini
C:\WINDOWS\SYSTEM32\xHNWHkkj.ini
C:\WINDOWS\SYSTEM32\xHNWHkkj.ini2
C:\WINDOWS\system32\xscgnaan.dll
C:\WINDOWS\system32\xyyxjejl.ini
C:\WINDOWS\SYSTEM32\ycMWEfhk.ini2
C:\WINDOWS\system32\yfgqyboo.dll
C:\WINDOWS\SYSTEM32\ygxvdmoe.ini
C:\WINDOWS\system32\yrqtpyhg.ini
C:\WINDOWS\system32\yudwlbai.dll
C:\WINDOWS\SYSTEM32\yuvqhrix.ini
C:\WINDOWS\system32\yylovpkv.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-03 16:40 . 2008-08-03 16:39 130,432 --a------ C:\WINDOWS\SYSTEM32\dsrare.dll
2008-08-03 16:39 . 2008-08-03 16:39 130,432 --a------ C:\WINDOWS\SYSTEM32\xhdnklen.dll
2008-08-03 16:37 . 2008-08-03 16:37 98,688 --a------ C:\WINDOWS\SYSTEM32\vdfcjehx.dll
2008-08-02 15:34 . 2008-08-02 15:34 130,432 --a------ C:\WINDOWS\SYSTEM32\qsmtgc.dll
2008-08-02 15:34 . 2008-08-02 15:34 130,432 --a------ C:\WINDOWS\SYSTEM32\cujlihwo.dll
2008-08-02 06:48 . 2008-08-02 06:48 <DIR> d-------- C:\Deckard
2008-08-01 10:31 . 2008-08-01 10:31 129,920 --a------ C:\WINDOWS\SYSTEM32\uowlufda.dll
2008-08-01 10:31 . 2008-08-01 10:31 129,920 --a------ C:\WINDOWS\SYSTEM32\rbfzdq.dll
2008-07-30 16:57 . 2008-07-30 16:57 99,712 --a------ C:\WINDOWS\SYSTEM32\seotuqxi.dll
2008-07-30 13:26 . 2008-07-30 13:26 99,712 --a------ C:\WINDOWS\SYSTEM32\qlrisocx.dll
2008-07-27 18:08 . 2008-07-27 18:08 95,360 --a------ C:\WINDOWS\SYSTEM32\vylailtg.dll
2008-07-20 19:40 . 2008-07-20 20:06 <DIR> d-------- C:\Program Files\RegCure
2008-07-16 13:00 . 2008-07-16 13:00 294 --ahs---- C:\WINDOWS\SYSTEM32\textysqt.ini
2008-07-15 16:04 . 2008-07-31 14:53 754 --a------ C:\WINDOWS\WIN.INI
2008-07-15 11:50 . 2008-07-15 11:50 294 --ahs---- C:\WINDOWS\SYSTEM32\gnqburdd.ini
2008-07-08 14:45 . 2008-07-08 14:45 294 --ahs---- C:\WINDOWS\SYSTEM32\esiffxpg.ini
2008-07-08 02:54 . 2004-08-12 09:56 15,360 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-07-08 02:54 . 2004-08-12 09:56 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 21:23 70 ---ha-w C:\aaw7boot.cmd
2008-07-20 23:28 --------- d-----w C:\Program Files\Quicken
2008-07-02 21:41 --------- d-----w C:\Program Files\Agent
2008-06-27 20:24 --------- d-----w C:\Program Files\Google
2008-06-27 20:22 --------- d-----w C:\Program Files\Western Digital
2008-05-13 02:48 102,400 ----a-w C:\WINDOWS\oadkxrts.exe
2006-07-04 22:49 348 ---ha-w C:\Documents and Settings\John Armitage Rusca\hpothb07.dat
2006-07-04 22:39 322 ---ha-w C:\Documents and Settings\jrusca\hpothb07.dat
2005-05-28 12:48 56 --sh--r C:\WINDOWS\SYSTEM32\EAF239780E.sys
2005-05-28 12:48 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3224351a-3c45-4834-bd35-30261173766d}]
2008-08-03 16:39 130432 --a------ C:\WINDOWS\system32\dsrare.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 20:04 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 23:10 344064]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-09-27 13:52 610304]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 19:32 86016]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 04:00 99840]
"EPSON Stylus Photo R340 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE" [2005-04-26 04:00 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05 127035]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-03 17:54 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 22:49:48 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 08:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2004-04-11 13:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-06-27 16:29 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-03 23:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 08:58 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-03-15 08:58 135168 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-06-19 16:48 851968 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IMSI\\TCW70\\Program\\Tcw70.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-06-14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (LAPTOPDAD-John Armitage Rusca).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-06-14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (LAPTOPDAD-John Armitage Rusca).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2007-06-21 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-04 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-07-20 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-07-08 C:\WINDOWS\Tasks\SpyHunter Scanner.job
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2008-06-19 16:48]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-289a8f4f - C:\WINDOWS\system32\kifymctw.dll
Notify-wvUllkjK - wvUllkjK.dll
MSConfigStartUp-289a8f4f - C:\WINDOWS\system32\yjarrijk.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.msn.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &eBay Search - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 12:46:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\RegSrvc.exe
C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\SYSTEM32\1XConfig.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-08-04 12:54:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-04 16:54:26

Pre-Run: 25,238,155,264 bytes free
Post-Run: 25,340,796,928 bytes free

280 --- E O F --- 2008-04-10 11:59:23

Deckard's System Scanner v20071014.68
Run by jrusca on 2008-08-04 12:56:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-04 12:57:54
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\RegSrvc.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\ZCfgSvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\WINDOWS\SYSTEM32\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Apoint\ApntEx.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\jrusca\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: {d6673711-6203-53db-4384-54c3a1534223} - {3224351a-3c45-4834-bd35-30261173766d} - C:\WINDOWS\SYSTEM32\dsrare.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB002" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mentorsolutions.webex.com/client/T2...bex/ieatgpc.cab
O17 - HKLM\Software\..\Telephony: DomainName = ias.operations
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ias.operations
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = ias.operations
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ias.operations
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\SYSTEM32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\SYSTEM32\S24EvMon.exe


--
End of file - 8149 bytes

-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 12:50:27 0 d-------- C:\WINDOWS\LastGood
2008-08-04 12:43:07 0 d-------- U:\Deckard
2008-08-04 12:25:59 68096 --a------ C:\WINDOWS\zip.exe
2008-08-04 12:25:59 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-04 12:25:59 98816 --a------ C:\WINDOWS\sed.exe
2008-08-04 12:25:59 80412 --a------ C:\WINDOWS\grep.exe
2008-08-04 12:25:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-04 12:25:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-04 12:25:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-04 12:25:58 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-03 16:40:00 130432 --a------ C:\WINDOWS\system32\dsrare.dll
2008-08-03 16:39:57 130432 --a------ C:\WINDOWS\system32\xhdnklen.dll
2008-08-03 16:37:09 98688 --a------ C:\WINDOWS\system32\vdfcjehx.dll
2008-08-02 15:34:46 130432 --a------ C:\WINDOWS\system32\qsmtgc.dll
2008-08-02 15:34:42 130432 --a------ C:\WINDOWS\system32\cujlihwo.dll
2008-08-01 10:31:39 129920 --a------ C:\WINDOWS\system32\rbfzdq.dll
2008-08-01 10:31:38 129920 --a------ C:\WINDOWS\system32\uowlufda.dll
2008-07-30 16:57:24 99712 --a------ C:\WINDOWS\system32\seotuqxi.dll
2008-07-30 13:26:15 99712 --a------ C:\WINDOWS\system32\qlrisocx.dll
2008-07-27 18:08:03 95360 --a------ C:\WINDOWS\system32\vylailtg.dll
2008-07-20 19:40:01 0 d-------- C:\Program Files\RegCure


-- Find3M Report ---------------------------------------------------------------

2008-08-04 12:32:15 0 d-------- C:\Program Files\Common Files
2008-07-20 19:28:57 0 d-------- C:\Program Files\Quicken
2008-07-02 17:41:24 0 d-------- C:\Program Files\Agent
2008-06-27 16:24:48 0 d-------- C:\Program Files\Google
2008-06-27 16:22:36 0 d-------- C:\Program Files\Western Digital
2008-05-12 22:48:12 102400 --a------ C:\WINDOWS\oadkxrts.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3224351a-3c45-4834-bd35-30261173766d}]
08/03/2008 04:39 PM 130432 --a------ C:\WINDOWS\system32\dsrare.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [08/21/2004 08:04 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/06/2004 11:10 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [09/27/2004 01:52 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [05/28/2003 07:32 PM]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.exe" [06/04/2003 04:00 AM]
"EPSON Stylus Photo R340 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.exe" [04/26/2005 04:00 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [11/16/2004 01:05 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/03/2005 05:54 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 09:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\jrusca\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
DESKTOP.INI [4/4/2005 6:07:41 PM]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [7/29/2003 10:49:48 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [08/17/2006 02:57 PM 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 01/12/2004 08:55 AM 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe




-- End of Deckard's System Scanner: finished at 2008-08-04 12:58:19 ------------
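
The "Files created" section of the listing above carries the signal a helper keys on before any scanner names the family: random-looking lowercase DLL names in system32, all in the same size band, written in pairs seconds apart (dsrare.dll / xhdnklen.dll, qsmtgc.dll / cujlihwo.dll, rbfzdq.dll / uowlufda.dll). The following is an added example, not part of the thread and not Deckard's System Scanner code: it parses lines in Deckard's file-list format and separates "paired" drops from lone candidates. The name pattern, the 90-140 KB size band and the five-minute pairing window are assumptions fitted to this log, and the sample listing is constructed from the lines above plus two legitimate entries the filter must ignore.

```python
"""Spot Vundo-style DLL drops in a Deckard "Files created" listing.

Added example; not part of the thread and not Deckard's System Scanner code.
Heuristics modelled on the posted log (all thresholds are assumptions):
  * path is under %SystemRoot%\\system32 and the base name is 6-8 lowercase
    letters plus ".dll" (no digits, mixed case or separators);
  * size sits in the 90-140 KB band the posted samples fall in;
  * "paired" when another such DLL of identical size was created within
    PAIR_WINDOW_SEC (the dropper writes the BHO and a companion copy back
    to back, e.g. dsrare.dll / xhdnklen.dll three seconds apart).
"""
import re
from datetime import datetime

# Constructed sample: lines taken from the Deckard log above, plus two
# legitimate entries (sed.exe, LgNotify.dll) the filter must ignore.
SAMPLE = r"""
2008-08-04 12:25:59 98816 --a------ C:\WINDOWS\sed.exe
2008-08-03 16:40:00 130432 --a------ C:\WINDOWS\system32\dsrare.dll
2008-08-03 16:39:57 130432 --a------ C:\WINDOWS\system32\xhdnklen.dll
2008-08-03 16:37:09 98688 --a------ C:\WINDOWS\system32\vdfcjehx.dll
2008-08-02 15:34:46 130432 --a------ C:\WINDOWS\system32\qsmtgc.dll
2008-08-02 15:34:42 130432 --a------ C:\WINDOWS\system32\cujlihwo.dll
2008-07-27 18:08:03 95360 --a------ C:\WINDOWS\system32\vylailtg.dll
2008-07-20 19:40:01 0 d-------- C:\Program Files\RegCure
2004-01-12 08:55:00 110592 --a------ C:\WINDOWS\system32\LgNotify.dll
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+(?P<attr>\S+)\s+(?P<path>.+?)\s*$"
)
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,8}\.dll$")          # assumption: Vundo naming
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
SIZE_BAND = (90_000, 140_000)                                # assumption: bytes
PAIR_WINDOW_SEC = 300                                        # assumption: 5 minutes


def parse_listing(text):
    """Yield (timestamp, size, path) for each line in Deckard's file-list format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), int(m["size"]), m["path"]


def candidates(entries):
    """Keep random-named DLLs in system32 whose size is inside SIZE_BAND."""
    kept = []
    for ts, size, path in entries:
        name = path.rpartition("\\")[2]
        if SYSTEM32_RE.match(path) and RANDOM_DLL_RE.match(name) and SIZE_BAND[0] <= size <= SIZE_BAND[1]:
            kept.append((ts, size, name))
    return kept


def classify(text):
    """Map each candidate DLL to 'paired' or 'unpaired' (see module docstring)."""
    cands = candidates(parse_listing(text))
    verdict = {}
    for ts, size, name in cands:
        twin = any(
            other != name and osize == size and abs((ots - ts).total_seconds()) <= PAIR_WINDOW_SEC
            for ots, osize, other in cands
        )
        verdict[name] = "paired" if twin else "unpaired"
    return verdict


if __name__ == "__main__":
    for name, level in sorted(classify(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"{level:8s} {name}")
```

The "unpaired" verdict is deliberately weaker: a lone lowercase DLL in system32 is worth a second look, but it is the same-size twin written seconds earlier that matches the drop pattern in this log. Both lists belong in a CFScript or a scanner submission, not in a manual delete: the BHO DLL is loaded into every Explorer and IE process and will be re-dropped from its companion if only one copy goes.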

#6 -David-

Posted 04 August 2008 - 04:22 PM

Click Start > Run, type notepad, then hit Enter.
Copy and paste the following text into the window.

File::
C:\WINDOWS\SYSTEM32\dsrare.dll
C:\WINDOWS\SYSTEM32\xhdnklen.dll
C:\WINDOWS\SYSTEM32\vdfcjehx.dll
C:\WINDOWS\SYSTEM32\qsmtgc.dll
C:\WINDOWS\SYSTEM32\qsmtgc.dll
C:\WINDOWS\SYSTEM32\uowlufda.dll
C:\WINDOWS\SYSTEM32\rbfzdq.dll
C:\WINDOWS\SYSTEM32\seotuqxi.dll
C:\WINDOWS\SYSTEM32\qlrisocx.dll
C:\WINDOWS\SYSTEM32\vylailtg.dll
C:\WINDOWS\SYSTEM32\textysqt.ini
C:\WINDOWS\SYSTEM32\gnqburdd.ini
C:\WINDOWS\SYSTEM32\esiffxpg.ini
C:\WINDOWS\oadkxrts.exe

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
[Image: CFScript.txt being dragged onto ComboFix.exe]
Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
ComboFix will run, and a text file will open. Please post it back here.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say "Ready"; click "Next".
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new HijackThis log.
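
The HijackThis step above is the manual form of a small triage: the helper reads each O-line and picks out the ones to tick in "Fix checked". As an added example, not HijackThis code and not part of the thread, the following Python applies the rules the helper acted on in this case to a HijackThis 2.0.2 log: a BHO whose display name is blank or is itself a GUID, or whose DLL is a random-looking name in system32; a toolbar ending in "(no file)"; a button ending in "(file missing)"; and a service with "Unknown owner". The rules and the field-splitting on " - " are assumptions modelled on the log format, and the sample log is constructed from entries in this thread.

```python
"""Triage a HijackThis 2.0.2 log for the entries a helper asks to have fixed.

Added example; not HijackThis code and not part of the thread. The rules are
assumptions modelled on what the helper acted on above:
  O2  BHO whose display name is blank or is itself a GUID, or whose DLL is a
      random-looking lowercase name in system32         -> "rogue BHO"
  O3  toolbar entry ending in "(no file)"              -> "orphan toolbar"
  O9  button / menu item ending in "(file missing)"    -> "dangling button"
  O23 service whose publisher field is "Unknown owner" -> "unknown service owner"
Orphan and dangling entries are dead registry references to be cleaned up,
not evidence of malware on their own; the rogue-BHO rule is the one that
matters for a Vundo/Virtumonde case.
"""
import re

HJT_RE = re.compile(r"^(?P<sec>O\d+|R[0-3]|F\d)\s+-\s+(?P<body>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,8}\.dll$")   # assumption: Vundo naming

# Constructed sample: entries copied from the logs and the helper's post above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: {d6673711-6203-53db-4384-54c3a1534223} - {3224351a-3c45-4834-bd35-30261173766d} - C:\WINDOWS\system32\dsrare.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""


def _is_random_system32_dll(path):
    """True for e.g. C:\\WINDOWS\\system32\\dsrare.dll, False for LgNotify.dll or ssv.dll."""
    folder, _, name = path.rpartition("\\")
    return folder.lower().endswith("\\system32") and bool(RANDOM_DLL_RE.match(name))


def triage(text):
    """Return [(section, reason, original line)] for every entry a rule fires on."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_RE.match(line)
        if not m:
            continue
        sec = m["sec"]
        parts = [p.strip() for p in m["body"].split(" - ")]   # HJT separates fields with " - "
        if sec == "O2" and len(parts) >= 3:
            name = parts[0].partition(":")[2].strip()            # text after "BHO:"
            if name in ("", "(no name)") or GUID_RE.match(name) or _is_random_system32_dll(parts[-1]):
                findings.append((sec, "rogue BHO", line))
        elif sec == "O3" and parts[-1] == "(no file)":
            findings.append((sec, "orphan toolbar", line))
        elif sec == "O9" and parts[-1] == "(file missing)":
            findings.append((sec, "dangling button", line))
        elif sec == "O23" and "Unknown owner" in parts:
            findings.append((sec, "unknown service owner", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

On the sample the O2 line for dsrare.dll fires on two rules at once (GUID as display name, random DLL in system32), the O3 line is the one the helper lists for "Fix checked", and the O9 Research button is flagged only as a dangling reference: its DLL is an Office component that a later log in this thread shows present again, which is why such entries get cleaned up rather than treated as an infection.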

#7 jarmd

Posted 04 August 2008 - 09:12 PM

ComboFix 08-08-03.05 - jrusca 2008-08-04 18:33:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.196 [GMT -4:00]
Running from: C:\Documents and Settings\jrusca\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jrusca\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-04 12:50 . 2008-08-04 12:50 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-03 16:40 . 2008-08-03 16:39 130,432 --a------ C:\WINDOWS\SYSTEM32\dsrare.dll
2008-08-03 16:39 . 2008-08-03 16:39 130,432 --a------ C:\WINDOWS\SYSTEM32\xhdnklen.dll
2008-08-03 16:37 . 2008-08-03 16:37 98,688 --a------ C:\WINDOWS\SYSTEM32\vdfcjehx.dll
2008-08-02 15:34 . 2008-08-02 15:34 130,432 --a------ C:\WINDOWS\SYSTEM32\qsmtgc.dll
2008-08-02 15:34 . 2008-08-02 15:34 130,432 --a------ C:\WINDOWS\SYSTEM32\cujlihwo.dll
2008-08-02 06:48 . 2008-08-02 06:48 <DIR> d-------- C:\Deckard
2008-08-01 10:31 . 2008-08-01 10:31 129,920 --a------ C:\WINDOWS\SYSTEM32\uowlufda.dll
2008-08-01 10:31 . 2008-08-01 10:31 129,920 --a------ C:\WINDOWS\SYSTEM32\rbfzdq.dll
2008-07-30 16:57 . 2008-07-30 16:57 99,712 --a------ C:\WINDOWS\SYSTEM32\seotuqxi.dll
2008-07-30 13:26 . 2008-07-30 13:26 99,712 --a------ C:\WINDOWS\SYSTEM32\qlrisocx.dll
2008-07-27 18:08 . 2008-07-27 18:08 95,360 --a------ C:\WINDOWS\SYSTEM32\vylailtg.dll
2008-07-20 19:40 . 2008-07-20 20:06 <DIR> d-------- C:\Program Files\RegCure
2008-07-16 13:00 . 2008-07-16 13:00 294 --ahs---- C:\WINDOWS\SYSTEM32\textysqt.ini
2008-07-15 16:04 . 2008-07-31 14:53 754 --a------ C:\WINDOWS\WIN.INI
2008-07-15 11:50 . 2008-07-15 11:50 294 --ahs---- C:\WINDOWS\SYSTEM32\gnqburdd.ini
2008-07-08 14:45 . 2008-07-08 14:45 294 --ahs---- C:\WINDOWS\SYSTEM32\esiffxpg.ini
2008-07-08 02:54 . 2004-08-12 09:56 15,360 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-07-08 02:54 . 2004-08-12 09:56 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 21:23 70 ---ha-w C:\aaw7boot.cmd
2008-07-20 23:28 --------- d-----w C:\Program Files\Quicken
2008-07-02 21:41 --------- d-----w C:\Program Files\Agent
2008-06-27 20:24 --------- d-----w C:\Program Files\Google
2008-06-27 20:22 --------- d-----w C:\Program Files\Western Digital
2008-05-13 02:48 102,400 ----a-w C:\WINDOWS\oadkxrts.exe
2006-07-04 22:49 348 ---ha-w C:\Documents and Settings\John Armitage Rusca\hpothb07.dat
2006-07-04 22:39 322 ---ha-w C:\Documents and Settings\jrusca\hpothb07.dat
2005-05-28 12:48 56 --sh--r C:\WINDOWS\SYSTEM32\EAF239780E.sys
2005-05-28 12:48 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_12.53.56.94 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-04 14:13:20 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-08-04 19:18:51 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-08-04 14:13:20 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-04 19:18:51 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3224351a-3c45-4834-bd35-30261173766d}]
2008-08-03 16:39 130432 --a------ C:\WINDOWS\system32\dsrare.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 20:04 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 23:10 344064]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-09-27 13:52 610304]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 19:32 86016]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 04:00 99840]
"EPSON Stylus Photo R340 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE" [2005-04-26 04:00 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05 127035]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-03 17:54 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 22:49:48 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 08:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2004-04-11 13:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-06-27 16:29 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-03 23:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 08:58 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-03-15 08:58 135168 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-06-19 16:48 851968 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IMSI\\TCW70\\Program\\Tcw70.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-06-14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (LAPTOPDAD-John Armitage Rusca).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-06-14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (LAPTOPDAD-John Armitage Rusca).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2007-06-21 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-04 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-07-20 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-07-08 C:\WINDOWS\Tasks\SpyHunter Scanner.job
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2008-06-19 16:48]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 18:36:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-04 18:38:36
ComboFix-quarantined-files.txt 2008-08-04 22:38:16
ComboFix2.txt 2008-08-04 16:54:38

Pre-Run: 25,296,171,008 bytes free
Post-Run: 25,312,882,688 bytes free

142 --- E O F --- 2008-04-10 11:59:23
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 04, 2008 16:07:43
Records in database: 1053458
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
M:\
O:\
P:\
Q:\
R:\

Scan statistics:
Files scanned: 89482
Threat name: 11
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 02:22:05


File name / Threat name / Threats count
C:\WINDOWS\system32\dsrare.dll/C:\WINDOWS\system32\dsrare.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 2
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\blzuwk.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cphrmywm.dll.vir Infected: Trojan.Win32.Monder.axo 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\evascg.dll.vir Infected: Trojan.Win32.Monder.axo 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ghmmgu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hyvicpim.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hzawzj.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bve 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kfvfesvh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lluduk.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rdecnz.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uxholvnr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bxz 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wzyjbr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xscgnaan.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bwj 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yfgqyboo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bvb 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yudwlbai.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bve 1
C:\QooBox\Quarantine\catchme2008-08-04_123816.69.zip Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\oadkxrts.exe Infected: Trojan.Win32.Vapsup.feu 1
C:\WINDOWS\SYSTEM32\cujlihwo.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\WINDOWS\SYSTEM32\dsrare.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\WINDOWS\SYSTEM32\qlrisocx.dll Infected: Trojan.Win32.Monder.bvp 1
C:\WINDOWS\SYSTEM32\qsmtgc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1
C:\WINDOWS\SYSTEM32\rbfzdq.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1
C:\WINDOWS\SYSTEM32\seotuqxi.dll Infected: Trojan.Win32.Monder.bvp 1
C:\WINDOWS\SYSTEM32\uowlufda.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzu 1
C:\WINDOWS\SYSTEM32\vdfcjehx.dll Infected: Trojan.Win32.Monder.cet 1
C:\WINDOWS\SYSTEM32\xhdnklen.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.cas 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:26 PM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: {d6673711-6203-53db-4384-54c3a1534223} - {3224351a-3c45-4834-bd35-30261173766d} - C:\WINDOWS\system32\dsrare.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB002" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mentorsolutions.webex.com/client/T2...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ias.operations
O17 - HKLM\Software\..\Telephony: DomainName = ias.operations
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ias.operations
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ias.operations
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

--
End of file - 6959 bytes
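
Two things stand out in the ComboFix log above, and the helper's next reply turns on the first. Every path the CFScript named under "File::" is still listed in the post-run "Files Created" and "Find3M" sections, so the script did not take (the posted script also lists qsmtgc.dll twice and omits cujlihwo.dll, which the listing shows beside it). Second, the "Reg Loading Points" dump shows AntiVirusDisableNotify=1 and DisableMonitoring=1 under the Security Center keys, which suppress the "antivirus not running" alerts; the log cannot say who set them. As an added example, not ComboFix code and not part of the thread, the following Python makes both checks over the log text. The line shapes it parses, the "Folder::" section in the sample script, and the one extra path (example_removed.dll) that is absent from the log are assumptions; both samples are constructed from the posts above, with the McAfeeFirewall value set to 0 in the sample to show the filter.

```python
"""Check a ComboFix run against the CFScript that drove it, and look for
Security Center tampering in the log's registry dump.

Added example; not ComboFix code and not part of the thread. Two checks the
helper above made by eye:
  1. every path under "File::" should be gone from the post-run log; a target
     still on a dated file line means the script did not take;
  2. Security Center keys should not carry AntiVirusDisableNotify=1 or
     DisableMonitoring=1 (the posted log shows both). The log cannot tell
     you whether malware or a person set them.
Line shapes are taken from the posted log (assumption).
"""
import re

# Constructed sample CFScript: a subset of the helper's list plus one path
# (example_removed.dll) absent from the log, and a second section that the
# File:: check must skip.
SCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\dsrare.dll
C:\WINDOWS\SYSTEM32\xhdnklen.dll
C:\WINDOWS\SYSTEM32\textysqt.ini
C:\WINDOWS\SYSTEM32\example_removed.dll
C:\WINDOWS\oadkxrts.exe

Folder::
C:\Program Files\RegCure
"""

# Constructed ComboFix log excerpt, copied from the post above except that the
# McAfeeFirewall value is 0 here to show the filter (the posted log has 1).
LOG = r"""
((((( Files Created from 2008-07-04 to 2008-08-04 )))))
2008-08-04 12:50 . 2008-08-04 12:50 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-03 16:40 . 2008-08-03 16:39 130,432 --a------ C:\WINDOWS\SYSTEM32\dsrare.dll
2008-08-03 16:39 . 2008-08-03 16:39 130,432 --a------ C:\WINDOWS\SYSTEM32\xhdnklen.dll
2008-07-16 13:00 . 2008-07-16 13:00 294 --ahs---- C:\WINDOWS\SYSTEM32\textysqt.ini
((((( Find3M Report )))))
2008-07-26 21:23 70 ---ha-w C:\aaw7boot.cmd
2008-07-20 23:28 --------- d-----w C:\Program Files\Quicken
2008-05-13 02:48 102,400 ----a-w C:\WINDOWS\oadkxrts.exe
((((( Reg Loading Points )))))
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3224351a-3c45-4834-bd35-30261173766d}]
2008-08-03 16:39 130432 --a------ C:\WINDOWS\system32\dsrare.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
"""

HEADER_RE = re.compile(r"^\w+::$")                     # CFScript section header, e.g. File::
DATED_PATH_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?"   # one or two timestamps
    r"\s+(?:<DIR>|[\d,]+|-+)\s+\S+\s+(?P<path>.+?)\s*$"               # size, attributes, path
)
SC_KEY_RE = re.compile(r"^\[hkey_local_machine\\software\\microsoft\\security center(?:\\.*)?\]$", re.I)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-f]{8})$', re.I)
TAMPER_VALUES = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring"}


def cfscript_targets(script):
    """Paths listed under 'File::' (lower-cased); other sections are skipped."""
    targets, in_file_section = [], False
    for line in script.splitlines():
        s = line.strip()
        if HEADER_RE.match(s):
            in_file_section = s.lower() == "file::"
        elif s and in_file_section:
            targets.append(s.lower())
    return targets


def paths_in_log(log):
    """Every path on a dated file line anywhere in the ComboFix log (lower-cased)."""
    found = set()
    for line in log.splitlines():
        m = DATED_PATH_RE.match(line.strip())
        if m:
            found.add(m["path"].lower())
    return found


def surviving_targets(script, log):
    """CFScript File:: targets that the post-run log still lists."""
    present = paths_in_log(log)
    return [t for t in cfscript_targets(script) if t in present]


def security_center_tamper(log):
    """[(key, value name)] for tamper-style Security Center values set to 1."""
    hits, key = [], None
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1] if SC_KEY_RE.match(s) else None   # only track Security Center keys
            continue
        m = DWORD_RE.match(s) if key else None
        if m and m["name"].lower() in TAMPER_VALUES and int(m["val"], 16) == 1:
            hits.append((key, m["name"]))
    return hits


if __name__ == "__main__":
    for t in surviving_targets(SCRIPT, LOG):
        print("still present:", t)
    for key, name in security_center_tamper(LOG):
        print("tamper value:", name, "=1 under", key)
```

Run against the real log and script, the first check reproduces the helper's conclusion (every File:: target survives) without reading two hundred lines by eye. The run header is the other thing to check before blaming the script: it reports "Resident AV is active", and ComboFix's usage guide asks for real-time protection to be disabled first, so an active McAfee scanner holding or restoring the DLLs is a plausible reason a File:: deletion does not take.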

#8 -David-

Posted 05 August 2008 - 01:42 PM

Can you please repeat the CFScript step from my previous post; it appears as though the fix failed.
Ensure that the full contents of the quote box are copied to the Notepad document.
I only need to see the ComboFix log produced in the next post, please.

#9 jarmd

Posted 05 August 2008 - 04:18 PM

Please confirm the number of lines in the quote box to be 14 plus the "File::" line.
Thanks for the help, because I certainly could not do it myself!
jarmd

ComboFix 08-08-03.05 - jrusca 2008-08-05 16:58:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
Running from: C:\Documents and Settings\jrusca\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jrusca\Desktop\CFScript.txt
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-05 16:00 . 2008-08-05 17:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-04 18:57 . 2008-08-04 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 16:40 . 2008-08-03 16:39 130,432 --a------ C:\WINDOWS\SYSTEM32\dsrare.dll
2008-08-03 16:39 . 2008-08-03 16:39 130,432 --a------ C:\WINDOWS\SYSTEM32\xhdnklen.dll
2008-08-03 16:37 . 2008-08-03 16:37 98,688 --a------ C:\WINDOWS\SYSTEM32\vdfcjehx.dll
2008-08-02 15:34 . 2008-08-02 15:34 130,432 --a------ C:\WINDOWS\SYSTEM32\qsmtgc.dll
2008-08-02 15:34 . 2008-08-02 15:34 130,432 --a------ C:\WINDOWS\SYSTEM32\cujlihwo.dll
2008-08-02 06:48 . 2008-08-02 06:48 <DIR> d-------- C:\Deckard
2008-07-30 16:57 . 2008-07-30 16:57 99,712 --a------ C:\WINDOWS\SYSTEM32\seotuqxi.dll
2008-07-30 13:26 . 2008-07-30 13:26 99,712 --a------ C:\WINDOWS\SYSTEM32\qlrisocx.dll
2008-07-27 18:08 . 2008-07-27 18:08 95,360 --a------ C:\WINDOWS\SYSTEM32\vylailtg.dll
2008-07-20 19:40 . 2008-07-20 20:06 <DIR> d-------- C:\Program Files\RegCure
2008-07-16 13:00 . 2008-07-16 13:00 294 --ahs---- C:\WINDOWS\SYSTEM32\textysqt.ini
2008-07-15 16:04 . 2008-07-31 14:53 754 --a------ C:\WINDOWS\WIN.INI
2008-07-15 11:50 . 2008-07-15 11:50 294 --ahs---- C:\WINDOWS\SYSTEM32\gnqburdd.ini
2008-07-08 14:45 . 2008-07-08 14:45 294 --ahs---- C:\WINDOWS\SYSTEM32\esiffxpg.ini
2008-07-08 02:54 . 2004-08-12 09:56 15,360 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-07-08 02:54 . 2004-08-12 09:56 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 06:41 --------- d-----w C:\Program Files\Agent
2008-07-26 21:23 70 ---ha-w C:\aaw7boot.cmd
2008-07-20 23:28 --------- d-----w C:\Program Files\Quicken
2008-06-27 20:24 --------- d-----w C:\Program Files\Google
2008-06-27 20:22 --------- d-----w C:\Program Files\Western Digital
2008-05-13 02:48 102,400 ----a-w C:\WINDOWS\oadkxrts.exe
2006-07-04 22:49 348 ---ha-w C:\Documents and Settings\John Armitage Rusca\hpothb07.dat
2006-07-04 22:39 322 ---ha-w C:\Documents and Settings\jrusca\hpothb07.dat
2005-05-28 12:48 56 --sh--r C:\WINDOWS\SYSTEM32\EAF239780E.sys
2005-05-28 12:48 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-04_12.53.56.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
- 2008-07-08 06:54:35 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-08-05 13:25:30 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-07-08 06:54:35 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-08-05 13:25:30 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-07-08 06:54:35 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-08-05 13:25:30 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-07-08 06:54:34 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-08-05 13:25:29 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-07-08 06:54:36 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-08-05 13:25:30 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-07-08 06:54:36 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-08-05 13:25:30 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-07-08 06:54:36 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-08-05 13:25:30 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-07-08 06:54:37 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-08-05 13:25:31 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-07-08 06:54:35 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-08-05 13:25:30 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-07-08 06:54:35 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-08-05 13:25:29 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-07-08 06:54:37 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-08-05 13:25:31 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-07-08 06:54:33 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-08-05 13:25:29 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-07-08 06:54:32 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-08-05 13:25:29 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-08-04 14:13:20 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-08-05 18:28:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-08-04 14:13:20 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-05 18:28:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-04 11:00:00 561,179 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dao360.dll
- 2004-08-04 12:00:00 512,029 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msexch40.dll
- 2004-08-04 12:00:00 319,517 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msexcl40.dll
- 2004-08-04 12:00:00 1,507,356 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjet40.dll
- 2004-08-04 12:00:00 358,976 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjetol1.dll
- 2004-08-04 12:00:00 151,583 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
+ 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
- 2004-08-04 12:00:00 53,279 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjter40.dll
- 2004-08-04 12:00:00 241,693 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msjtes40.dll
- 2004-08-04 12:00:00 213,023 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msltus40.dll
+ 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msltus40.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mspbde40.dll
- 2004-08-04 12:00:00 421,919 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrepl40.dll
- 2004-08-04 12:00:00 258,077 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstext40.dll
- 2004-08-04 12:00:00 831,519 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswdat10.dll
- 2004-08-04 12:00:00 614,429 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswstr10.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msxbde40.dll
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2004-08-04 12:00:00 512,029 ----a-w C:\WINDOWS\SYSTEM32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\SYSTEM32\msexch40.dll
- 2004-08-04 12:00:00 319,517 ----a-w C:\WINDOWS\SYSTEM32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\SYSTEM32\msexcl40.dll
- 2004-08-04 12:00:00 1,507,356 ----a-w C:\WINDOWS\SYSTEM32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\SYSTEM32\msjet40.dll
- 2004-08-04 12:00:00 358,976 ----a-w C:\WINDOWS\SYSTEM32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\SYSTEM32\msjetoledb40.dll
- 2004-08-04 12:00:00 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
+ 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
- 2004-08-04 12:00:00 53,279 ----a-w C:\WINDOWS\SYSTEM32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\SYSTEM32\msjter40.dll
- 2004-08-04 12:00:00 241,693 ----a-w C:\WINDOWS\SYSTEM32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\SYSTEM32\msjtes40.dll
- 2004-08-04 12:00:00 213,023 ----a-w C:\WINDOWS\SYSTEM32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\SYSTEM32\msltus40.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\SYSTEM32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\SYSTEM32\mspbde40.dll
- 2004-08-04 12:00:00 421,919 ----a-w C:\WINDOWS\SYSTEM32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\SYSTEM32\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 ----a-w C:\WINDOWS\SYSTEM32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\SYSTEM32\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 ----a-w C:\WINDOWS\SYSTEM32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\SYSTEM32\msrepl40.dll
- 2004-08-04 12:00:00 258,077 ----a-w C:\WINDOWS\SYSTEM32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\SYSTEM32\mstext40.dll
- 2004-08-04 12:00:00 831,519 ----a-w C:\WINDOWS\SYSTEM32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\SYSTEM32\mswdat10.dll
- 2004-08-04 12:00:00 614,429 ----a-w C:\WINDOWS\SYSTEM32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\SYSTEM32\mswstr10.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\SYSTEM32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\SYSTEM32\msxbde40.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3224351a-3c45-4834-bd35-30261173766d}]
2008-08-03 16:39 130432 --a------ C:\WINDOWS\system32\dsrare.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 20:04 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 23:10 344064]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-09-27 13:52 610304]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 19:32 86016]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 04:00 99840]
"EPSON Stylus Photo R340 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE" [2005-04-26 04:00 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05 127035]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-03 17:54 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 22:49:48 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 08:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2004-04-11 13:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-06-27 16:29 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-03 23:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 08:58 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-03-15 08:58 135168 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-06-19 16:48 851968 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IMSI\\TCW70\\Program\\Tcw70.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-06-14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (LAPTOPDAD-John Armitage Rusca).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-06-14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (LAPTOPDAD-John Armitage Rusca).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2007-06-21 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-05 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-07-20 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-07-08 C:\WINDOWS\Tasks\SpyHunter Scanner.job
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2008-06-19 16:48]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 17:07:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-05 17:13:25
ComboFix-quarantined-files.txt 2008-08-05 21:13:03
ComboFix2.txt 2008-08-04 22:38:38
ComboFix3.txt 2008-08-04 16:54:38

Pre-Run: 24,190,853,120 bytes free
Post-Run: 24,449,912,832 bytes free

260 --- E O F --- 2008-08-05 13:25:34

#10 -David-

Posted 06 August 2008 - 01:41 PM

Sorry it took a while to get back to you; I was trying to figure out why the fix we did wasn't working.
The version of ComboFix you downloaded had a bug which meant the CFScript feature didn't successfully delete files.
The tool has been updated and the feature has been fixed, so delete the current version you have and download a new one here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Click Start > Run and type: notepad, then hit Enter.
Copy and paste the following text into the window.

File::
C:\WINDOWS\SYSTEM32\dsrare.dll
C:\WINDOWS\SYSTEM32\xhdnklen.dll
C:\WINDOWS\SYSTEM32\vdfcjehx.dll
C:\WINDOWS\SYSTEM32\qsmtgc.dll
C:\WINDOWS\SYSTEM32\qsmtgc.dll
C:\WINDOWS\SYSTEM32\uowlufda.dll
C:\WINDOWS\SYSTEM32\rbfzdq.dll
C:\WINDOWS\SYSTEM32\seotuqxi.dll
C:\WINDOWS\SYSTEM32\qlrisocx.dll
C:\WINDOWS\SYSTEM32\vylailtg.dll
C:\WINDOWS\SYSTEM32\textysqt.ini
C:\WINDOWS\SYSTEM32\gnqburdd.ini
C:\WINDOWS\SYSTEM32\esiffxpg.ini
C:\WINDOWS\oadkxrts.exe

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
Posted Image
Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
ComboFix will run, and a text file will open. Please post it back here.
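The question in post #8 (did the CFScript run actually delete anything?) can only be answered from the log ComboFix produces, so here is an added example, not ComboFix's own code or anything posted by -David-, that parses the `File::` block of a CFScript.txt and the `Other Deletions` section of the resulting log and reports which requested files the log confirms deleted, which it does not, and which deletions were not requested. The CFScript and log excerpt embedded in it are constructed from paths in this thread, and the section-banner layout of the log is assumed to match the logs posted here.

```python
"""Check a ComboFix CFScript run against the log it produces.

Added example for this thread, not ComboFix's own code. It parses the 'File::'
block of a CFScript.txt and the 'Other Deletions' section of the ComboFix log
and reports which requested files the log confirms deleted, which it does not,
and which deletions were not requested. Sample inputs are constructed from
paths posted in this thread; the log layout is assumed to match those logs.
"""
import re
from typing import Dict, List, Set

# Constructed CFScript using paths from -David-'s post; one path is repeated on
# purpose, as in the original, to show that duplicates collapse.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\SYSTEM32\dsrare.dll
C:\WINDOWS\SYSTEM32\qsmtgc.dll
C:\WINDOWS\SYSTEM32\qsmtgc.dll
C:\WINDOWS\SYSTEM32\rbfzdq.dll
C:\WINDOWS\oadkxrts.exe
"""

# Constructed ComboFix log excerpt in the layout seen in this thread.
SAMPLE_LOG = r"""ComboFix 08-08-06.01 - jrusca 2008-08-06 17:27:12.4 - NTFSx86
Command switches used :: C:\Documents and Settings\jrusca\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\SYSTEM32\dsrare.dll
C:\WINDOWS\SYSTEM32\qsmtgc.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-08-02 15:34 . 2008-08-02 15:34 130,432 --a------ C:\WINDOWS\SYSTEM32\cujlihwo.dll
"""

FILE_DIRECTIVE_RE = re.compile(r"file\s*::", re.IGNORECASE)
ANY_DIRECTIVE_RE = re.compile(r"\w+\s*::")              # File::, Folder::, ...
BANNER_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")  # ((( Section name )))


def parse_cfscript_files(text: str) -> Set[str]:
    """Return the paths listed under 'File::', lower-cased.

    The block ends at a blank line or at the next directive. Windows paths are
    case-insensitive, so all comparisons are done on lower-cased strings.
    """
    files: Set[str] = set()
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if FILE_DIRECTIVE_RE.fullmatch(line):
            in_block = True
        elif in_block and (not line or ANY_DIRECTIVE_RE.fullmatch(line)):
            in_block = False
        elif in_block:
            files.add(line.lower())
    return files


def parse_log_sections(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into its '(((( name ))))' sections.

    Lines before the first banner go under 'header'; ComboFix's '.' separator
    lines and blank lines are dropped.
    """
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER_RE.match(line)
        if banner:
            current = banner.group("name")
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def check_fix(cfscript: str, log: str) -> Dict[str, List[str]]:
    """Compare requested deletions with what the log confirms.

    'not_deleted' only means the log does not confirm the deletion: the file
    may already have been gone, or (as with the buggy build in this thread)
    the script was not processed at all, so the section is missing entirely.
    """
    requested = parse_cfscript_files(cfscript)
    deleted = {p.lower() for p in parse_log_sections(log).get("Other Deletions", [])}
    return {
        "deleted": sorted(requested & deleted),
        "not_deleted": sorted(requested - deleted),
        "unrequested": sorted(deleted - requested),
    }


if __name__ == "__main__":
    for label, paths in check_fix(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{label}: {paths}")
```

A log with no `Other Deletions` section at all, like the one in post #9, puts every requested path under `not_deleted`, which is the quickest way to see that a run never processed the script.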

#11 jarmd

  • Topic Starter


Posted 06 August 2008 - 04:46 PM

ComboFix 08-08-06.01 - jrusca 2008-08-06 17:27:12.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.201 [GMT -4:00]
Running from: C:\Documents and Settings\jrusca\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jrusca\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\SYSTEM32\dsrare.dll
C:\WINDOWS\SYSTEM32\esiffxpg.ini
C:\WINDOWS\SYSTEM32\gnqburdd.ini
C:\WINDOWS\SYSTEM32\qlrisocx.dll
C:\WINDOWS\SYSTEM32\qsmtgc.dll
C:\WINDOWS\SYSTEM32\rbfzdq.dll
C:\WINDOWS\SYSTEM32\seotuqxi.dll
C:\WINDOWS\SYSTEM32\textysqt.ini
C:\WINDOWS\SYSTEM32\uowlufda.dll
C:\WINDOWS\SYSTEM32\vdfcjehx.dll
C:\WINDOWS\SYSTEM32\vylailtg.dll
C:\WINDOWS\SYSTEM32\xhdnklen.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\SYSTEM32\dsrare.dll
C:\WINDOWS\SYSTEM32\esiffxpg.ini
C:\WINDOWS\SYSTEM32\gnqburdd.ini
C:\WINDOWS\SYSTEM32\qlrisocx.dll
C:\WINDOWS\SYSTEM32\qsmtgc.dll
C:\WINDOWS\SYSTEM32\seotuqxi.dll
C:\WINDOWS\SYSTEM32\textysqt.ini
C:\WINDOWS\SYSTEM32\vdfcjehx.dll
C:\WINDOWS\SYSTEM32\vylailtg.dll
C:\WINDOWS\SYSTEM32\xhdnklen.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 10:10 . 2008-08-06 10:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-06 10:10 . 2008-08-06 10:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-05 16:00 . 2008-08-05 17:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-05 15:58 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-08-05 15:58 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-08-04 18:57 . 2008-08-04 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-02 15:34 . 2008-08-02 15:34 130,432 --a------ C:\WINDOWS\SYSTEM32\cujlihwo.dll
2008-08-02 06:48 . 2008-08-02 06:48 <DIR> d-------- C:\Deckard
2008-07-20 19:40 . 2008-07-20 20:06 <DIR> d-------- C:\Program Files\RegCure
2008-07-15 16:04 . 2008-07-31 14:53 754 --a------ C:\WINDOWS\WIN.INI
2008-07-08 02:54 . 2004-08-12 09:56 15,360 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-07-08 02:54 . 2004-08-12 09:56 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 06:41 --------- d-----w C:\Program Files\Agent
2008-07-26 21:23 70 ---ha-w C:\aaw7boot.cmd
2008-07-20 23:28 --------- d-----w C:\Program Files\Quicken
2008-06-27 20:24 --------- d-----w C:\Program Files\Google
2008-06-27 20:22 --------- d-----w C:\Program Files\Western Digital
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2006-07-04 22:49 348 ---ha-w C:\Documents and Settings\John Armitage Rusca\hpothb07.dat
2006-07-04 22:39 322 ---ha-w C:\Documents and Settings\jrusca\hpothb07.dat
2005-05-28 12:48 56 --sh--r C:\WINDOWS\SYSTEM32\EAF239780E.sys
2005-05-28 12:48 1,890 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-08-05_17.12.34.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2008-08-05 13:25:30 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-08-06 02:00:09 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-08-05 13:25:30 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-08-06 02:00:10 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-08-05 13:25:30 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-08-06 02:00:10 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-08-05 13:25:29 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-08-06 02:00:09 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-08-05 13:25:30 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-08-06 02:00:10 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-08-05 13:25:30 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-08-06 02:00:10 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-08-05 13:25:30 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-08-06 02:00:10 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-08-05 13:25:31 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-08-06 02:00:10 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-08-05 13:25:30 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-08-06 02:00:09 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-08-05 13:25:29 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-08-06 02:00:09 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-08-05 13:25:31 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-08-06 02:00:10 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-08-05 13:25:29 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-08-06 02:00:09 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-08-05 13:25:29 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-08-06 02:00:09 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
- 2008-02-16 08:59:35 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
+ 2008-04-21 07:03:56 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
- 2008-08-05 18:28:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-08-06 18:29:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-08-05 18:28:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-06 18:29:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-06 18:29:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-16 08:59:35 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
+ 2008-04-21 07:03:57 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
- 2004-08-04 12:00:00 138,496 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
+ 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
- 2008-02-16 08:59:34 1,023,488 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
+ 2008-04-21 07:03:56 1,023,488 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
- 2008-02-16 08:59:35 151,040 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
+ 2008-04-21 07:03:56 151,040 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
- 2008-02-16 08:59:35 1,054,208 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
+ 2008-04-21 07:03:57 1,054,208 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
- 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
- 2008-02-16 08:59:35 357,888 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2008-02-16 08:59:35 205,312 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
- 2008-02-16 08:59:35 55,808 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
+ 2008-04-21 07:03:57 55,808 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
- 2008-02-15 09:23:37 18,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
+ 2008-04-17 10:52:54 18,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
- 2008-02-16 08:59:35 251,392 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
+ 2008-04-21 07:03:58 251,392 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
- 2008-02-16 08:59:35 96,256 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
+ 2008-04-21 07:03:58 96,256 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
- 2008-02-16 08:59:35 16,384 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
- 2008-02-16 22:29:38 3,059,712 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
- 2008-02-16 08:59:37 449,024 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
- 2008-02-16 08:59:37 146,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
+ 2008-04-21 07:03:59 146,432 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
- 2008-02-16 08:59:37 532,480 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
+ 2008-04-21 07:03:59 532,480 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
- 2004-08-04 12:00:00 245,248 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
+ 2008-06-20 17:41:10 245,248 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
- 2008-02-16 08:59:37 39,424 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
- 2007-10-29 22:43:03 1,287,680 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
- 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
- 2008-02-16 08:59:38 1,494,528 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
- 2008-02-16 08:59:38 474,112 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
- 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
- 2008-02-16 08:59:38 615,936 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
+ 2008-04-21 07:04:00 615,936 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
- 2008-02-16 08:59:39 659,456 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
+ 2008-04-21 07:04:00 659,456 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
- 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\rmcast.sys
- 2008-02-16 08:59:35 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2008-02-16 08:59:35 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2008-02-16 08:59:35 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2008-02-16 08:59:35 251,392 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
+ 2008-04-21 07:03:58 251,392 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
- 2008-02-16 08:59:35 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
+ 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
- 2008-02-16 08:59:35 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
- 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2008-02-16 08:59:37 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2008-02-16 08:59:37 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-04-21 07:03:59 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2008-02-16 08:59:37 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2008-02-16 08:59:37 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
+ 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
- 2008-02-16 08:59:38 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
+ 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
- 2006-12-10 18:10:02 14,640 ----a-w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
- 2008-02-16 08:59:38 615,936 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2008-02-16 08:59:39 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2008-04-21 07:04:00 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
- 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 20:04 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 23:10 344064]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-09-27 13:52 610304]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 19:32 86016]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 04:00 99840]
"EPSON Stylus Photo R340 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE" [2005-04-26 04:00 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05 127035]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-03 17:54 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-29 22:49:48 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-12 08:55 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a------ 2004-04-11 13:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-06-27 16:29 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2007-08-03 23:33 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-03-15 08:58 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2005-03-15 08:58 135168 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-06-19 16:48 851968 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IMSI\\TCW70\\Program\\Tcw70.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-06-14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (LAPTOPDAD-John Armitage Rusca).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2008-06-14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (LAPTOPDAD-John Armitage Rusca).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2007-06-21 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-07-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-06 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-07-20 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-07-08 C:\WINDOWS\Tasks\SpyHunter Scanner.job
- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2008-06-19 16:48]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 17:31:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-06 17:32:56
ComboFix-quarantined-files.txt 2008-08-06 21:32:50
ComboFix2.txt 2008-08-05 21:13:27
ComboFix3.txt 2008-08-04 22:38:38
ComboFix4.txt 2008-08-04 16:54:38

Pre-Run: 24,291,442,688 bytes free
Post-Run: 24,281,493,504 bytes free

294 --- E O F --- 2008-08-06 02:00:16

#12 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 August 2008 - 05:18 PM

Great, that worked a treat! :thumbsup:

Open HijackThis, click 'Config' (bottom right), then choose the 'Misc Tools' tab on top.
Choose 'Delete a file on reboot'. In the field, copy and paste the file path a few lines below.
Click Open. HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\WINDOWS\SYSTEM32\cujlihwo.dll

Allow the PC to reboot; if it doesn't do so automatically, please reboot manually.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation finishes, leave both 'Update' and 'Launch' checked. Click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here.

On the Scanner tab, ensure the "Perform Quick Scan" option is selected, then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
When the scan finishes, a box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

#13 jarmd

  • Topic Starter
  • Members
  • 10 posts

Posted 06 August 2008 - 06:20 PM

Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 2

7:19:13 PM 8/6/2008
mbam-log-8-6-2008 (19-19-13).txt

Scan type: Quick Scan
Objects scanned: 48168
Time elapsed: 8 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0cd8dfb8-0c1a-40f8-be85-03a01944af32} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f6852161-bba1-4d75-bf1e-f0fda639a7a3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\stfngdvw.bqxp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\cujlihwo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
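
As an added example (not part of the thread or of Malwarebytes' own code), a small Python triage helper for the MBAM log layout shown above: it parses the summary counts and the per-category detection lines, cross-checks that the counts agree with the entries actually listed, and flags files whose names fit the Vundo pattern of a random eight-letter DLL dropped directly under SYSTEM32. The sample log is constructed from the entries in the post, and the eight-letter naming pattern is an assumed heuristic, not a rule stated in the thread.

```python
import re

# Constructed sample in the MBAM 1.x log layout shown in the post above:
# summary counts first, then one section per category listing the detections.
SAMPLE_LOG = """\
Registry Keys Infected: 2
Registry Values Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\\stfngdvw.bqxp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\SYSTEM32\\cujlihwo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\\WINDOWS\\SYSTEM32\\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"(.+?) Infected: (\d+)")
SECTION_RE = re.compile(r"(.+?) Infected:")
DETAIL_RE = re.compile(r"(.+?) \(([^()]+)\) -> (.+)")
# Assumed heuristic: Vundo drops DLLs with random eight-letter names under SYSTEM32.
VUNDO_NAME_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (summary counts, detections per category) for an MBAM log."""
    summary, detections, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.fullmatch(line):          # e.g. "Files Infected: 2"
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.fullmatch(line):        # e.g. "Files Infected:"
            section = m.group(1)
            detections.setdefault(section, [])
        elif section and (m := DETAIL_RE.fullmatch(line)):
            detections[section].append((m.group(1), m.group(2), m.group(3)))
    return summary, detections


def count_mismatches(summary, detections):
    """Categories whose summary count disagrees with the entries listed."""
    return [c for c, n in summary.items() if n != len(detections.get(c, []))]


def vundo_style_paths(detections):
    """Detected files whose names fit the Vundo random-DLL pattern."""
    return [p for p, _, _ in detections.get("Files", []) if VUNDO_NAME_RE.search(p)]
```

A log whose summary counts and listed entries disagree is worth a second look before declaring the machine clean.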

#14 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 August 2008 - 06:25 PM

How is the PC running now? I see clean logs all round. :thumbsup:

#15 jarmd

  • Topic Starter
  • Members
  • 10 posts

Posted 06 August 2008 - 06:46 PM

A quick skip around the internet shows no hijacking so far. Let me work with it for the next 24 hrs and get back to you. The whole computer function seems to be back to working faster. THANKS SOOOOOOOOO MUCH!

Back to you tomorrow.
jarmd
