
Artemis Infection


  • This topic is locked
13 replies to this topic

#1 Shiza

Shiza

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 03 November 2008 - 10:27 AM

Some malware infected the computer yesterday. In task manager, it kept showing up as La02eMA1.exe, and I deleted whatever instances I could find through regedit. It comes back under different names, as well, such as 6l6g4f86. The names appear to be very random. AdAware caught it the first time as a "suspicious program" and requested that I send the info to their lab.

I've run all the requested scans, since then. Installed the firewall. Did Windows Update and cleaned out the cache. Here are the logs. Thank you in advance for the help. I'll be checking back to see if you've gotten a chance to eyeball the problem. :thumbsup:

Stinger

McAfee® Stinger Version 10.0.1.602 built on Sep 18 2008

Copyright © 2008 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Sep 18 2008.

Ready to scan for 236 viruses, trojans and variants.



Scan initiated on Mon Nov 03 07:17:02 2008

Number of clean files: 44053

Scan initiated on Mon Nov 03 07:24:10 2008

C:\WINDOWS\system32\LaO2eMA1.exe

Found trojan or variant Generic!Artemis

C:\WINDOWS\system32\LaO2eMA1.exe could not be repaired.

C:\WINDOWS\system32\LaO2eMA1.zip\LaO2eMA1.exe

Found trojan or variant Generic!Artemis

C:\WINDOWS\system32\LaO2eMA1.zip\LaO2eMA1.exe_

Found trojan or variant Generic!Artemis

C:\WINDOWS\system32\LaO2eMA1.zip could not be repaired.

Number of clean files: 198522

Number of Trojans: 3


Panda's Free Readout

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-11-03 00:48:31
PROTECTIONS: 1
MALWARE: 18
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG 7.5.549 7.5.549 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@azjmp[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@www.burstbeacon[2].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@media.adrevolver[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@zedo[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\NetworkService\Cookies\system@adrevolver[2].txt
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
Yes C:\hp\bin\KillIt.exe 
Yes C:\hp\bin\TrialHTML\Office 2003 Edition 60 Day Trial.exe 
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
;===================================================================================================================================================================================


HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:07 AM, on 11/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19061CD5-2EEF-407F-8015-765824705E98} - C:\Program Files\ComPlus Applications\kymoqywih89104.dll (file missing)
O2 - BHO: 0 - {347288ED-FC94-4A04-CC8B-0268C4503109} - C:\Program Files\Windows NT\lavuhavon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\system32\opnmkhh.dll (file missing)
O2 - BHO: (no name) - {FFC8A3B5-A096-46AE-9696-CCAB3E5BCC65} - C:\WINDOWS\system32\awvvw.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AutoTBar] h=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22AUTOTBAR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/39.24/uploader2.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: opnmkhh - opnmkhh.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7663 bytes



#2 Shiza

Shiza
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 04 November 2008 - 02:18 PM

I dunno if me replying will bump this back up the list, but it's worth a try. :thumbsup:

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:15 AM

Posted 04 November 2008 - 05:17 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 Shiza

Shiza
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 04 November 2008 - 07:15 PM

Thanks for the response. I'm scanning with the program now and will let you know what comes up. :thumbsup:

#5 Shiza

Shiza
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 04 November 2008 - 07:25 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1366
Windows 5.1.2600 Service Pack 3

11/4/2008 6:20:58 PM
mbam-log-2008-11-04 (18-20-58).txt

Scan type: Quick Scan
Objects scanned: 56069
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed120d76-bf31-412c-a99b-783c6676e128} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnmkhh (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ed120d76-bf31-412c-a99b-783c6676e128} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ed120d76-bf31-412c-a99b-783c6676e128} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1c2e5d27-a17c-4d89-85dd-3553c189380d} (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NoDNS (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ed120d76-bf31-412c-a99b-783c6676e128} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Program Files\NoDNS (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\opnmkhh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\NoDNS\UnInstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6l6g4F86.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LaO2eMA1.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
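Reading the HijackThis log in #1 against the MBAM log in #5 shows three of the suspicious entries turning up in both: the {ED120D76-...} BHO, the opnmkhh Winlogon Notify package and the NoDNS Run value are all reported by MBAM as Trojan.Vundo.H or Trojan.Agent, while the other three BHO entries marked "(file missing)" are not mentioned in the MBAM log at all and are left behind as orphaned registry entries. The script below is an added Python triage example, not part of this thread and not code from HijackThis or Malwarebytes: it applies three review heuristics (BHO entry whose DLL is missing, Winlogon Notify package whose DLL is missing, Run value with a malformed path) to a constructed subset of the two posted logs and marks which findings the MBAM log confirmed. The `Finding` structure, the regexes and the heuristics themselves are my own assumptions, not the tools' logic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the HijackThis lines posted in #1, copied as-is.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19061CD5-2EEF-407F-8015-765824705E98} - C:\Program Files\ComPlus Applications\kymoqywih89104.dll (file missing)
O2 - BHO: 0 - {347288ED-FC94-4A04-CC8B-0268C4503109} - C:\Program Files\Windows NT\lavuhavon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\system32\opnmkhh.dll (file missing)
O2 - BHO: (no name) - {FFC8A3B5-A096-46AE-9696-CCAB3E5BCC65} - C:\WINDOWS\system32\awvvw.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O20 - Winlogon Notify: opnmkhh - opnmkhh.dll (file missing)
"""

# Constructed sample: a subset of the MBAM lines posted in #5, copied as-is.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed120d76-bf31-412c-a99b-783c6676e128} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnmkhh (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NoDNS (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\opnmkhh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\NoDNS\UnInstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# MBAM lines: "<item> (<family>) -> <action>"
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z][\w.]*)\) -> (?P<action>.+)$")


@dataclass
class Finding:                      # assumed structure, not a HijackThis or MBAM type
    section: str                    # HijackThis section, e.g. O2, O4, O20
    key: str                        # lowercase CLSID, Notify package name or Run value name
    reason: str
    confirmed_by: Optional[str] = None   # MBAM family name if MBAM reported the same item


def triage_hjt(log):
    """Heuristic review of HijackThis lines: orphaned BHOs (O2 with a missing DLL),
    Winlogon Notify packages whose DLL is gone (O20) and Run values with a
    malformed path (O4 with doubled separators)."""
    findings = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and body.endswith("(file missing)"):
            findings.append(Finding(section, CLSID.search(body).group(0).lower(),
                                    "BHO still registered but its DLL is missing"))
        elif section == "O20" and body.endswith("(file missing)"):
            # body looks like 'Winlogon Notify: opnmkhh - opnmkhh.dll (file missing)'
            package = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            findings.append(Finding(section, package,
                                    "Winlogon Notify package whose DLL is missing"))
        elif section == "O4" and "\\\\" in body:
            value = re.search(r"\[([^\]]+)\]", body).group(1).lower()
            findings.append(Finding(section, value,
                                    "Run value with a malformed path (doubled separators)"))
    return findings


def parse_mbam(log):
    """Map each MBAM-detected item (lowercased) to the malware family MBAM reported."""
    detections = {}
    for line in log.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            detections[m.group("item").lower()] = m.group("family")
    return detections


def correlate(hjt_log, mbam_log):
    """Attach the MBAM family to every HJT finding whose key appears in an MBAM item;
    findings left without a family are entries the scanner did not touch."""
    detections = parse_mbam(mbam_log)
    findings = triage_hjt(hjt_log)
    for f in findings:
        for item, family in detections.items():
            if f.key in item:
                f.confirmed_by = family
                break
    return findings


if __name__ == "__main__":
    for f in correlate(HJT_LOG, MBAM_LOG):
        status = (f"confirmed by MBAM as {f.confirmed_by}" if f.confirmed_by
                  else "not in the MBAM log, still needs review")
        print(f"{f.section} {f.key}: {f.reason}; {status}")
```

On the two posted logs this flags six entries, of which MBAM confirms three; the three unconfirmed ones are the BHO CLSIDs {19061CD5-...}, {347288ED-...} and {FFC8A3B5-...}, which is the kind of leftover that a follow-up HijackThis scan should be checked for after the cleanup tools have run.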

#6 Shiza

Shiza
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 05 November 2008 - 01:16 AM

I just wanted to add that despite Malwarebytes listing that La02eMA1.exe file as being deleted/fixed, it continues to pop up.

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:15 AM

Posted 05 November 2008 - 07:28 AM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.


#8 Shiza

Shiza
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:15 PM

Posted 05 November 2008 - 12:55 PM

SDFix: Version 1.239
Run by Owner on Wed 11/05/2008 at 11:44 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted



Folder C:\Temp\1cb - Removed
Folder C:\Temp\sanR24 - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 11:50:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000007a
"TracesSuccessful"=dword:00000058

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 5 Sep 2004 196 A.SHR --- "C:\BOOT.BAK"
Sat 17 Jul 2004 19,528 A..H. --- "C:\WINDOWS\002365_.tmp"
Mon 5 Apr 2004 64,512 A..H. --- "C:\WINDOWS\agrsmdel.exe"
Tue 29 Jun 2004 88,363 A..H. --- "C:\WINDOWS\AGRSMMSG.exe"
Tue 7 Sep 2004 57,344 A..H. --- "C:\WINDOWS\ALCXMNTR.EXE"
Wed 12 May 2004 90,112 A..HR --- "C:\WINDOWS\bwUnin-6.2.3.66.exe"
Sun 13 Apr 2008 10,752 A..H. --- "C:\WINDOWS\hh.exe"
Mon 3 Mar 2003 33,792 A..H. --- "C:\WINDOWS\ieuninst.exe"
Sun 13 Apr 2008 69,120 A..H. --- "C:\WINDOWS\notepad.exe"
Sun 13 Apr 2008 146,432 A..H. --- "C:\WINDOWS\regedit.exe"
Sun 13 Apr 2008 32,866 ...H. --- "C:\WINDOWS\slrundll.exe"
Thu 29 Aug 2002 15,360 A..H. --- "C:\WINDOWS\TASKMAN.EXE"
Thu 29 Aug 2002 94,784 A..H. --- "C:\WINDOWS\twain.dll"
Sun 13 Apr 2008 50,688 A..H. --- "C:\WINDOWS\twain_32.dll"
Thu 29 Aug 2002 49,680 A..H. --- "C:\WINDOWS\twunk_16.exe"
Thu 29 Aug 2002 25,600 A..H. --- "C:\WINDOWS\twunk_32.exe"
Wed 10 Nov 1999 86,016 A..H. --- "C:\WINDOWS\unvise32qt.exe"
Thu 29 Aug 2002 18,944 A..H. --- "C:\WINDOWS\vmmreg32.dll"
Thu 29 Aug 2002 256,192 A..H. --- "C:\WINDOWS\winhelp.exe"
Sun 13 Apr 2008 283,648 A..H. --- "C:\WINDOWS\winhlp32.exe"
Thu 29 Aug 2002 707 A..H. --- "C:\WINDOWS\_default.pif"
Sun 2 Mar 2008 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Fri 24 Oct 2008 31,744 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0612.tmp"
Sat 25 Oct 2008 30,208 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1301.tmp"
Tue 30 Nov 2004 7,168 A..H. --- "C:\WINDOWS\$hf_mig$\KB867282\spmsg.dll"

Finished!

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:15 AM

Posted 05 November 2008 - 01:08 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 Shiza

Shiza
  • Topic Starter

  • Members
  • 20 posts

Posted 06 November 2008 - 09:56 AM

ComboFix 08-11-05.02 - Owner 2008-11-06 10:02:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.140 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\program files\smbols~1
c:\windows\IA
c:\windows\system32\LaO2eMA1.exe.a_a
c:\windows\system32\MSINET.oca
c:\windows\system32\wvvwa.ini
c:\windows\system32\wvvwa.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-05 11:43 . 2008-11-05 11:43 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-05 11:41 . 2008-11-05 11:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 11:31 . 2008-11-05 11:52 <DIR> d-------- C:\SDFix
2008-11-04 18:13 . 2008-11-04 18:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-04 18:13 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-04 18:12 . 2008-11-04 18:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-04 18:12 . 2008-11-04 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-04 18:12 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-04 12:15 . 2008-11-05 12:14 41,474 --a------ c:\windows\system32\LaO2eMA1.exe
2008-11-03 08:33 . 2008-11-03 08:33 <DIR> d-------- c:\program files\Sygate
2008-11-03 08:33 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-11-03 08:33 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-11-03 08:33 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-11-03 08:33 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-11-03 08:33 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-11-03 08:33 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-11-03 08:33 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-11-02 23:50 . 2008-11-02 23:50 <DIR> d-------- c:\program files\Panda Security
2008-11-02 23:50 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-02 23:09 . 2008-11-02 23:09 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-11-02 22:07 . 2008-11-02 23:49 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6
2008-11-02 16:35 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-02 16:35 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-02 16:35 . 2008-04-13 13:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-02 16:35 . 2008-04-13 13:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-02 14:31 . 2008-11-02 14:31 31,744 --a------ c:\windows\system32\6l6g4F86.exe
2008-10-23 22:53 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 14:17 . 2008-10-23 14:17 46,828 --ah----- c:\windows\system32\mlfcache.dat
2008-10-21 02:31 . 2008-06-10 01:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-16 18:56 . 2008-10-16 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Anvsoft
2008-10-16 18:53 . 2008-10-16 18:54 <DIR> d-------- c:\program files\DVD Photo Slideshow Professional
2008-10-16 14:00 . 2008-10-16 14:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-15 07:55 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 07:54 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 07:54 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 07:54 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 07:54 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 07:54 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 14:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 14:00 --------- d-----w c:\documents and settings\Owner\Application Data\AVG7
2008-11-05 07:05 --------- d-----w c:\program files\SpywareBlaster
2008-11-04 01:03 13,966 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-10-23 19:03 --------- d-----w c:\program files\Common Files\HP
2008-10-23 19:02 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-23 18:58 --------- d-----w c:\program files\Microsoft Plus! Digital Media Edition
2008-10-23 18:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-23 18:55 --------- d-----w c:\program files\Quicken
2008-10-23 18:52 --------- d-----w c:\program files\Hewlett-Packard
2008-10-21 08:31 --------- d-----w c:\program files\Java
2008-10-19 19:53 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-10-16 20:00 --------- d-----w c:\program files\Lavasoft
2008-10-16 19:59 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-16 14:00 --------- d-----w c:\program files\HP
2008-09-16 14:12 --------- d-----w c:\documents and settings\Owner\Application Data\HP
2008-09-15 17:17 --------- d-----w c:\documents and settings\Owner\Application Data\Image Zone Express
2008-09-15 17:01 --------- d-----w c:\documents and settings\LocalService\Application Data\HP
2008-09-15 17:00 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2005-10-23 00:45 65,304 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-08-05 14:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080520080806\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-04-20 118784]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-02 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=c:\windows\pss\IMStart.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=c:\windows\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cgw]
c:\program files\s?mbols\r?ndll.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 16:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 04:23 49152 c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 16:57 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2004-05-12 05:26 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 14:43 233472 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--ah----- 2004-06-29 08:06 88363 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--ah----- 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 usbohcii;usbohcii;c:\windows\system32\drivers\usbohcii.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\At1.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-06 c:\windows\Tasks\At10.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-06 c:\windows\Tasks\At11.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At12.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At13.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At14.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At15.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At16.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At17.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At18.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At19.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At2.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At20.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At21.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At22.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At23.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-04 c:\windows\Tasks\At24.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At25.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At26.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-04 c:\windows\Tasks\At27.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At28.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At29.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-04 c:\windows\Tasks\At3.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At30.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At31.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At32.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-06 c:\windows\Tasks\At33.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-06 c:\windows\Tasks\At34.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-06 c:\windows\Tasks\At35.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At36.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At37.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At38.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At39.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At4.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At40.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At41.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At42.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At43.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At44.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At45.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At46.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At47.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-04 c:\windows\Tasks\At48.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At5.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At6.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At7.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At8.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-06 c:\windows\Tasks\At9.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{19061CD5-2EEF-407F-8015-765824705E98} - c:\program files\ComPlus Applications\kymoqywih89104.dll
BHO-{347288ED-FC94-4A04-CC8B-0268C4503109} - c:\program files\Windows NT\lavuhavon.dll
BHO-{FFC8A3B5-A096-46AE-9696-CCAB3E5BCC65} - c:\windows\system32\awvvw.dll
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
HKCU-Run-BackupNotify - c:\program files\HP\Digital Imaging\bin\backupnotify.exe
HKLM-Run-AutoTBar - h=c:\windows\system32;c:\windows;c:\WINDOWS\System32\Wbem;c:\Python22AUTOTBAR.EXE
MSConfigStartUp-NAV CfgWiz - c:\program files\Common Files\Symantec Shared\CfgWiz.exe
MSConfigStartUp-WebBuying - c:\program files\Web Buying\v1.8.8\webbuying.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.gmail.com/
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 10:07:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sygate\SPF\Smc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2008-11-06 10:10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-06 16:10:48

Pre-Run: 139,624,906,752 bytes free
Post-Run: 139,662,200,832 bytes free

310 --- E O F --- 2008-10-24 08:01:06 :thumbsup:

Edited by Shiza, 06 November 2008 - 11:14 AM.


#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 November 2008 - 04:25 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
c:\windows\system32\6l6g4F86.exe
c:\windows\system32\LaO2eMA1.exe
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===============


Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\Tasks\At??.job
    c:\windows\Tasks\At?.job
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


================


Update Malwarebytes and run another quick scan just like before.
Please post the resulting log in your next reply along with all others.
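One way to sanity-check a removal list like the one above against the log it came from, as an added example that is not part of this thread, of ComboFix or of OTMoveIt3: the Python script below parses the "Contents of the 'Scheduled Tasks' folder" section in the format ComboFix printed in the earlier post, groups the job files by the executable they launch, flags targets that are started by several At-style jobs (the at.exe one-job-per-hour pattern visible above, where each of the two binaries had 24 jobs), and reports what the At?.job / At??.job wildcards would hit that does not launch one of the suspect executables. The log text in the block is a constructed subset of the posted entries plus a made-up At99.job and Backup.job, added only to show the collateral case; the function names are this example's own.

```python
"""Check a ComboFix 'Scheduled Tasks' listing against an At?.job removal list.

Added example (not from the thread, ComboFix or OTMoveIt3). It parses the
task section in the format posted above, groups jobs by the binary they
launch, and reports what the At?.job / At??.job wildcards would hit or miss.
"""
import re
from collections import defaultdict
from fnmatch import fnmatch
from pathlib import PureWindowsPath

SECTION_HEADER = "Contents of the 'Scheduled Tasks' folder"
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S.*\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$")
# The wildcards used in the OTMoveIt3 script above (compared case-insensitively).
AT_PATTERNS = ("at?.job", "at??.job")

# Constructed sample in ComboFix's format: a few of the entries posted above,
# plus a made-up At99.job (a legitimate at.exe job) and a made-up Backup.job.
SAMPLE_LOG = r"""
ComboFix 08-11-05.02 - Owner 2008-11-06 10:02:48.1 - NTFSx86
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\At1.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-06 c:\windows\Tasks\At10.job
- c:\windows\system32\6l6g4F86.exe [2008-11-02 14:31]

2008-11-05 c:\windows\Tasks\At25.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At26.job
- c:\windows\system32\LaO2eMA1.exe [2008-11-05 12:14]

2008-11-05 c:\windows\Tasks\At99.job
- c:\windows\system32\defrag.exe [2008-04-13 13:45]

2008-11-04 c:\windows\Tasks\Backup.job
- c:\program files\Backup\backup.exe [2007-01-01 09:00]
.
- - - - ORPHANS REMOVED - - - -
"""


def parse_scheduled_tasks(log_text):
    """Return [(job_path, target_path, target_stamp)] from the Scheduled Tasks section."""
    tasks, in_section, pending_job = [], False, None
    for line in log_text.splitlines():
        line = line.strip()
        if not in_section:
            in_section = line == SECTION_HEADER
            continue
        if line.startswith("- - - -") or line.startswith("(((("):
            break  # start of the next ComboFix section
        m = JOB_RE.match(line)
        if m:
            pending_job = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            tasks.append((pending_job, m.group("target"), m.group("stamp")))
            pending_job = None
    return tasks


def is_at_job(job_name):
    """True if the job file name would be matched by At?.job or At??.job."""
    return any(fnmatch(job_name.lower(), p) for p in AT_PATTERNS)


def jobs_launching(tasks, suspect_exes):
    """Job file names whose target basename is one of suspect_exes (case-insensitive)."""
    wanted = {e.lower() for e in suspect_exes}
    return sorted(PureWindowsPath(job).name for job, target, _ in tasks
                  if PureWindowsPath(target).name.lower() in wanted)


def persistence_candidates(tasks, min_jobs=2):
    """Targets started by at least min_jobs At-style jobs (the hourly at.exe pattern)."""
    counts = defaultdict(int)
    for job, target, _ in tasks:
        if is_at_job(PureWindowsPath(job).name):
            counts[target.lower()] += 1
    return sorted(t for t, n in counts.items() if n >= min_jobs)


def review_removal(tasks, suspect_exes):
    """What the At?.job/At??.job wildcards would delete beyond the suspect jobs, and what they miss."""
    suspect_jobs = set(jobs_launching(tasks, suspect_exes))
    all_jobs = {PureWindowsPath(job).name for job, _, _ in tasks}
    hit = {j for j in all_jobs if is_at_job(j)}
    return {
        "suspect_not_covered": sorted(suspect_jobs - hit),  # suspect tasks the wildcards would leave
        "collateral": sorted(hit - suspect_jobs),           # At-jobs hit that launch something else
    }


if __name__ == "__main__":
    tasks = parse_scheduled_tasks(SAMPLE_LOG)
    for target in persistence_candidates(tasks):
        print(f"repeated At-job target: {target}")
    print(review_removal(tasks, ["6l6g4F86.exe", "LaO2eMA1.exe"]))
```

On the sample, both suspect binaries show up as repeated At-job targets, every job that launches them is covered by the two wildcards, and the constructed At99.job is reported as collateral, which is the kind of entry worth checking by hand before a wildcard removal is run on a real log.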


========================================================

#12 Shiza

Shiza
  • Topic Starter

  • Members
  • 20 posts

Posted 06 November 2008 - 09:39 PM

ComboFix 08-11-05.02 - Owner 2008-11-06 20:20:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.144 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\6l6g4F86.exe
c:\windows\system32\LaO2eMA1.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\windows\system32\6l6g4F86.exe
c:\windows\system32\LaO2eMA1.exe
c:\windows\system32\LaO2eMA1.exe.a_a
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-05 11:43 . 2008-11-05 11:43 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-05 11:41 . 2008-11-05 11:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 11:31 . 2008-11-05 11:52 <DIR> d-------- C:\SDFix
2008-11-04 18:13 . 2008-11-04 18:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-04 18:13 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-04 18:12 . 2008-11-04 18:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-04 18:12 . 2008-11-04 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-04 18:12 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-03 08:33 . 2008-11-03 08:33 <DIR> d-------- c:\program files\Sygate
2008-11-03 08:33 . 2004-10-15 18:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-11-03 08:33 . 2004-10-15 18:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-11-03 08:33 . 2004-10-15 18:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-11-03 08:33 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-11-03 08:33 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-11-03 08:33 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-11-03 08:33 . 2004-10-15 18:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-11-02 23:50 . 2008-11-02 23:50 <DIR> d-------- c:\program files\Panda Security
2008-11-02 23:50 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-02 23:09 . 2008-11-02 23:09 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-11-02 22:07 . 2008-11-02 23:49 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6
2008-11-02 16:35 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-02 16:35 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-02 16:35 . 2008-04-13 13:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-02 16:35 . 2008-04-13 13:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-10-23 22:53 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 14:17 . 2008-10-23 14:17 46,828 --ah----- c:\windows\system32\mlfcache.dat
2008-10-21 02:31 . 2008-06-10 01:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-16 18:56 . 2008-10-16 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Anvsoft
2008-10-16 18:53 . 2008-10-16 18:54 <DIR> d-------- c:\program files\DVD Photo Slideshow Professional
2008-10-16 14:00 . 2008-10-16 14:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-15 07:55 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 07:54 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 07:54 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 07:54 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 07:54 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-15 07:54 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 20:34 --------- d-----w c:\documents and settings\Owner\Application Data\AVG7
2008-11-06 18:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 18:07 --------- d-----w c:\program files\SpywareBlaster
2008-11-04 01:03 13,966 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-10-23 19:03 --------- d-----w c:\program files\Common Files\HP
2008-10-23 19:02 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-23 18:58 --------- d-----w c:\program files\Microsoft Plus! Digital Media Edition
2008-10-23 18:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-23 18:55 --------- d-----w c:\program files\Quicken
2008-10-23 18:52 --------- d-----w c:\program files\Hewlett-Packard
2008-10-21 08:31 --------- d-----w c:\program files\Java
2008-10-19 19:53 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2008-10-16 20:00 --------- d-----w c:\program files\Lavasoft
2008-10-16 19:59 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-16 14:00 --------- d-----w c:\program files\HP
2008-09-16 14:12 --------- d-----w c:\documents and settings\Owner\Application Data\HP
2008-09-15 17:17 --------- d-----w c:\documents and settings\Owner\Application Data\Image Zone Express
2008-09-15 17:01 --------- d-----w c:\documents and settings\LocalService\Application Data\HP
2008-09-15 17:00 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2005-10-23 00:45 65,304 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-08-05 14:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080520080806\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-04-20 118784]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-02 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=c:\windows\pss\IMStart.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=c:\windows\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cgw]
c:\program files\s?mbols\r?ndll.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 16:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 04:23 49152 c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 16:57 81920 c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2004-05-12 05:26 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 14:43 233472 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--ah----- 2004-06-29 08:06 88363 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--ah----- 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-10-22 11:53 53248 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 usbohcii;usbohcii;c:\windows\system32\drivers\usbohcii.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\At10.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-06 c:\windows\Tasks\At11.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-06 c:\windows\Tasks\At12.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-06 c:\windows\Tasks\At13.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At14.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At15.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-06 c:\windows\Tasks\At16.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At17.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-06 c:\windows\Tasks\At18.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At19.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At2.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At20.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At21.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At22.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At23.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-04 c:\windows\Tasks\At24.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At25.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At26.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-04 c:\windows\Tasks\At27.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At28.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At29.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-04 c:\windows\Tasks\At3.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At30.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At31.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At32.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-06 c:\windows\Tasks\At33.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-06 c:\windows\Tasks\At34.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-06 c:\windows\Tasks\At35.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-06 c:\windows\Tasks\At36.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-06 c:\windows\Tasks\At37.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At38.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At39.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At4.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-06 c:\windows\Tasks\At40.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At41.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-06 c:\windows\Tasks\At42.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At43.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At44.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At45.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At46.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At47.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-04 c:\windows\Tasks\At48.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At5.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At6.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At7.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At8.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-06 c:\windows\Tasks\At9.job
- c:\windows\system32\6l6g4F86.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 20:22:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-11-06 20:23:39
ComboFix-quarantined-files.txt 2008-11-07 02:23:29
ComboFix2.txt 2008-11-06 16:10:53

Pre-Run: 139,589,189,632 bytes free
Post-Run: 139,577,098,240 bytes free

285 --- E O F --- 2008-10-24 08:01:06


OT report

========== FILES ==========
c:\windows\Tasks\At10.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At14.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At16.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At18.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At2.job moved successfully.
c:\windows\Tasks\At20.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At22.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At24.job moved successfully.
c:\windows\Tasks\At25.job moved successfully.
c:\windows\Tasks\At26.job moved successfully.
c:\windows\Tasks\At27.job moved successfully.
c:\windows\Tasks\At28.job moved successfully.
c:\windows\Tasks\At29.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At30.job moved successfully.
c:\windows\Tasks\At31.job moved successfully.
c:\windows\Tasks\At32.job moved successfully.
c:\windows\Tasks\At33.job moved successfully.
c:\windows\Tasks\At34.job moved successfully.
c:\windows\Tasks\At35.job moved successfully.
c:\windows\Tasks\At36.job moved successfully.
c:\windows\Tasks\At37.job moved successfully.
c:\windows\Tasks\At38.job moved successfully.
c:\windows\Tasks\At39.job moved successfully.
c:\windows\Tasks\At4.job moved successfully.
c:\windows\Tasks\At40.job moved successfully.
c:\windows\Tasks\At41.job moved successfully.
c:\windows\Tasks\At42.job moved successfully.
c:\windows\Tasks\At43.job moved successfully.
c:\windows\Tasks\At44.job moved successfully.
c:\windows\Tasks\At45.job moved successfully.
c:\windows\Tasks\At46.job moved successfully.
c:\windows\Tasks\At47.job moved successfully.
c:\windows\Tasks\At48.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At6.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At8.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
File/Folder c:\windows\Tasks\At?.job not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_RPoDn3m4NFygp935teNu scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\urlclassifier3.sqlite-journal scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11062008_202600

Files moved on Reboot...
File C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_RPoDn3m4NFygp935teNu not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\urlclassifier3.sqlite moved successfully.
File C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\urlclassifier3.sqlite-journal not found!
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\blze73wy.default\XUL.mfl moved successfully.

Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

11/6/2008 8:38:43 PM
mbam-log-2008-11-06 (20-38-42).txt

Scan type: Quick Scan
Objects scanned: 50739
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
:thumbsup:
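
The ComboFix log above shows the three persistence tricks that made this infection keep coming back: a run of At*.job scheduled tasks (one per hour) all launching a random-named executable in system32, an AutoRun handler registered for drive D: in mountpoints2, and a startupreg entry whose path contains characters ComboFix could not print (the `?` in `s?mbols\r?ndll.exe`). The script below is an added triage example written for this page, not part of the thread and not ComboFix or OTMoveIt3 code. It parses log text in the shape posted above and flags those patterns so a helper does not have to read 48 task entries by hand. The sample log is constructed from the posted entries plus one invented benign task (Backup.job) as a control; the "random-looking name" heuristic (a name that switches between letters and digits three or more times) is an assumption of this example, tuned to the names in this thread.

```python
import re
from collections import Counter

# Constructed sample in the shape of the posted ComboFix log. The task, AutoRun
# and startupreg entries are copied from it; Backup.job is an invented benign control.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cgw]
c:\program files\s?mbols\r?ndll.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\At10.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-06 c:\windows\Tasks\At11.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-06 c:\windows\Tasks\At12.job
- c:\windows\system32\6l6g4F86.exe []

2008-11-05 c:\windows\Tasks\At25.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\At26.job
- c:\windows\system32\LaO2eMA1.exe []

2008-11-05 c:\windows\Tasks\Backup.job
- c:\program files\Backup\backup.exe []
"""

TASK_HEADER = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\.job)\s*$", re.IGNORECASE)
TASK_TARGET = re.compile(r"^-\s+(?P<target>.+?)\s*\[[^\]]*\]\s*$")
AUTORUN_CMD = re.compile(r"\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+?)\s*$", re.IGNORECASE)
STARTUP_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)


def letter_digit_transitions(stem):
    """Number of switches between a run of letters and a run of digits.
    Human-chosen names (kbd, hphupd05, backup) switch at most once or twice;
    the generated names in this log (6l6g4F86, LaO2eMA1) switch three or more times."""
    classes = ["d" if ch.isdigit() else "a" for ch in stem if ch.isalnum()]
    return sum(1 for left, right in zip(classes, classes[1:]) if left != right)


def looks_generated(path):
    """Heuristic (an assumption of this example): the file name reads like a random token."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(stem) >= 6 and letter_digit_transitions(stem) >= 3


def triage_combofix_log(text):
    """Return (kind, detail) findings for the persistence patterns seen in this thread."""
    findings, tasks = [], {}
    current_job = current_startup = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = TASK_HEADER.match(line)
        if m:
            current_job = m.group("job").rsplit("\\", 1)[-1]
            continue
        m = TASK_TARGET.match(line)
        if m and current_job:
            tasks[current_job] = m.group("target")
            current_job = None
            continue
        m = AUTORUN_CMD.search(line)
        if m:
            findings.append(("autorun", "drive-letter AutoRun handler runs " + m.group("cmd")))
            continue
        m = STARTUP_KEY.match(line)
        if m:
            current_startup = m.group("name")
            continue
        if current_startup and line:
            # ComboFix prints '?' for characters it cannot render; a '?' inside the path
            # itself (not the trailing [?] size field) deserves a manual look.
            if "?" in line.split(" [")[0]:
                findings.append(("unprintable-path", f"{current_startup}: {line}"))
            current_startup = None
    for job, target in sorted(tasks.items()):
        if looks_generated(target):
            findings.append(("generated-name", f"{job} -> {target}"))
    at_series = Counter(t for j, t in tasks.items() if AT_JOB.match(j))
    for target, n in at_series.items():
        if n >= 2:
            findings.append(("at-job-series", f"{n} At*.job tasks run {target}"))
    return findings


def count_by_kind(findings):
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in triage_combofix_log(SAMPLE_LOG):
        print(f"{kind:17} {detail}")
```

Run against the full log from the thread, the script reports the 48 At*.job entries as two series (one per random-named executable), the D: AutoRun handler, and the Cgw entry, which is exactly the set the helper has OTMoveIt3 remove in the next post. The heuristic is deliberately narrow; a vendor-named binary with a trailing version number (hphupd05) is not flagged.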

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 November 2008 - 05:40 AM

Just a little more and you should be good to go.

Copy this into OTMoveIt3 just like before.

:reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cgw]



Assuming everything is running well, let's finish up.

It's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt3.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Reenable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would an antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
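
The six Custom Level changes in the post above each correspond to a numeric "action" value stored under the Internet zone key in the registry, so the same hardening can be audited from a `reg export` instead of clicking through the dialog on every machine. The script below is an added example for this page, not part of the thread and not something Buckeye_Sam or the tools he names provide. The action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) follow Microsoft's documentation of the `Internet Settings\Zones` key for Internet Explorer of that era; treat them as an assumption to verify against your own IE version. The sample export is constructed to show both compliant and weak settings and is not taken from the poster's machine.

```python
import re

# Action IDs for the six Custom Level settings named in the post, with the
# recommended value from the post. IDs and meanings follow Microsoft's
# documentation of the Zones registry key (assumption: verify on your IE version).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
MEANING = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed sample of a `reg export` of the Internet zone key; values chosen to
# show a mix of compliant and weak settings, not taken from any real machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000001
"1607"=dword:00000000
"""

DWORD_LINE = re.compile(r'^"(?P<name>\d{4})"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_zone_export(text, key=ZONE_KEY):
    """Collect the numeric action values stored directly under `key` in a .reg export."""
    values, inside = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            inside = line[1:-1].lower() == key.lower()
            continue
        if not inside:
            continue
        m = DWORD_LINE.match(line)
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_zone(values):
    """List each recommended action that is absent, unknown, or looser than recommended.
    A stricter setting than the post asks for (Disable where Prompt is recommended)
    is accepted; only values that allow more than recommended are reported."""
    deviations = []
    for action, (label, wanted) in RECOMMENDED.items():
        current = values.get(action)
        if current is None or current not in MEANING or current < wanted:
            have = "not present" if current is None else MEANING.get(current, str(current))
            deviations.append((action, label, have, MEANING[wanted]))
    return deviations


def render_fix(deviations):
    """Produce a .reg fragment that sets the deviating actions to the recommended value."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for action, _label, _have, _wanted in deviations:
        lines.append(f'"{action}"=dword:{RECOMMENDED[action][1]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    devs = audit_zone(parse_zone_export(SAMPLE_EXPORT))
    for action, label, have, wanted in devs:
        print(f"{action} {label}: {have} -> should be {wanted}")
    print(render_fix(devs))
```

The audit only ever tightens settings: a value that is already stricter than the post recommends is left alone, and the generated .reg fragment touches nothing but the deviating actions, so it can be reviewed before import.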


========================================================

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 November 2008 - 06:51 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================
