PSW.DELF.2AQ [CLOSED], need to get rid of this
teebau
post Oct 6 2008, 11:19 AM
Post #1


Member
Posts: 10
OS: windows xp



I need some help getting rid of this if possible. I am a novice computer guy. It looks like the files that are being infected are:

C:/windows/system32/comre.dll
Rorschach112
post Oct 6 2008, 12:07 PM
Post #2


GeekU Teacher
Posts: 19,788
From: Dublin
OS: XP



Read the Sticky Threads and post the required logs
teebau
post Oct 6 2008, 12:32 PM
Post #3


Member
Posts: 10
OS: windows xp



Not to sound stupid, but... what are sticky threads? Thanks.
Rorschach112
post Oct 6 2008, 12:38 PM
Post #4


GeekU Teacher
Posts: 19,788
From: Dublin
OS: XP



They are threads that you must read before posting at forums. Read and do the steps here

http://www.geekstogo.com/forum/Must-Read-B...-Log-t2852.html

Then post the logs from it
teebau
post Oct 6 2008, 03:23 PM
Post #5


Member
Posts: 10
OS: windows xp



I am trying to run Sys Restore. I have downloaded it and unzipped it... I click on it to run and an error message pops up:
.NET Framework Initialization Error:
to run this application you must first install one of the following versions of .NET Framework V2.0.50727 Contact your publisher for instructions about obtaining appropriate version of .NET Framework
Rorschach112
post Oct 6 2008, 04:11 PM
Post #6


GeekU Teacher
Posts: 19,788
From: Dublin
OS: XP



Go onto the other steps
teebau
post Oct 7 2008, 10:35 AM
Post #7


Member
Posts: 10
OS: windows xp



Here is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:41 PM, on 10/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\WINDOWS\System32\umonit.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.dell4me.com/mywaybiz
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AEF0344E-98FD-42EF-9ADF-A9C91DBFBB39} - C:\WINDOWS\system32\comre.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129663773234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139946607135
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8331 bytes
Rorschach112
post Oct 7 2008, 10:55 AM
Post #8


GeekU Teacher
Posts: 19,788
From: Dublin
OS: XP



Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.




teebau
post Oct 8 2008, 01:50 PM
Post #9


Member
Posts: 10
OS: windows xp



Here is the combofix log:

ComboFix 08-10-08.01 - Tim 2008-10-08 15:40:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.216 [GMT -4:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tim\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.

2008-10-07 12:30 . 2008-10-07 12:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-07 11:58 . 2008-10-07 11:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-07 11:58 . 2008-10-07 11:58 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Malwarebytes
2008-10-07 11:58 . 2008-10-07 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-07 11:58 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-07 11:58 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-07 11:57 . 2008-10-07 11:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-10-07 11:53 . 2008-10-07 11:53 <DIR> d-------- C:\Program Files\ERUNT
2008-09-22 11:49 . 2008-09-29 12:20 <DIR> d-------- C:\Documents and Settings\Tim\Contacts
2008-09-22 11:47 . 2008-09-22 11:47 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-09-22 11:43 . 2008-09-22 11:46 <DIR> d-------- C:\Program Files\Windows Live
2008-09-22 11:43 . 2008-09-22 11:45 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-22 11:43 . 2008-09-22 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-11 09:27 . 2008-09-11 09:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-09-11 09:27 . 2008-09-11 09:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-09-11 09:27 . 2008-09-11 09:27 <DIR> d-------- C:\WINDOWS\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 14:38 --------- d-----w C:\Program Files\Image-Line
2008-10-06 14:36 --------- d-----w C:\Program Files\VstPlugins
2008-10-06 13:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-06 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-03 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-09-25 19:20 --------- d-----w C:\Program Files\Corel
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2005-09-26 14:58 2,855,552 ----a-w C:\Program Files\PPView97.exe
2005-09-22 16:00 381,480 ----a-w C:\Program Files\msgr7us.exe
2005-07-14 20:07 513,648 ----a-w C:\Program Files\msgr6suite.exe
2005-03-30 15:35 7,493 ----a-w C:\Program Files\ClipArt.mpf
2005-03-24 18:20 3,095,680 ----a-w C:\Program Files\ypsr_setup_cnetf_ppd.exe
2005-03-02 19:40 2,636,408 ----a-w C:\Program Files\aawsepersonal.exe
2005-03-02 19:22 7,698,552 ----a-w C:\Program Files\prevxhomedownload.exe
2005-03-02 19:13 10,156,943 ----a-w C:\Program Files\avg70free_289a392.exe
2005-01-25 15:26 534,104 ----a-w C:\Program Files\psa2011_ytb01_DLM_enu_full.exe
2004-11-08 16:43 3,597,968 ----a-w C:\Program Files\aimUK55.exe
2004-09-02 18:50 4,342,088 ----a-w C:\Program Files\Acro-Reader_6.0.2_Update.exe
2004-09-01 20:31 9,143,000 ----a-w C:\Program Files\AdbeRdr60_enu.exe
2005-05-04 12:23 56 --sh--r C:\WINDOWS\SYSTEM32\F3865C8B08.sys
2005-06-10 14:48 1,682 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-06_ 9.59.48.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\erdnt\10-7-2008\ERDNT.EXE
+ 2008-10-07 15:54:52 7,061,504 ----a-w C:\WINDOWS\erdnt\10-7-2008\Users\00000001\NTUSER.DAT
+ 2008-10-07 15:54:52 159,744 ----a-w C:\WINDOWS\erdnt\10-7-2008\Users\00000002\UsrClass.dat
- 2007-08-20 21:37:34 1,469,312 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
+ 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEF0344E-98FD-42EF-9ADF-A9C91DBFBB39}]
2004-08-04 03:56 84992 --a------ C:\WINDOWS\system32\comre.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 118784]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-11 26112]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"UMonit"="C:\WINDOWS\System32\umonit.exe" [2003-04-21 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-02 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-23 219136]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FlexiSIGN-PRO 7.0v2\\Program\\App.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\FlexiSIGN-PRO 7.0v2\\Program\\App2.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-10-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2004-08-14 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\System32\OOBE\OOBEBALN.EXE [2008-04-13 20:12]

2008-10-08 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\cec26yg6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://broadband.zoomtown.com/index.php
FF -: plugin - C:\PROGRA~1\Yahoo!\common\npyaxmpb.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 15:43:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = C:\WINDOWS\System32\umonit.exe?mi_01?USB\Vid_413c&Pid_5107&M????8???D?USB\ROOT_H??????\?pj?????? ???????8???????l??????wpj???????????b@????????w???????????w???????wP??w??@????w????????@???????????????????????????x????????????H?w?:?w???????w???w??????????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\xkkyxkdo]
"ImagePath"="system32\drivers\hrvmfynu.dat"
.
Completion time: 2008-10-08 15:46:57
ComboFix-quarantined-files.txt 2008-10-08 19:46:32
ComboFix2.txt 2008-10-06 14:01:00

Pre-Run: 54,277,689,344 bytes free
Post-Run: 54,252,236,800 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

169 --- E O F --- 2008-10-08 05:54:24
teebau
post Oct 8 2008, 01:53 PM
Post #10


Member
Posts: 10
OS: windows xp



New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:15 PM, on 10/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\WINDOWS\System32\umonit.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.dell4me.com/mywaybiz
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AEF0344E-98FD-42EF-9ADF-A9C91DBFBB39} - C:\WINDOWS\system32\comre.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129663773234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139946607135
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8153 bytes
Rorschach112
post Oct 8 2008, 05:11 PM
Post #11


GeekU Teacher
Posts: 19,788
From: Dublin
OS: XP



Hello

Open notepad and copy/paste the text in the quotebox below into it:
CODE
http://www.geekstogo.com/forum/PSW-DELF-2AQ-t213869.html

Collect::
C:\WINDOWS\system32\comre.dll
C:\WINDOWS\system32\hrvmfynu.dat

KillAll::

Sysrst::

Driver::
xkkyxkdo


Suspect::

Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
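An added triage example, not part of this thread and not the helper's or ComboFix's own code: it applies the same reasoning used above to a few constructed lines modelled on the posted logs (an O2 BHO with "(no name)" but a real file in system32, O2 entries with "(no file)", an O23 service with "Unknown owner", and the ComboFix service stanza whose ImagePath points at a .dat rather than a .sys), and it emits the Collect:: and Driver:: sections in the format of the CFScript in the previous post. SYSTEM_ROOT is an assumption (the XP default C:\WINDOWS) used to resolve the relative ImagePath, the severity labels are my own, and the sample lines are constructed; the output is a starting point for a human review of the log, not a replacement for it.

```python
import re
from typing import List, Tuple

# Assumption: XP default system root, used to resolve relative ImagePath values.
SYSTEM_ROOT = r"C:\WINDOWS"

# Constructed sample lines modelled on the HijackThis log posted above.
HJT_SAMPLE = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {AEF0344E-98FD-42EF-9ADF-A9C91DBFBB39} - C:\WINDOWS\system32\comre.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

# Constructed sample modelled on the service stanza at the end of the ComboFix log.
COMBOFIX_SAMPLE = r"""[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\xkkyxkdo]
"ImagePath"="system32\drivers\hrvmfynu.dat"
"""

# (severity, kind, artifact). kind is "collect" (file to submit and remove),
# "driver" (service to unload), "review" (needs a human look) or "orphan".
Finding = Tuple[str, str, str]

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\(?P<svc>[^\]]+)\]$", re.I)
IMG_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]*)"$')


def resolve_image_path(path: str) -> str:
    """Registry ImagePath values are often relative to the system root; make them absolute."""
    if ":" in path:
        return path
    return SYSTEM_ROOT + "\\" + path.lstrip("\\")


def triage_hijackthis(log: str) -> List[Finding]:
    """Flag BHOs that load a file but carry no name, orphaned BHO CLSIDs, and services with no publisher."""
    findings: List[Finding] = []
    for line in log.splitlines():
        m = BHO_RE.match(line)
        if m:
            name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
            if path == "(no file)":
                findings.append(("low", "orphan", clsid))      # leftover registration, nothing loads
            elif name == "(no name)":
                findings.append(("high", "collect", path))     # unnamed code injected into every IE process
            continue
        m = SVC_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(("medium", "review", m.group("path")))
    return findings


def triage_combofix_services(log: str) -> List[Finding]:
    """Flag service entries whose image is not a .sys or .exe, e.g. a driver loaded from a .dat file."""
    findings: List[Finding] = []
    current = None
    for line in log.splitlines():
        k = KEY_RE.match(line)
        if k:
            current = k.group("svc")
            continue
        i = IMG_RE.match(line)
        if i and current and not re.search(r"\.(sys|exe)$", i.group("path"), re.I):
            findings.append(("high", "driver", current))
            findings.append(("high", "collect", resolve_image_path(i.group("path"))))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Emit Collect:: and Driver:: sections in the layout of the CFScript posted above."""
    collect = [a for _, k, a in findings if k == "collect"]
    drivers = [a for _, k, a in findings if k == "driver"]
    return "\n".join(["Collect::", *collect, "", "Driver::", *drivers, ""])


if __name__ == "__main__":
    found = triage_hijackthis(HJT_SAMPLE) + triage_combofix_services(COMBOFIX_SAMPLE)
    for sev, kind, artifact in found:
        print(f"[{sev:6}] {kind:8} {artifact}")
    print()
    print(build_cfscript(found))
```

The "review" items (a service with no publisher string) are deliberately kept out of the generated script: a missing company name is a reason to look the file up, not to delete it, and in this thread that entry belongs to Dell's support tool.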
teebau
post Oct 9 2008, 08:57 AM
Post #12


Member
Posts: 10
OS: windows xp



New ComboFix log:


ComboFix 08-10-08.05 - Tim 2008-10-09 10:38:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.244 [GMT -4:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tim\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XKKYXKDO
-------\Service_xkkyxkdo


((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-07 12:30 . 2008-10-07 12:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-07 11:58 . 2008-10-07 11:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-07 11:58 . 2008-10-07 11:58 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Malwarebytes
2008-10-07 11:58 . 2008-10-07 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-07 11:58 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-07 11:58 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-07 11:57 . 2008-10-07 11:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-10-07 11:53 . 2008-10-07 11:53 <DIR> d-------- C:\Program Files\ERUNT
2008-09-22 11:49 . 2008-09-29 12:20 <DIR> d-------- C:\Documents and Settings\Tim\Contacts
2008-09-22 11:47 . 2008-09-22 11:47 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2008-09-22 11:43 . 2008-09-22 11:46 <DIR> d-------- C:\Program Files\Windows Live
2008-09-22 11:43 . 2008-09-22 11:45 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-22 11:43 . 2008-09-22 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-11 09:27 . 2008-09-11 09:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-09-11 09:27 . 2008-09-11 09:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-09-11 09:27 . 2008-09-11 09:27 <DIR> d-------- C:\WINDOWS\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 14:38 --------- d-----w C:\Program Files\Image-Line
2008-10-06 14:36 --------- d-----w C:\Program Files\VstPlugins
2008-10-06 13:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-06 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-03 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-09-25 19:20 --------- d-----w C:\Program Files\Corel
2005-09-26 14:58 2,855,552 ----a-w C:\Program Files\PPView97.exe
2005-09-22 16:00 381,480 ----a-w C:\Program Files\msgr7us.exe
2005-07-14 20:07 513,648 ----a-w C:\Program Files\msgr6suite.exe
2005-03-30 15:35 7,493 ----a-w C:\Program Files\ClipArt.mpf
2005-03-24 18:20 3,095,680 ----a-w C:\Program Files\ypsr_setup_cnetf_ppd.exe
2005-03-02 19:40 2,636,408 ----a-w C:\Program Files\aawsepersonal.exe
2005-03-02 19:22 7,698,552 ----a-w C:\Program Files\prevxhomedownload.exe
2005-03-02 19:13 10,156,943 ----a-w C:\Program Files\avg70free_289a392.exe
2005-01-25 15:26 534,104 ----a-w C:\Program Files\psa2011_ytb01_DLM_enu_full.exe
2004-11-08 16:43 3,597,968 ----a-w C:\Program Files\aimUK55.exe
2004-09-02 18:50 4,342,088 ----a-w C:\Program Files\Acro-Reader_6.0.2_Update.exe
2004-09-01 20:31 9,143,000 ----a-w C:\Program Files\AdbeRdr60_enu.exe
2005-05-04 12:23 56 --sh--r C:\WINDOWS\SYSTEM32\F3865C8B08.sys
2005-06-10 14:48 1,682 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-06_ 9.59.48.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\erdnt\10-7-2008\ERDNT.EXE
+ 2008-10-07 15:54:52 7,061,504 ----a-w C:\WINDOWS\erdnt\10-7-2008\Users\00000001\NTUSER.DAT
+ 2008-10-07 15:54:52 159,744 ----a-w C:\WINDOWS\erdnt\10-7-2008\Users\00000002\UsrClass.dat
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-08-20 21:37:34 1,469,312 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
+ 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cfx1\Assoc.cmd
2000-08-31 08:00 3241 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022645.cmd

C:\cfx1\Boot.bat
2000-08-31 08:00 7040 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022646.bat

C:\cfx1\C.bat
2008-10-06 21:18 584612 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022647.bat

C:\cfx1\chcp.bat
2008-10-06 09:50 15 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022648.bat

2000-08-31 08:00 1024 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022649.sys

C:\cfx1\Combobatch.bat
2000-08-31 08:00 6650 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022640.bat

C:\cfx1\ComboFix-Download.exe
2000-08-31 08:00 61440 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022650.exe

C:\cfx1\comspec.bat
2008-10-06 09:50 151 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022651.bat

C:\cfx1\CregC.cmd
2000-08-31 08:00 3197 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022652.cmd

C:\cfx1\DelClsid.bat
2000-08-31 08:00 1763 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022653.bat

C:\cfx1\Exe.reg
2000-08-31 08:00 7109 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022654.reg

C:\cfx1\FIND3M.bat
2000-08-31 08:00 99381 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022655.bat

C:\cfx1\FIXLSP.bat
2000-08-31 08:00 3849 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022656.bat

C:\cfx1\FProps.vbs
2000-08-31 08:00 15388 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022657.vbs

C:\cfx1\hidec.exe
2005-08-16 01:54 1536 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022658.exe

C:\cfx1\history.bat
2000-08-31 08:00 2117 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022659.bat

C:\cfx1\Lang.bat
2000-08-31 08:00 119822 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022660.bat

C:\cfx1\LFN.vbs
2000-08-31 08:00 349 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022661.vbs

C:\cfx1\List-C.bat
2000-08-31 08:00 235990 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022639.bat

C:\cfx1\lnkread.vbs
2000-08-31 08:00 1528 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022662.vbs

C:\cfx1\LocalDrive.vbs
2000-08-31 08:00 805 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022663.vbs

C:\cfx1\MoveIt.bat
2000-08-31 08:00 3278 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022664.bat

C:\cfx1\ND_.bat
2000-08-31 08:00 2978 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022665.bat

C:\cfx1\nircmd.com
2000-08-31 08:00 28672 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022666.com

C:\cfx1\OSid.vbs
2000-08-31 08:00 657 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022667.vbs

C:\cfx1\Qoo.bat
2000-08-31 08:00 3535 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022668.bat

C:\cfx1\restore_pt.vbs
2000-08-31 08:00 232 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022637.vbs

C:\cfx1\RestoreO4.bat
2000-08-31 08:00 1681 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022669.bat

C:\cfx1\SafeBootRepair.bat
2000-08-31 08:00 15317 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022670.bat

C:\cfx1\SetEnvmt.bat
2000-08-31 08:00 11918 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022671.bat

C:\cfx1\sfx.cmd
2008-10-06 09:50 14 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022672.cmd

C:\cfx1\SvcDrv.vbs
2000-08-31 08:00 1128 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022673.vbs

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C7C338E6-D1DD-456D-B90E-BA3875BF167D}\mpengine.dll
2008-09-23 20:33 3834960 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP336\A0023654.dll

2008-09-23 20:33 3834960 C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2008-08-26 02:20 3434576 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP336\A0023653.dll

2007-02-02 15:57 110592 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\ComponentLauncher.exe
2007-02-02 15:57 110592 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0023596.exe
2007-02-02 15:57 110592 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP338\A0024777.exe

2007-02-02 15:59 2457600 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\Photoshop Album Starter Edition.exe
2007-02-02 15:59 2457600 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0023595.exe
2007-02-02 15:59 2457600 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP338\A0024776.exe

C:\WINDOWS\_000000_.tmp.dll
2008-03-20 18:06 9452 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0023612.dll

C:\WINDOWS\_000001_.tmp.dll
2008-03-20 18:06 9452 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0023619.dll

C:\WINDOWS\SYSTEM32\dlh9jkdq8.exe
2006-05-12 13:54 16 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP333\A0022638.exe

C:\WINDOWS\SYSTEM32\DRIVERS\cmIvtcu.sys
2008-10-07 12:10 61440 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP334\A0023604.sys

2008-03-20 18:06 1480232 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
2007-08-20 17:37 1469312 {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP335\A0023620.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEF0344E-98FD-42EF-9ADF-A9C91DBFBB39}]
2004-08-04 03:56 84992 --a------ C:\WINDOWS\system32\comre.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 118784]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-08-11 26112]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"UMonit"="C:\WINDOWS\System32\umonit.exe" [2003-04-21 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-10-02 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-23 219136]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-08-11 36953]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2004-08-14 233472]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2005-03-03 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FlexiSIGN-PRO 7.0v2\\Program\\App.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\FlexiSIGN-PRO 7.0v2\\Program\\App2.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\