Ultimate cleaner, Zedo, proNomgr, system32, trojan.qhost.abh [RESOLVED]

#1
ztastorm

  • Member
  • 86 posts
Hi,
Please help. It took me so long to download AVG and run all of the anti-spyware programs before posting these logs, because these relentless pop-up ads are taking over my computer!!! Any help would be appreciated!!

AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:58:12 PM 1/30/2008

+ Scan result:



C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0020228.exe -> Adware.CommAd : Cleaned.
C:\WINDOWS\Downloaded Program Files\vzbb.dll -> Adware.MegaSearch : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M1C147Q5\tk58[1].exe -> Adware.ZQuest : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0020232.exe -> Adware.ZQuest : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0020242.exe -> Adware.ZQuest : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021251.exe -> Adware.ZQuest : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021261.exe -> Adware.ZQuest : Cleaned.
C:\WINDOWS\tk58.exe -> Adware.ZQuest : Cleaned.
C:\sysvxfc.exe -> Downloader.Agent.dmx : Cleaned.
C:\WINDOWS\b151.exe -> Downloader.Agent.fjn : Cleaned.
C:\sysbmqr.exe -> Downloader.Agent.ftu : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021271.exe -> Downloader.Small.buy : Cleaned.
C:\Program Files\Windows Media Player\zyqokuhde.html -> Hijacker.IFrame.dn : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2LUZ6FQ1\83122[1].exe -> Hijacker.Small.jf : Cleaned.
C:\Program Files\Windows Media Player\vihivynu.dll -> Hijacker.StartPage : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021265.dll -> Hijacker.StartPage : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021266.dll -> Hijacker.StartPage : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021267.dll -> Hijacker.StartPage : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021268.dll -> Hijacker.StartPage : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021473.dll -> Hijacker.StartPage : Cleaned.
C:\Program Files\ISM\BndDrive3.dll -> Not-A-Virus.Adware.AdBand : Cleaned.
C:\Program Files\ISM\BndDrive6.dll -> Not-A-Virus.Adware.AdBand : Cleaned.
C:\Program Files\ISM\ism.exe -> Not-A-Virus.Adware.Agent : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GZYX27KP\TTC-4444[1].exe -> Not-A-Virus.Adware.TTC : Cleaned.
C:\Program Files\ComPlus Applications\ryvyci4444.dll -> Not-A-Virus.Adware.TTC : Cleaned.
C:\Program Files\ComPlus Applications\ryvyci83122.dll -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0020231.exe -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0020234.dll -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0020241.exe -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0020244.dll -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021250.exe -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021253.dll -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021260.exe -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021522.dll -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022259.exe -> Not-A-Virus.Adware.TTC : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022261.dll -> Not-A-Virus.Adware.TTC : Cleaned.
C:\WINDOWS\TTC-4444.exe -> Not-A-Virus.Adware.TTC : Cleaned.
C:\WINDOWS\system32\knis6\enamd83122.exe -> Not-A-Virus.Adware.TTC : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\removalfile.bat -> Not-A-Virus.Adware.Virtumonde : Cleaned.
C:\Program Files\ISM\bndloader.exe -> Not-A-Virus.Downloader.Win32.Agent.q : Cleaned.
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0020229.vbs -> Trojan.Small : Cleaned.
C:\WINDOWS\uninstall_nmon.vbs -> Trojan.Small : Cleaned.


::Report end

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:18 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O21 - SSODL: KbdVolume - {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll
O21 - SSODL: zip - {153b0fc1-810b-4ac5-849b-9e41c95c0f25} - C:\WINDOWS\Installer\{153b0fc1-810b-4ac5-849b-9e41c95c0f25}\zip.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: (Network Monitor) - Unknown owner - C:\WINDOWS\.exe (file missing)
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\zyqokuhde.html

--
End of file - 4653 bytes
thanks,
alisha
#2
kahdah

  • GeekU Teacher
  • Retired Staff
  • 15,822 posts
Hello ztastorm

Welcome to G2Go. :)
=======================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#3
ztastorm

  • Topic Starter
  • Member
  • 86 posts
Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-02 17:03:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-02-02 22:03:57 UTC - RP261 - Deckard's System Scanner Restore Point
3: 2008-02-02 04:45:18 UTC - RP260 - System Checkpoint
2: 2008-02-01 01:22:11 UTC - RP259 - System Checkpoint
1: 2008-01-30 23:39:36 UTC - RP258 - before it broke


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:38 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Owner\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {071FA964-BB02-4D2C-8791-F80A4DC13291} - C:\Program Files\ComPlus Applications\ryvyci83122.dll (file missing)
O2 - BHO: (no name) - {0C8589E7-48EE-46E7-8F85-937EB7B981C9} - C:\WINDOWS\system32\mljgf.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Verizon\Verizon Internet Security Suite\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - (no file)
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\byxvtro.dll
O2 - BHO: 0 - {9C5600F1-200C-44D7-DB96-0314F277B157} - C:\Program Files\Windows Media Player\vihivynu.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\omcxsbxm.dll
O2 - BHO: H - {B61C6CA3-77BF-4299-AB70-5019FCD4AF09} - park31.dll (file missing)
O2 - BHO: (no name) - {C160AC8D-E7E5-405A-85C3-87DB015D8238} - C:\Program Files\ComPlus Applications\ryvyci4444.dll (file missing)
O2 - BHO: {8455f430-cde1-690b-3254-5f178f551aae} - {eaa155f8-71f5-4523-b096-1edc034f5548} - C:\WINDOWS\system32\gbmalprl.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [00501034] rundll32.exe "C:\WINDOWS\system32\sbjetysq.dll",b
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O20 - Winlogon Notify: byxvtro - C:\WINDOWS\SYSTEM32\byxvtro.dll
O20 - Winlogon Notify: omcxsbxm - C:\WINDOWS\SYSTEM32\omcxsbxm.dll
O21 - SSODL: KbdVolume - {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll
O21 - SSODL: zip - {a802e95b-1663-4fa0-85d3-87a9dfdb2041} - C:\WINDOWS\Installer\{a802e95b-1663-4fa0-85d3-87a9dfdb2041}\zip.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: (Network Monitor) - Unknown owner - C:\WINDOWS\.exe (file missing)
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\zyqokuhde.html

--
End of file - 6950 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 RMCastt - c:\windows\system32\drivers\rmcastt.sys

S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel® iQVW32.SYS>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RP_FWS (Verizon Internet Security Suite Firewall) - c:\program files\verizon\verizon internet security suite\fws.exe <Not Verified; Radialpoint Inc.; Radialpoint Security Services 5.3.4>

S2 Network Monitor -
S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)
S3 clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe (file missing)
S3 NetSvc (Intel NCS NetService) - c:\program files\intel\ncs\sync\netsvc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&29817089&0&10F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200014F1&REV_00\4&29817089&0&10F0
Service:

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_2010107B&REV_02\3&267A616A&0&FD
Manufacturer: Realtek
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_2010107B&REV_02\3&267A616A&0&FD
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-02-02 17:00:00 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-02-02 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-02-02 15:00:00 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-02-02 07:00:00 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-02-02 06:00:00 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-02-02 05:00:00 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-02-02 04:00:00 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-02-02 03:00:00 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-02-02 02:00:00 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-02-02 01:00:00 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-02-02 00:00:00 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-02-01 23:00:09 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-02-01 22:00:04 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-02-01 21:00:00 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-02-01 20:00:00 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-02-01 19:00:00 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-02-01 18:00:00 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-02-01 14:00:00 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-02-01 13:00:00 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-02-01 12:00:02 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-02-01 11:00:00 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-02-01 10:00:00 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-02-01 09:00:00 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-02-01 08:00:00 350 --a------ C:\WINDOWS\Tasks\At9.job


-- Files created between 2008-01-02 and 2008-02-02 -----------------------------

2008-02-02 17:06:24 0 d-------- C:\Program Files\Trend Micro
2008-02-02 15:47:47 106 --a------ C:\temp.bat
2008-02-02 15:32:24 11776 --a------ C:\Program Files\smss.exe <Not Verified; Search2find LLC; Search2find>
2008-02-01 20:56:50 92224 --a------ C:\WINDOWS\system32\sbjetysq.dll
2008-02-01 20:56:42 92736 --a------ C:\WINDOWS\system32\gbmalprl.dll
2008-02-01 15:48:02 0 d-------- C:\WINDOWS\Prefetch
2008-02-01 11:12:03 0 d-------- C:\Program Files\Ultimate Defender
2008-02-01 11:07:05 0 d-------- C:\Program Files\Ultimate Cleaner
2008-02-01 11:01:43 10240 --a------ C:\Program Files\spoolsv.exe <Not Verified; NoName Corp.; NNC module>
2008-01-31 21:03:19 90688 --a------ C:\WINDOWS\system32\qrlogshq.dll
2008-01-31 21:00:20 94784 --a------ C:\WINDOWS\system32\ecgwnony.dll
2008-01-31 20:57:22 163904 --a------ C:\WINDOWS\system32\omcxsbxm.dll
2008-01-31 20:57:19 163904 --a------ C:\WINDOWS\system32\htmlbjef.dll
2008-01-31 16:27:59 9728 --a------ C:\WINDOWS\shell.exe
2008-01-31 16:27:58 9728 --a------ C:\WINDOWS\system32\spoolvs.exe
2008-01-31 16:27:58 9728 --a------ C:\WINDOWS\system32\printer.exe
2008-01-31 16:27:47 9728 --a------ C:\Documents and Settings\Owner\Application Data\printer.exe
2008-01-30 20:59:05 87616 --a------ C:\WINDOWS\system32\gfcplfmc.dll
2008-01-30 20:56:07 163904 --a------ C:\WINDOWS\system32\blbwjfev.dll
2008-01-30 20:56:05 163904 --a------ C:\WINDOWS\system32\wwlocmoh.dll
2008-01-30 19:09:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-01-30 19:07:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-30 06:35:59 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-01-30 06:35:53 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-01-30 06:34:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-01-29 23:21:19 394088 --ahs---- C:\WINDOWS\system32\fgjlm.ini2
2008-01-29 23:21:03 332288 --a------ C:\WINDOWS\system32\mljgf.dll
2008-01-29 23:20:11 38400 --a------ C:\WINDOWS\system32\ssqpnkj.dll
2008-01-29 23:19:20 0 d-------- C:\Program Files\Dot1XCfg
2008-01-29 23:19:19 0 d-------- C:\Program Files\Temporary
2008-01-29 23:16:35 38400 --a------ C:\WINDOWS\system32\efcyyww.dll
2008-01-29 23:16:09 0 d-------- C:\Program Files\?ymantec
2008-01-29 23:15:48 0 d-------- C:\Documents and Settings\NetworkService\Application Data\NetMon
2008-01-29 23:15:43 0 d-------- C:\Program Files\Network Monitor
2008-01-29 23:15:38 86016 --a------ C:\WINDOWS\system32\drivers\RMCastt.sys
2008-01-29 23:15:31 0 d-------- C:\WINDOWS\system32\wts1
2008-01-29 23:15:31 0 d-------- C:\WINDOWS\system32\vip4
2008-01-29 23:15:31 0 d-------- C:\WINDOWS\system32\knis6
2008-01-29 23:15:19 0 d-------- C:\WINDOWS\system32\nGpxx01
2008-01-29 23:15:19 38400 --a------ C:\WINDOWS\system32\byxvtro.dll
2008-01-22 17:11:28 0 d-------- C:\Documents and Settings\All Users\Application Data\ThumbnailCache4R
2008-01-21 07:52:50 0 d-------- C:\Program Files\Coupons
2008-01-20 11:40:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Lexmark Productivity Studio
2008-01-20 11:39:32 0 d-------- C:\Documents and Settings\All Users\Lx_cats
2008-01-16 10:05:39 0 d-------- C:\Documents and Settings\Owner\Application Data\5300 Series
2008-01-16 09:34:45 0 d-------- C:\Program Files\Java
2008-01-16 09:33:49 0 d-------- C:\Program Files\Common Files\Java
2008-01-15 19:24:46 0 d-------- C:\logs
2008-01-15 19:22:29 45056 --a------ C:\WINDOWS\system32\LXDKPMON.DLL
2008-01-15 19:22:29 32768 --a------ C:\WINDOWS\system32\LXDKFXPU.DLL
2008-01-15 19:22:09 69632 --a------ C:\WINDOWS\system32\lxdkoem.dll
2008-01-15 19:22:09 98345 --a------ C:\WINDOWS\system32\IMHOST32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-01-15 19:22:09 339968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL <Not Verified; Data Techniques, Inc.; ImageMan Image Processing Toolkit>
2008-01-15 19:21:55 0 d-------- C:\Documents and Settings\All Users\Application Data\5300 Series
2008-01-15 19:12:47 348160 --a------ C:\WINDOWS\system32\lxdkinst.dll
2008-01-15 19:11:56 0 d-------- C:\Program Files\Lexmark 5300 Series
2008-01-13 12:38:58 0 d-------- C:\Program Files\QdrDrive
2008-01-11 23:55:04 9292 --a------ C:\WINDOWS\system32\000070.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-30 17:13:13 0 d-------- C:\Program Files\Intel
2008-01-30 17:04:35 0 d-------- C:\Program Files\Verizon
2008-01-30 07:03:59 0 d-------- C:\Program Files\Google
2008-01-30 07:00:43 0 d-------- C:\Program Files\Common Files
2008-01-30 07:00:37 0 d-------- C:\Program Files\?ymantec
2008-01-19 02:33:23 0 d-------- C:\Program Files\Common Files\Command Software
2008-01-18 17:32:51 0 d-------- C:\Program Files\Common Files\PestPatrol
2008-01-15 17:12:11 0 d-------- C:\Documents and Settings\Owner\Application Data\CowboysScreenServer
2008-01-15 17:11:37 0 d-------- C:\Program Files\AIM
2008-01-15 17:11:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Aim
2008-01-15 17:10:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-15 17:09:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Games
2007-12-27 21:42:00 0 d-------- C:\Program Files\Disney
2007-12-23 21:41:31 0 d-------- C:\Documents and Settings\Owner\Application Data\Help
2007-12-22 00:54:36 286288 --a------ C:\WINDOWS\system32\000080.exe
2007-12-13 19:00:27 0 d-------- C:\Program Files\Yahoo!
2007-12-09 23:20:46 0 d-------- C:\Program Files\AOD


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{071FA964-BB02-4D2C-8791-F80A4DC13291}]
C:\Program Files\ComPlus Applications\ryvyci83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C8589E7-48EE-46E7-8F85-937EB7B981C9}]
01/29/2008 11:21 PM 332288 --a------ C:\WINDOWS\system32\mljgf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F9E2BE3-766D-4831-BB0E-766D5B819995}]
12/14/2007 09:26 PM 192512 --a------ C:\Program Files\QdrDrive\QdrDrive9.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
01/29/2008 11:15 PM 38400 --a------ C:\WINDOWS\system32\byxvtro.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C5600F1-200C-44D7-DB96-0314F277B157}]
C:\Program Files\Windows Media Player\vihivynu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
01/31/2008 08:57 PM 163904 --a------ C:\WINDOWS\system32\omcxsbxm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B61C6CA3-77BF-4299-AB70-5019FCD4AF09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C160AC8D-E7E5-405A-85C3-87DB015D8238}]
C:\Program Files\ComPlus Applications\ryvyci4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eaa155f8-71f5-4523-b096-1edc034f5548}]
02/01/2008 08:56 PM 92736 --a------ C:\WINDOWS\system32\gbmalprl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Printer"="C:\WINDOWS\system32\printer.exe" [06/02/2005 04:36 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]
"00501034"="C:\WINDOWS\system32\sbjetysq.dll" [02/01/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spoolsv"="C:\WINDOWS\system32\spoolvs.exe" [06/02/2005 09:14 PM]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
findfast.exe [6/2/2005 9:14:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autorun.exe [6/2/2005 9:22:00 PM]
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [5/10/2007 5:21:16 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows Media Player\zyqokuhde.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"= C:\WINDOWS\system32\byxvtro.dll [01/29/2008 11:15 PM 38400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KbdVolume"= {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll [01/30/2008 05:47 PM 12838]
"zip"= {a802e95b-1663-4fa0-85d3-87a9dfdb2041} - C:\WINDOWS\Installer\{a802e95b-1663-4fa0-85d3-87a9dfdb2041}\zip.dll [01/31/2008 04:20 PM 38950]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvtro]
byxvtro.dll 01/29/2008 11:15 PM 38400 C:\WINDOWS\system32\byxvtro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\omcxsbxm]
omcxsbxm.dll 01/31/2008 08:57 PM 163904 C:\WINDOWS\system32\omcxsbxm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgf

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00501034]
rundll32.exe "C:\WINDOWS\system32\gfcplfmc.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CowboysScreenServer]
"C:\Program Files\CowboysScreenServer\CowboysScreenServer.exe" -tb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5300 Series Fax Server]
"C:\Program Files\Lexmark 5300 Series\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkamon]
"C:\Program Files\Lexmark 5300 Series\lxdkamon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkmon.exe]
"C:\Program Files\Lexmark 5300 Series\lxdkmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
"C:\Program Files\QdrModule\QdrModule11.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]
"C:\Program Files\QdrModule\QdrModule12.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
"C:\Program Files\QdrPack\QdrPack12.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]
"C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe




-- End of Deckard's System Scanner: finished at 2008-02-02 17:08:00 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.66GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 246.73 MiB / 75.51 MiB
Pagefile Memory (total/avail): 723.59 MiB / 448.52 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.35 MiB

C: is Fixed (NTFS) - 57.26 GiB total, 48.47 GiB free.
D: is CDROM (CDFS)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
J: is Removable (FAT)

\\.\PHYSICALDRIVE0 - HDS722580VLAT20 - 57.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 57.26 GiB - C:

\\.\PHYSICALDRIVE5 - USB Flash Memory USB Device - 972.69 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 978.98 MiB - J:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Verizon Internet Security Suite Firewall v5.3.4 (Verizon)
AV: Verizon Internet Security Suite Anti-Virus v5.3.4 (Verizon) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"="C:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe:*:Enabled:Printer Device Monitor"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe:*:Enabled:Printer Status Window Interface"
"C:\\WINDOWS\\system32\\lxdkcoms.exe"="C:\\WINDOWS\\system32\\lxdkcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"="C:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 5300 Series\\FRun.exe"="C:\\Program Files\\Lexmark 5300 Series\\FRun.exe:*:Enabled:Lexmark Productivity Studio"
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"="C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe:*:Enabled:ABBYY FineReader"
"C:\\Program Files\\Lexmark 5300 Series\\lxdkfax.exe"="C:\\Program Files\\Lexmark 5300 Series\\lxdkfax.exe:*:Enabled:Fax software"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe:*:Enabled:Lexmark Connect Time Executable"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe:*:Enabled:Job Status Window Interface"
"C:\\Documents and Settings\\Owner\\Application Data\\printer.exe"="C:\\Documents and Settings\\Owner\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SINON
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\SINON
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=SINON
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Disney Flix 3.0 --> MsiExec.exe /I{A0D14CE3-52F4-415C-9454-C8991722A723}
Dot1XCfg --> "C:\Program Files\Dot1XCfg\Dot1XCfg.exe" -uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet --> MsiExec.exe /I{EF4EF65F-4D62-44D7-82C9-1AECCBA74C50}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Lexmark 5300 Series --> C:\Program Files\Lexmark 5300 Series\Install\x86\Uninst.exe
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Media Video 9 VCM --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmv9vcm.inf, Uninstall
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\unins000.exe"
SanDisk TransferMate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{601C6E14-DF1E-4113-A8C8-F9DB90CB0D88}\Setup.exe" -l0x9
Verizon Broadband Toolbar --> C:\Program Files\VZBB Toolbar\Uninstall.exe
Verizon Internet Security Suite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{73EA3762-43D0-4B56-9DC8-0E373D0FE12B}
Verizon Online DSL --> C:\Program Files\Common Files\SupportSoft\Verizon\vzuninstall.exe /starthidden
Verizon Online Help and Support --> C:\PROGRA~1\Verizon\UNWISE.EXE C:\PROGRA~1\Verizon\INSTALL.LOG
Verizon Servicepoint 1.3.21 --> "C:\Program Files\Verizon\Servicepoint\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
WinWay Resume Deluxe --> MsiExec.exe /x{39203477-F4E4-4E90-8472-116B2908B746}
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\WINDOWS\cache\YINSTH~1.DLL


-- Application Event Log -------------------------------------------------------

Event Record #/Type5071 / Error
Event Submitted/Written: 02/02/2008 05:02:34 PM
Event ID/Source: 0 / .NET Runtime
Event Description:
Shim database version C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 doesn't have a matching runtime directory

Event Record #/Type5070 / Error
Event Submitted/Written: 02/02/2008 04:59:09 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126637809.

Event Record #/Type5069 / Error
Event Submitted/Written: 02/02/2008 04:59:06 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type5068 / Error
Event Submitted/Written: 02/02/2008 04:48:24 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126637809.

Event Record #/Type5067 / Error
Event Submitted/Written: 02/02/2008 04:48:12 PM / 02/02/2008 04:48:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14531 / Error
Event Submitted/Written: 02/02/2008 05:02:58 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.

Event Record #/Type14530 / Error
Event Submitted/Written: 02/02/2008 05:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At18.job command failed to start due to the following error:
%%2147942402

Event Record #/Type14528 / Warning
Event Submitted/Written: 02/02/2008 04:47:24 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type14521 / Error
Event Submitted/Written: 02/02/2008 04:16:33 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type14520 / Error
Event Submitted/Written: 02/02/2008 04:16:10 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The dvpapi service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-02-02 17:08:00 ------------

Please help! 40+ IE windows popping up at once?! I'm about to throw this computer out the window....

#4
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\byxvtro.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\sbjetysq.dll
C:\WINDOWS\SYSTEM32\omcxsbxm.dll
C:\Program Files\Windows Media Player\zyqokuhde.html
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At9.job
C:\Program Files\smss.exe
C:\WINDOWS\system32\gbmalprl.dll
C:\Program Files\spoolsv.exe
C:\WINDOWS\system32\qrlogshq.dll
C:\WINDOWS\system32\ecgwnony.dll
C:\WINDOWS\system32\htmlbjef.dll
C:\Documents and Settings\Owner\Application Data\printer.exe
C:\WINDOWS\system32\gfcplfmc.dll
C:\WINDOWS\system32\blbwjfev.dll
C:\WINDOWS\system32\wwlocmoh.dll
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\ssqpnkj.dll
C:\WINDOWS\system32\efcyyww.dll
C:\WINDOWS\system32\byxvtro.dll
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\000080.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\pss\autorun.exe
C:\WINDOWS\pss\findfast.exe
C:\WINDOWS\system32\spoolvs.exe

Folders to delete:
C:\Program Files\QdrDrive
C:\Program Files\Ultimate Defender
C:\Program Files\Ultimate Cleaner
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Dot1XCfg
C:\Program Files\Temporary
C:\Program Files\Network Monitor
C:\WINDOWS\system32\wts1
C:\WINDOWS\system32\vip4
C:\WINDOWS\system32\knis6
C:\WINDOWS\system32\nGpxx01
C:\Program Files\Coupons
C:\Program Files\QdrModule

Drivers to unload:
"Network Monitor"
"RMCastt"


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
===========================
Next:

Please download ComboFix from Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

#5
ztastorm
    Member
  • Topic Starter
  • Member
  • 86 posts
Avenger Log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rprbwfvv

*******************

Script file located at: \??\C:\Documents and Settings\xgpdrkgk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\shell.exe not found!
Deletion of file C:\WINDOWS\shell.exe failed!

Could not process line:
C:\WINDOWS\shell.exe
Status: 0xc0000034



File C:\WINDOWS\system32\mljgf.dll not found!
Deletion of file C:\WINDOWS\system32\mljgf.dll failed!

Could not process line:
C:\WINDOWS\system32\mljgf.dll
Status: 0xc0000034



File C:\WINDOWS\system32\byxvtro.dll not found!
Deletion of file C:\WINDOWS\system32\byxvtro.dll failed!

Could not process line:
C:\WINDOWS\system32\byxvtro.dll
Status: 0xc0000034



File C:\WINDOWS\system32\printer.exe not found!
Deletion of file C:\WINDOWS\system32\printer.exe failed!

Could not process line:
C:\WINDOWS\system32\printer.exe
Status: 0xc0000034



File C:\WINDOWS\system32\sbjetysq.dll not found!
Deletion of file C:\WINDOWS\system32\sbjetysq.dll failed!

Could not process line:
C:\WINDOWS\system32\sbjetysq.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\omcxsbxm.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\omcxsbxm.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\omcxsbxm.dll
Status: 0xc0000034



File C:\Program Files\Windows Media Player\zyqokuhde.html not found!
Deletion of file C:\Program Files\Windows Media Player\zyqokuhde.html failed!

Could not process line:
C:\Program Files\Windows Media Player\zyqokuhde.html
Status: 0xc0000034

File C:\WINDOWS\Tasks\At18.job deleted successfully.
File C:\WINDOWS\Tasks\At17.job deleted successfully.
File C:\WINDOWS\Tasks\At16.job deleted successfully.
File C:\WINDOWS\Tasks\At8.job deleted successfully.
File C:\WINDOWS\Tasks\At7.job deleted successfully.
File C:\WINDOWS\Tasks\At6.job deleted successfully.
File C:\WINDOWS\Tasks\At5.job deleted successfully.
File C:\WINDOWS\Tasks\At4.job deleted successfully.
File C:\WINDOWS\Tasks\At3.job deleted successfully.
File C:\WINDOWS\Tasks\At2.job deleted successfully.
File C:\WINDOWS\Tasks\At1.job deleted successfully.
File C:\WINDOWS\Tasks\At24.job deleted successfully.
File C:\WINDOWS\Tasks\At23.job deleted successfully.
File C:\WINDOWS\Tasks\At22.job deleted successfully.
File C:\WINDOWS\Tasks\At21.job deleted successfully.
File C:\WINDOWS\Tasks\At20.job deleted successfully.
File C:\WINDOWS\Tasks\At19.job deleted successfully.
File C:\WINDOWS\Tasks\At15.job deleted successfully.
File C:\WINDOWS\Tasks\At14.job deleted successfully.
File C:\WINDOWS\Tasks\At13.job deleted successfully.
File C:\WINDOWS\Tasks\At12.job deleted successfully.
File C:\WINDOWS\Tasks\At11.job deleted successfully.
File C:\WINDOWS\Tasks\At10.job deleted successfully.
File C:\WINDOWS\Tasks\At9.job deleted successfully.


File C:\Program Files\smss.exe not found!
Deletion of file C:\Program Files\smss.exe failed!

Could not process line:
C:\Program Files\smss.exe
Status: 0xc0000034



File C:\WINDOWS\system32\gbmalprl.dll not found!
Deletion of file C:\WINDOWS\system32\gbmalprl.dll failed!

Could not process line:
C:\WINDOWS\system32\gbmalprl.dll
Status: 0xc0000034



File C:\Program Files\spoolsv.exe not found!
Deletion of file C:\Program Files\spoolsv.exe failed!

Could not process line:
C:\Program Files\spoolsv.exe
Status: 0xc0000034



File C:\WINDOWS\system32\qrlogshq.dll not found!
Deletion of file C:\WINDOWS\system32\qrlogshq.dll failed!

Could not process line:
C:\WINDOWS\system32\qrlogshq.dll
Status: 0xc0000034



File C:\WINDOWS\system32\ecgwnony.dll not found!
Deletion of file C:\WINDOWS\system32\ecgwnony.dll failed!

Could not process line:
C:\WINDOWS\system32\ecgwnony.dll
Status: 0xc0000034



File C:\WINDOWS\system32\htmlbjef.dll not found!
Deletion of file C:\WINDOWS\system32\htmlbjef.dll failed!

Could not process line:
C:\WINDOWS\system32\htmlbjef.dll
Status: 0xc0000034



File C:\Documents and Settings\Owner\Application Data\printer.exe not found!
Deletion of file C:\Documents and Settings\Owner\Application Data\printer.exe failed!

Could not process line:
C:\Documents and Settings\Owner\Application Data\printer.exe
Status: 0xc0000034



File C:\WINDOWS\system32\gfcplfmc.dll not found!
Deletion of file C:\WINDOWS\system32\gfcplfmc.dll failed!

Could not process line:
C:\WINDOWS\system32\gfcplfmc.dll
Status: 0xc0000034



File C:\WINDOWS\system32\blbwjfev.dll not found!
Deletion of file C:\WINDOWS\system32\blbwjfev.dll failed!

Could not process line:
C:\WINDOWS\system32\blbwjfev.dll
Status: 0xc0000034



File C:\WINDOWS\system32\wwlocmoh.dll not found!
Deletion of file C:\WINDOWS\system32\wwlocmoh.dll failed!

Could not process line:
C:\WINDOWS\system32\wwlocmoh.dll
Status: 0xc0000034



File C:\WINDOWS\system32\fgjlm.ini2 not found!
Deletion of file C:\WINDOWS\system32\fgjlm.ini2 failed!

Could not process line:
C:\WINDOWS\system32\fgjlm.ini2
Status: 0xc0000034



File C:\WINDOWS\system32\ssqpnkj.dll not found!
Deletion of file C:\WINDOWS\system32\ssqpnkj.dll failed!

Could not process line:
C:\WINDOWS\system32\ssqpnkj.dll
Status: 0xc0000034



File C:\WINDOWS\system32\efcyyww.dll not found!
Deletion of file C:\WINDOWS\system32\efcyyww.dll failed!

Could not process line:
C:\WINDOWS\system32\efcyyww.dll
Status: 0xc0000034



File C:\WINDOWS\system32\byxvtro.dll not found!
Deletion of file C:\WINDOWS\system32\byxvtro.dll failed!

Could not process line:
C:\WINDOWS\system32\byxvtro.dll
Status: 0xc0000034



File C:\WINDOWS\system32\000070.exe not found!
Deletion of file C:\WINDOWS\system32\000070.exe failed!

Could not process line:
C:\WINDOWS\system32\000070.exe
Status: 0xc0000034



File C:\WINDOWS\system32\000080.exe not found!
Deletion of file C:\WINDOWS\system32\000080.exe failed!

Could not process line:
C:\WINDOWS\system32\000080.exe
Status: 0xc0000034



File C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe not found!
Deletion of file C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe failed!

Could not process line:
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
Status: 0xc0000034



File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe not found!
Deletion of file C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe failed!

Could not process line:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
Status: 0xc0000034



Could not open file C:\WINDOWS\pss\autorun.exe for deletion
Deletion of file C:\WINDOWS\pss\autorun.exe failed!

Could not process line:
C:\WINDOWS\pss\autorun.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\pss\findfast.exe for deletion
Deletion of file C:\WINDOWS\pss\findfast.exe failed!

Could not process line:
C:\WINDOWS\pss\findfast.exe
Status: 0xc000003a



File C:\WINDOWS\system32\spoolvs.exe not found!
Deletion of file C:\WINDOWS\system32\spoolvs.exe failed!

Could not process line:
C:\WINDOWS\system32\spoolvs.exe
Status: 0xc0000034



Folder C:\Program Files\QdrDrive not found!
Deletion of folder C:\Program Files\QdrDrive failed!

Could not process line:
C:\Program Files\QdrDrive
Status: 0xc0000034



Folder C:\Program Files\Ultimate Defender not found!
Deletion of folder C:\Program Files\Ultimate Defender failed!

Could not process line:
C:\Program Files\Ultimate Defender
Status: 0xc0000034



Folder C:\Program Files\Ultimate Cleaner not found!
Deletion of folder C:\Program Files\Ultimate Cleaner failed!

Could not process line:
C:\Program Files\Ultimate Cleaner
Status: 0xc0000034



Folder C:\Documents and Settings\LocalService\Application Data\NetMon not found!
Deletion of folder C:\Documents and Settings\LocalService\Application Data\NetMon failed!

Could not process line:
C:\Documents and Settings\LocalService\Application Data\NetMon
Status: 0xc0000034

Folder C:\Program Files\Dot1XCfg deleted successfully.


Folder C:\Program Files\Temporary not found!
Deletion of folder C:\Program Files\Temporary failed!

Could not process line:
C:\Program Files\Temporary
Status: 0xc0000034



Folder C:\Program Files\Network Monitor not found!
Deletion of folder C:\Program Files\Network Monitor failed!

Could not process line:
C:\Program Files\Network Monitor
Status: 0xc0000034

Folder C:\WINDOWS\system32\wts1 deleted successfully.
Folder C:\WINDOWS\system32\vip4 deleted successfully.
Folder C:\WINDOWS\system32\knis6 deleted successfully.
Folder C:\WINDOWS\system32\nGpxx01 deleted successfully.
Folder C:\Program Files\Coupons deleted successfully.


Folder C:\Program Files\QdrModule not found!
Deletion of folder C:\Program Files\QdrModule failed!

Could not process line:
C:\Program Files\QdrModule
Status: 0xc0000034



Registry key \Registry\Machine\System\CurrentControlSet\Services\Network Monitor not found!
Unload of driver Network Monitor failed!

Could not process line:
Network Monitor
Status: 0xc0000034

Driver RMCastt unloaded successfully.

Completed script processing.

*******************

Finished! Terminate.


ComboFix Log:

ComboFix 08-02.03.1 - Owner 2008-02-02 19:03:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\M1C147Q5\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\byxvtro.dll
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\omcxsbxm.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\printer.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\ISM
C:\Program Files\ISM\archupd.exe
C:\Program Files\ISM\BndDrive7.dll
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ISMModule7.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\network monitor
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\spoolsv.exe
C:\Program Files\Temporary
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Program Files\Ultimate Defender
C:\Program Files\ymante~1
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\000070.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\blbwjfev.dll
C:\WINDOWS\system32\byxvtro.dll
C:\WINDOWS\system32\cmflpcfg.ini
C:\WINDOWS\system32\cookie.dat
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ecgwnony.dll
C:\WINDOWS\system32\efcyyww.dll
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\gbmalprl.dll
C:\WINDOWS\system32\gfcplfmc.dll
C:\WINDOWS\system32\help.txt
C:\WINDOWS\system32\htmlbjef.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\omcxsbxm.dll
C:\WINDOWS\system32\omcxsbxm.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\ps.dat
C:\WINDOWS\system32\qhsgolrq.ini
C:\WINDOWS\system32\qrlogshq.dll
C:\WINDOWS\system32\qsytejbs.ini
C:\WINDOWS\system32\sbjetysq.dll
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\ssqpnkj.dll
C:\WINDOWS\system32\wwlocmoh.dll
C:\WINDOWS\wr.txt

----- BITS: Possible infected sites -----

hxxp://80.93.59.108
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 19:11 . 2008-02-02 19:11 0 --a------ C:\backup.reg
2008-02-02 18:49 . 2008-02-02 18:49 126,976 --a------ C:\zip.exe
2008-02-02 18:49 . 2008-02-02 18:49 60,416 --a------ C:\WINDOWS\system32\drivers\ldtgfqmj.sys
2008-02-02 18:49 . 2008-02-02 18:49 19,814 --a------ C:\reboot.exe
2008-02-02 18:49 . 2008-02-02 18:49 1,080 --a------ C:\vbnymnoj.bat
2008-02-02 18:49 . 2008-02-02 18:49 357 --a------ C:\reboot.bat
2008-02-02 18:49 . 2008-02-02 18:49 204 --a------ C:\avexport.bat
2008-02-02 17:06 . 2008-02-02 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-02 17:03 . 2008-02-02 17:03 <DIR> d-------- C:\Deckard
2008-02-02 15:47 . 2008-02-02 15:47 106 --a------ C:\temp.bat
2008-02-01 11:12 . 2008-02-02 15:42 160,560 --a------ C:\Program Files\udefender_setup.exe
2008-01-30 19:09 . 2008-01-30 19:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-01-30 19:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-30 19:07 . 2008-01-30 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-29 23:19 . 2008-01-29 23:19 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-29 23:15 . 2008-01-29 23:15 <DIR> d-------- C:\WINDOWS\system32\wts1
2008-01-29 23:15 . 2008-01-30 17:21 <DIR> d-------- C:\WINDOWS\system32\vip4
2008-01-29 23:15 . 2008-01-31 16:57 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-29 23:15 . 2008-01-30 19:56 <DIR> d-------- C:\WINDOWS\system32\knis6
2008-01-29 23:15 . 2008-01-29 23:15 86,016 --a------ C:\WINDOWS\system32\drivers\RMCastt.sys
2008-01-22 17:11 . 2008-01-22 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ThumbnailCache4R
2008-01-21 07:52 . 2008-01-21 07:52 <DIR> d-------- C:\Program Files\Coupons
2008-01-21 07:52 . 2008-01-21 07:52 193,880 --a------ C:\WINDOWS\system32\cpnprt2.cid
2008-01-21 07:52 . 2008-01-21 07:52 193,880 -rah----- C:\WINDOWS\cpnprt2.cid
2008-01-20 11:40 . 2008-01-20 15:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lexmark Productivity Studio
2008-01-20 11:39 . 2008-01-30 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Lx_cats
2008-01-16 10:05 . 2008-01-20 11:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\5300 Series
2008-01-16 09:35 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 09:34 . 2008-01-16 09:35 <DIR> d-------- C:\Program Files\Java
2008-01-16 09:33 . 2008-01-16 09:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-15 19:24 . 2008-01-15 19:24 <DIR> d-------- C:\logs
2008-01-15 19:24 . 2007-05-03 10:50 348,160 --a------ C:\WINDOWS\system32\lxdkcoin.dll
2008-01-15 19:24 . 2006-07-31 20:53 40,960 --a------ C:\WINDOWS\system32\lxdkvs.dll
2008-01-15 19:23 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-01-15 19:23 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-01-15 19:23 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-15 19:23 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-15 19:21 . 2008-01-15 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\5300 Series
2008-01-15 19:19 . 2007-01-07 23:49 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-01-15 19:13 . 2007-01-21 23:53 60 --a------ C:\WINDOWS\system32\lxdkrwrd.ini
2008-01-15 19:11 . 2008-01-20 12:00 <DIR> d-------- C:\Program Files\Lexmark 5300 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 22:13 --------- d-----w C:\Program Files\Intel
2008-01-30 22:04 --------- d-----w C:\Program Files\Verizon
2008-01-30 12:03 --------- d-----w C:\Program Files\Google
2008-01-19 07:33 --------- d-----w C:\Program Files\Common Files\Command Software
2008-01-18 22:32 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-01-15 22:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\CowboysScreenServer
2008-01-15 22:11 --------- d-----w C:\Program Files\AIM
2008-01-15 22:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Aim
2008-01-15 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 22:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Games
2008-01-15 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Games
2007-12-28 02:42 --------- d-----w C:\Program Files\Disney
2007-12-14 00:00 --------- d-----w C:\Program Files\Yahoo!
2007-12-10 04:20 --------- d-----w C:\Program Files\AOD
2007-12-10 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{071FA964-BB02-4D2C-8791-F80A4DC13291}]
C:\Program Files\ComPlus Applications\ryvyci83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C5600F1-200C-44D7-DB96-0314F277B157}]
C:\Program Files\Windows Media Player\vihivynu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B61C6CA3-77BF-4299-AB70-5019FCD4AF09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C160AC8D-E7E5-405A-85C3-87DB015D8238}]
C:\Program Files\ComPlus Applications\ryvyci4444.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"nwidwlbg"="C:\vbnymnoj.bat" [2008-02-02 18:49 1080]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-05-10 17:21:16 114688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Windows Media Player\zyqokuhde.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KbdVolume"= {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll [2008-01-30 17:47 12838]
"zip"= {a802e95b-1663-4fa0-85d3-87a9dfdb2041} - C:\WINDOWS\Installer\{a802e95b-1663-4fa0-85d3-87a9dfdb2041}\zip.dll [2008-01-31 16:20 38950]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00501034]
C:\WINDOWS\system32\gfcplfmc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CowboysScreenServer]
C:\Program Files\CowboysScreenServer\CowboysScreenServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
--a------ 2008-01-29 23:19 61440 C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5300 Series Fax Server]
--a------ 2007-06-21 22:18 307888 C:\Program Files\Lexmark 5300 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkamon]
--a------ 2007-06-01 03:06 20480 C:\Program Files\Lexmark 5300 Series\lxdkamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkmon.exe]
--a------ 2007-06-21 22:17 455344 C:\Program Files\Lexmark 5300 Series\lxdkmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 10:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]
C:\Program Files\QdrModule\QdrModule12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
C:\Program Files\QdrPack\QdrPack12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]
--a------ 2006-10-20 12:46 237568 C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

R2 lxdk_device;lxdk_device;C:\WINDOWS\system32\lxdkcoms.exe [2007-06-14 03:15]
S2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe [2007-06-14 03:15]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-10-15 23:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-01 14:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-01 15:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-01 16:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-01 17:00:02 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-01 18:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-01 19:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 20:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 21:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 22:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 23:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-03 00:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 01:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 02:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 03:00:04 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 04:00:09 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 07:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 08:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 09:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 10:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 11:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 12:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-01 13:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\r61EnfSW.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 19:11:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-02-02 19:14:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 00:14:19


Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:10 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {071FA964-BB02-4D2C-8791-F80A4DC13291} - C:\Program Files\ComPlus Applications\ryvyci83122.dll (file missing)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Verizon\Verizon Internet Security Suite\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: 0 - {9C5600F1-200C-44D7-DB96-0314F277B157} - C:\Program Files\Windows Media Player\vihivynu.dll (file missing)
O2 - BHO: H - {B61C6CA3-77BF-4299-AB70-5019FCD4AF09} - park31.dll (file missing)
O2 - BHO: (no name) - {C160AC8D-E7E5-405A-85C3-87DB015D8238} - C:\Program Files\ComPlus Applications\ryvyci4444.dll (file missing)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O21 - SSODL: KbdVolume - {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll
O21 - SSODL: zip - {a802e95b-1663-4fa0-85d3-87a9dfdb2041} - C:\WINDOWS\Installer\{a802e95b-1663-4fa0-85d3-87a9dfdb2041}\zip.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\zyqokuhde.html

--
End of file - 5713 bytes
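The indicators the helper picks out of the logs above can be checked mechanically. The Python below is an added example written for this thread, not code from HijackThis, ComboFix or the poster. It flags HijackThis O2/O3 entries whose DLL is "(file missing)", every O15 Trusted Zone wildcard, O21 SSODL DLLs parked under C:\WINDOWS\Installer\{GUID}\, a SecurityProviders value with anything beyond the four Windows XP defaults, executables whose name is one edit away from a Windows binary (spoolvs.exe for spoolsv.exe) or a genuine name outside the Windows directory (C:\Program Files\spoolsv.exe in the deletions list), and At*.job tasks in ComboFix's Scheduled Tasks listing that all run the same binary. The sample lines are copied from the logs above, except one O4 line constructed from the msconfig\startupreg\Spoolsv entry; the list of imitated system binaries, the assumption that %SystemRoot% is C:\WINDOWS, and the threshold of three jobs are mine.

```python
import re
from collections import Counter

# Windows XP default SSP list, i.e. what the helper's CFScript restores.
XP_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
# Binaries malware imitates by name (my list); assumes %SystemRoot% is C:\WINDOWS.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

HJT_LINE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)', re.I)
INSTALLER_GUID = re.compile(r"\\WINDOWS\\Installer\\\{[0-9a-f-]{36}\}\\", re.I)
AT_JOB = re.compile(r'\\Tasks\\At\d+\.job"?$', re.I)

# Constructed sample: lines copied from the HijackThis log above, plus one O4
# line built from the msconfig\startupreg\Spoolsv entry in the ComboFix log.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: H - {B61C6CA3-77BF-4299-AB70-5019FCD4AF09} - park31.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O21 - SSODL: zip - {a802e95b-1663-4fa0-85d3-87a9dfdb2041} - C:\WINDOWS\Installer\{a802e95b-1663-4fa0-85d3-87a9dfdb2041}\zip.dll
""".strip().splitlines()
# Constructed sample: three of the 24 At*.job entries from ComboFix's listing above.
SAMPLE_TASKS = r"""
"2008-02-02 05:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-01 14:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\r61EnfSW.exe
"2008-02-02 06:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\r61EnfSW.exe
""".strip().splitlines()

def edit_distance(a, b):
    """Optimal string alignment distance (insert/delete/substitute/adjacent swap, cost 1 each)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # spoolvs <-> spoolsv
    return d[len(a)][len(b)]

def masquerade(path):
    """'lookalike:<real>' if the file name is one edit from a system binary,
    'misplaced:<name>' if a genuine system binary name sits outside C:\\WINDOWS, else None."""
    p = path.replace("/", "\\")
    name = p.rsplit("\\", 1)[-1].lower()
    directory = p[: len(p) - len(name)].lower()
    if name in SYSTEM_BINARIES:
        return None if directory.startswith(SYSTEM_DIRS) else "misplaced:" + name
    for real in sorted(SYSTEM_BINARIES):
        if edit_distance(name, real) == 1:
            return "lookalike:" + real
    return None

def rogue_security_providers(value):
    """DLLs in the SecurityProviders value beyond the XP defaults; LSASS loads each at boot."""
    dlls = {d.strip().lower() for d in value.split(",") if d.strip()}
    return sorted(dlls - XP_SECURITY_PROVIDERS)

def triage_hjt(lines):
    """(tag, line) pairs for the suspicious HijackThis entries described in the lead-in."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("O2", "O3") and body.endswith("(file missing)"):
            findings.append(("orphaned_bho", line))
        elif kind == "O15" and body.startswith("Trusted Zone:"):
            findings.append(("trusted_zone", line))
        elif kind == "O21" and INSTALLER_GUID.search(body):
            findings.append(("ssodl_installer_guid", line))
        for path in EXE_PATH.findall(body):  # masquerade check on any path in the line
            verdict = masquerade(path)
            if verdict:
                findings.append((verdict, line))
    return findings

def at_job_targets(combofix_lines, threshold=3):
    """Targets run by at least `threshold` At*.job tasks in ComboFix's Scheduled Tasks listing."""
    counts, pending = Counter(), False
    for raw in combofix_lines:
        line = raw.strip()
        if AT_JOB.search(line):
            pending = True            # next "- <path>" line names this job's target
        elif pending and line.startswith("- "):
            counts[line[2:].strip().lower()] += 1
            pending = False
        else:
            pending = False
    return {t: n for t, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_HJT):
        print(*finding)
    print(rogue_security_providers("msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll"))
    print(at_job_targets(SAMPLE_TASKS))
```

Point triage_hjt at the lines of a saved hijackthis.log and at_job_targets at the ComboFix text. Flagging every O15 line is deliberate: on a home machine the Trusted Zone list is normally empty, which is why the helper removes all twenty entries rather than sorting through them. The SecurityProviders check is the one worth keeping around, since a DLL added to that value is loaded by LSASS on every boot and survives most file-level cleanups.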

#6
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please re-open HijackThis and click on "Do a system scan only".
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {071FA964-BB02-4D2C-8791-F80A4DC13291} - C:\Program Files\ComPlus Applications\ryvyci83122.dll (file missing)
O2 - BHO: 0 - {9C5600F1-200C-44D7-DB96-0314F277B157} - C:\Program Files\Windows Media Player\vihivynu.dll (file missing)
O2 - BHO: H - {B61C6CA3-77BF-4299-AB70-5019FCD4AF09} - park31.dll (file missing)
O2 - BHO: (no name) - {C160AC8D-E7E5-405A-85C3-87DB015D8238} - C:\Program Files\ComPlus Applications\ryvyci4444.dll (file missing)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\zyqokuhde.html



Now click on Fix Checked and then close HijackThis.
=====================================
After that:
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drivers\ldtgfqmj.sys
C:\Program Files\udefender_setup.exe
C:\WINDOWS\system32\drivers\RMCastt.sys
C:\WINDOWS\system32\r61EnfSW.exe
C:\Program Files\Windows Media Player\zyqokuhde.html
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\pss\autorun.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
C:\WINDOWS\pss\findfast.exe
C:\WINDOWS\system32\gfcplfmc.dll
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At9.job
Folder::
C:\Avenger
C:\Deckard
C:\Program Files\Dot1XCfg
C:\WINDOWS\system32\wts1
C:\WINDOWS\system32\vip4
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\knis6
C:\Program Files\Coupons
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\QdrModule
C:\Program Files\QdrPack
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{071FA964-BB02-4D2C-8791-F80A4DC13291}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C5600F1-200C-44D7-DB96-0314F277B157}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B61C6CA3-77BF-4299-AB70-5019FCD4AF09}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C160AC8D-E7E5-405A-85C3-87DB015D8238}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwidwlbg"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00501034]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

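A CFScript like the one above is hand-typed, and its Registry:: section follows .reg-file conventions that ComboFix will not second-guess: [-key] deletes a key, "name"=- deletes a value, "name"="text" sets a string value. The Python below is an added example written for this thread, not ComboFix's own code: it splits a script into its File::, Folder:: and Registry:: sections, requires the path entries to be absolute Windows paths, and reports any Registry:: line that is neither a key nor a well-formed value, so that a slip such as "SecurityProviders"= "="msapsspc.dll, ... (a stray = "= before the data) is caught before the script runs rather than after a reboot. The sample script is a constructed excerpt of the one posted above with that slip included.

```python
import re

SECTION = re.compile(r"^(File|Folder|Registry)::\s*$")
KEY_LINE = re.compile(r"^\[(-?)HK[A-Z_]+\\.+\]$")
VALUE_LINE = re.compile(r'^"[^"]+"=(-|"[^"]*"|dword:[0-9a-fA-F]{8})$')
WIN_PATH = re.compile(r"^[A-Za-z]:\\.+$")

# Constructed excerpt of the CFScript posted above; the last line carries a
# stray '= "=' before its data, the slip this check exists to catch.
SAMPLE_SCRIPT = r'''
File::
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\Tasks\At1.job
Folder::
C:\Program Files\QdrModule
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{071FA964-BB02-4D2C-8791-F80A4DC13291}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwidwlbg"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"= "="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
'''

def parse_cfscript(text):
    """Split a CFScript into {section: [lines]}; text before the first
    header lands in '_preamble'. Blank lines are ignored."""
    sections, current = {}, "_preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections

def check_cfscript(text):
    """Return (section, line, problem) triples for lines that will not do what
    the author meant: File::/Folder:: entries must be absolute Windows paths;
    Registry:: lines must be [key], [-key], "name"=-, "name"="text" or
    "name"=dword:xxxxxxxx, and a value must follow a key that is not itself
    being deleted."""
    problems, sections = [], parse_cfscript(text)
    for line in sections.get("_preamble", []):
        problems.append(("_preamble", line, "text before the first section header"))
    for sec in ("File", "Folder"):
        for line in sections.get(sec, []):
            if not WIN_PATH.match(line):
                problems.append((sec, line, "not an absolute Windows path"))
    last_key = None
    for line in sections.get("Registry", []):
        if KEY_LINE.match(line):
            last_key = line
        elif VALUE_LINE.match(line):
            if last_key is None:
                problems.append(("Registry", line, "value line before any [key] line"))
            elif last_key.startswith("[-"):
                problems.append(("Registry", line, "value under a key that is being deleted"))
        else:
            problems.append(("Registry", line, "malformed key or value line"))
    return problems

if __name__ == "__main__":
    for sec, line, why in check_cfscript(SAMPLE_SCRIPT):
        print(f"{sec}: {why}: {line}")
```

Run it over CFScript.txt before dragging the file onto ComboFix; an empty result means every line is at least syntactically what ComboFix expects, which is a separate question from whether each entry should be deleted at all.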

#7
ztastorm
    Member
  • Topic Starter
  • Member
  • 86 posts
COMBOFIX LOG:

ComboFix 08-02.03.1 - Owner 2008-02-02 20:38:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe
C:\Program Files\udefender_setup.exe
C:\Program Files\Windows Media Player\zyqokuhde.html
C:\WINDOWS\pss\autorun.exe
C:\WINDOWS\pss\findfast.exe
C:\WINDOWS\system32\drivers\ldtgfqmj.sys
C:\WINDOWS\system32\drivers\RMCastt.sys
C:\WINDOWS\system32\gfcplfmc.dll
C:\WINDOWS\system32\r61EnfSW.exe
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Avenger
C:\Avenger\backup.zip
C:\Deckard
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\udefender_setup.exe
C:\WINDOWS\system32\drivers\RMCastt.sys

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 17:06 . 2008-02-02 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-02 15:47 . 2008-02-02 15:47 106 --a------ C:\temp.bat
2008-01-30 19:09 . 2008-01-30 19:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-01-30 19:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-30 19:07 . 2008-01-30 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-22 17:11 . 2008-01-22 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ThumbnailCache4R
2008-01-21 07:52 . 2008-01-21 07:52 193,880 --a------ C:\WINDOWS\system32\cpnprt2.cid
2008-01-21 07:52 . 2008-01-21 07:52 193,880 -rah----- C:\WINDOWS\cpnprt2.cid
2008-01-20 11:40 . 2008-01-20 15:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lexmark Productivity Studio
2008-01-20 11:39 . 2008-01-30 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Lx_cats
2008-01-16 10:05 . 2008-01-20 11:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\5300 Series
2008-01-16 09:35 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 09:34 . 2008-01-16 09:35 <DIR> d-------- C:\Program Files\Java
2008-01-16 09:33 . 2008-01-16 09:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-15 19:24 . 2008-01-15 19:24 <DIR> d-------- C:\logs
2008-01-15 19:24 . 2007-05-03 10:50 348,160 --a------ C:\WINDOWS\system32\lxdkcoin.dll
2008-01-15 19:24 . 2006-07-31 20:53 40,960 --a------ C:\WINDOWS\system32\lxdkvs.dll
2008-01-15 19:23 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-01-15 19:23 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-01-15 19:23 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-15 19:23 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-15 19:21 . 2008-01-15 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\5300 Series
2008-01-15 19:19 . 2007-01-07 23:49 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-01-15 19:13 . 2007-01-21 23:53 60 --a------ C:\WINDOWS\system32\lxdkrwrd.ini
2008-01-15 19:11 . 2008-01-20 12:00 <DIR> d-------- C:\Program Files\Lexmark 5300 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 22:13 --------- d-----w C:\Program Files\Intel
2008-01-30 22:04 --------- d-----w C:\Program Files\Verizon
2008-01-30 12:03 --------- d-----w C:\Program Files\Google
2008-01-19 07:33 --------- d-----w C:\Program Files\Common Files\Command Software
2008-01-18 22:32 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-01-15 22:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\CowboysScreenServer
2008-01-15 22:11 --------- d-----w C:\Program Files\AIM
2008-01-15 22:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Aim
2008-01-15 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 22:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Games
2008-01-15 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Games
2007-12-28 02:42 --------- d-----w C:\Program Files\Disney
2007-12-14 00:00 --------- d-----w C:\Program Files\Yahoo!
2007-12-10 04:20 --------- d-----w C:\Program Files\AOD
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-05-10 17:21:16 114688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KbdVolume"= {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll [2008-01-30 17:47 12838]
"zip"= {a802e95b-1663-4fa0-85d3-87a9dfdb2041} - C:\WINDOWS\Installer\{a802e95b-1663-4fa0-85d3-87a9dfdb2041}\zip.dll [2008-01-31 16:20 38950]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CowboysScreenServer]
C:\Program Files\CowboysScreenServer\CowboysScreenServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5300 Series Fax Server]
--a------ 2007-06-21 22:18 307888 C:\Program Files\Lexmark 5300 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkamon]
--a------ 2007-06-01 03:06 20480 C:\Program Files\Lexmark 5300 Series\lxdkamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkmon.exe]
--a------ 2007-06-21 22:17 455344 C:\Program Files\Lexmark 5300 Series\lxdkmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 10:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]
--a------ 2006-10-20 12:46 237568 C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

R2 lxdk_device;lxdk_device;C:\WINDOWS\system32\lxdkcoms.exe [2007-06-14 03:15]
S2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe [2007-06-14 03:15]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-10-15 23:11]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 20:47:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 20:48:23
ComboFix-quarantined-files.txt 2008-02-03 01:48:14
ComboFix2.txt 2008-02-03 00:14:58


HIJACK THIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:47 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Verizon\Verizon Internet Security Suite\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: KbdVolume - {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll
O21 - SSODL: zip - {a802e95b-1663-4fa0-85d3-87a9dfdb2041} - C:\WINDOWS\Installer\{a802e95b-1663-4fa0-85d3-87a9dfdb2041}\zip.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe

--
End of file - 4169 bytes

#8
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan": select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9
ztastorm
    Member
  • Topic Starter
  • 86 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 03, 2008 3:29:45 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 546149
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
J:\

Scan Statistics:
Total number of scanned objects: 37560
Number of viruses found: 19
Number of infected objects: 121
Number of suspicious objects: 0
Duration of the scan process: 01:01:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\logs\FirewallService02-02-2008--19-23-30.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\avenger\backup.zip.vir/avenger/Dot1XCfg/Dot1XCfg.exe Infected: Trojan-Downloader.Win32.Adload.pr skipped
C:\QooBox\Quarantine\C\avenger\backup.zip.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\16syn.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\32server.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\lookmon.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\poweragent.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\serverhost.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\serverlook.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\servermon.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\snapsnet.exe.vir/data0006 Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\snapsnet.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\syn16.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\sys64.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\syssv.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\winpower.exe.vir Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\yazzsnet.exe.vir/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\yazzsnet.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir Infected: Trojan.Win32.Qhost.aes skipped
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Application Data\printer.exe.vir Infected: Trojan.Win32.Qhost.aes skipped
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe.vir Infected: Trojan.Win32.Qhost.aes skipped
C:\QooBox\Quarantine\C\Program Files\ISM\archupd.exe.vir/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\QooBox\Quarantine\C\Program Files\ISM\archupd.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\QooBox\Quarantine\C\Program Files\ISM\archupd.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\ISM\ISMModule7.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\QooBox\Quarantine\C\Program Files\spoolsv.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\QooBox\Quarantine\C\Program Files\ucleaner_setup.exe.vir Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped
C:\QooBox\Quarantine\C\Program Files\udefender_setup.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\QooBox\Quarantine\C\WINDOWS\shell.exe.vir Infected: Trojan.Win32.Qhost.aes skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000070.exe.vir Infected: Trojan-Downloader.Win32.Small.hqc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\blbwjfev.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\RMCastt.sys.vir Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\efcyyww.dll.vir Infected: Trojan.Win32.BHO.auf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\htmlbjef.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\omcxsbxm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\printer.exe.vir Infected: Trojan.Win32.Qhost.aes skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolvs.exe.vir Infected: Trojan.Win32.Qhost.aes skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqpnkj.dll.vir Infected: Trojan.Win32.BHO.auf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wwlocmoh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\QooBox\Quarantine\catchme2008-02-02_191129.98.zip/byxvtro.dll Infected: Trojan.Win32.BHO.auf skipped
C:\QooBox\Quarantine\catchme2008-02-02_191129.98.zip/mljgf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped
C:\QooBox\Quarantine\catchme2008-02-02_191129.98.zip/omcxsbxm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\QooBox\Quarantine\catchme2008-02-02_191129.98.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021262.exe Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021263.exe Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021264.exe Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021269.exe Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\Fifoed\A0021270.exe Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022290.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022300.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022317.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022320.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP259\A0022593.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP259\A0023298.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP259\A0023301.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023315.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023316.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023317.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023318.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023320.exe Infected: Trojan.Win32.Agent.edq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023321.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023333.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023334.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023336.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023337.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023340.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023341.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023342.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023343.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023344.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023346.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP261\A0023348.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP261\A0023349.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP261\A0023350.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP261\A0023351.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023369.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023369.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023369.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023371.exe Infected: not-a-virus:AdWare.Win32.Agent.qi skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023375.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023376.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023377.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023379.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023380.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023381.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023382.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023383.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023386.exe Infected: Trojan-Downloader.Win32.Small.hqc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023387.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023387.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023387.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023388.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023390.dll Infected: Trojan.Win32.BHO.auf skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023393.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023396.dll Infected: Trojan.Win32.BHO.auf skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023397.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023407.dll Infected: Trojan.Win32.BHO.auf skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023408.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023409.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023413.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023482.exe Infected: Trojan-Downloader.Win32.Adload.pr skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023505.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023507.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023513.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023517.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023519.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023520.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023521.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023523.exe/data0006 Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023523.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023527.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023528.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023529.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023532.exe Infected: Trojan-Clicker.Win32.Small.pq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023535.exe/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023535.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023649.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023650.sys Infected: Rootkit.Win32.Agent.to skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll Infected: Trojan.Win32.Agent.eld skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll"


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

#11 ztastorm (Topic Starter, Member, 86 posts)
Combofix:

ComboFix 08-02.03.1 - Owner 2008-02-03 9:43:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.65 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFSCRIPT.lnk
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Program Files\Ultimate Defender

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 08:27 . 2008-02-03 08:27 160,560 --a------ C:\Program Files\udefender_setup.exe
2008-02-03 08:16 . 2008-02-03 08:16 10,240 --a------ C:\Program Files\tmp46395875.exe
2008-02-02 21:13 . 2008-02-02 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-02 21:12 . 2008-02-02 21:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-02 21:12 . 2008-02-02 21:12 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-02 17:06 . 2008-02-02 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-30 19:09 . 2008-01-30 19:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-01-30 19:08 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-30 19:07 . 2008-01-30 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-22 17:11 . 2008-01-22 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ThumbnailCache4R
2008-01-21 07:52 . 2008-01-21 07:52 193,880 --a------ C:\WINDOWS\system32\cpnprt2.cid
2008-01-21 07:52 . 2008-01-21 07:52 193,880 -rah----- C:\WINDOWS\cpnprt2.cid
2008-01-20 11:40 . 2008-01-20 15:14 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lexmark Productivity Studio
2008-01-20 11:39 . 2008-01-30 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Lx_cats
2008-01-16 10:05 . 2008-01-20 11:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\5300 Series
2008-01-16 09:35 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 09:34 . 2008-01-16 09:35 <DIR> d-------- C:\Program Files\Java
2008-01-16 09:33 . 2008-01-16 09:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-15 19:24 . 2008-01-15 19:24 <DIR> d-------- C:\logs
2008-01-15 19:24 . 2007-05-03 10:50 348,160 --a------ C:\WINDOWS\system32\lxdkcoin.dll
2008-01-15 19:24 . 2006-07-31 20:53 40,960 --a------ C:\WINDOWS\system32\lxdkvs.dll
2008-01-15 19:23 . 2001-08-17 22:36 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2008-01-15 19:23 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-01-15 19:23 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-15 19:23 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-15 19:21 . 2008-01-15 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\5300 Series
2008-01-15 19:19 . 2007-01-07 23:49 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-01-15 19:13 . 2007-01-21 23:53 60 --a------ C:\WINDOWS\system32\lxdkrwrd.ini
2008-01-15 19:11 . 2008-01-20 12:00 <DIR> d-------- C:\Program Files\Lexmark 5300 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 22:13 --------- d-----w C:\Program Files\Intel
2008-01-30 22:04 --------- d-----w C:\Program Files\Verizon
2008-01-30 12:03 --------- d-----w C:\Program Files\Google
2008-01-19 07:33 --------- d-----w C:\Program Files\Common Files\Command Software
2008-01-18 22:32 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-01-15 22:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\CowboysScreenServer
2008-01-15 22:11 --------- d-----w C:\Program Files\AIM
2008-01-15 22:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Aim
2008-01-15 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 22:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Games
2008-01-15 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Games
2007-12-28 02:42 --------- d-----w C:\Program Files\Disney
2007-12-14 00:00 --------- d-----w C:\Program Files\Yahoo!
2007-12-10 04:20 --------- d-----w C:\Program Files\AOD
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor.lnk - C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe [2007-05-10 17:21:16 114688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KbdVolume"= {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll [2008-01-30 17:47 12838]
"zip"= {88b75b04-eb80-454e-996d-bec86992f57f} - C:\WINDOWS\Installer\{88b75b04-eb80-454e-996d-bec86992f57f}\zip.dll [2008-02-03 08:18 39462]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CowboysScreenServer]
C:\Program Files\CowboysScreenServer\CowboysScreenServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5300 Series Fax Server]
--a------ 2007-06-21 22:18 307888 C:\Program Files\Lexmark 5300 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkamon]
--a------ 2007-06-01 03:06 20480 C:\Program Files\Lexmark 5300 Series\lxdkamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdkmon.exe]
--a------ 2007-06-21 22:17 455344 C:\Program Files\Lexmark 5300 Series\lxdkmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 10:06 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon Internet Security Suite]
--a------ 2006-10-20 12:46 237568 C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
C:\Program Files\Verizon\McciTrayApp.exe

R2 lxdk_device;lxdk_device;C:\WINDOWS\system32\lxdkcoms.exe [2007-06-14 03:15]
S2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe [2007-06-14 03:15]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-10-15 23:11]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 09:45:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 9:46:32
ComboFix-quarantined-files.txt 2008-02-03 14:46:23
ComboFix2.txt 2008-02-03 01:48:24
ComboFix3.txt 2008-02-03 00:14:58




HIJack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:31 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\monhost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Verizon\Verizon Internet Security Suite\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O21 - SSODL: KbdVolume - {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll
O21 - SSODL: zip - {88b75b04-eb80-454e-996d-bec86992f57f} - C:\WINDOWS\Installer\{88b75b04-eb80-454e-996d-bec86992f57f}\zip.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe

--
End of file - 4409 bytes

#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please re-open HijackThis and place a check mark next to this entry below:

O21 - SSODL: KbdVolume - {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll

Then click on Fix Checked and then close Hijackthis.
==================================
Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KbdVolume"=-
Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
=================================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\udefender_setup.exe
    C:\Program Files\tmp46395875.exe
    C:\WINDOWS\system32\cpnprt2.cid
    C:\WINDOWS\cpnprt2.cid
    C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
Post back with a new Hijackthis and the OTMove it log.
Also let me know how things are running.
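The CFScript in post #10 and the fixthis.reg above both go after the same two autostart locations: the ShellServiceObjectDelayLoad (SSODL) key, which explorer.exe loads at logon, and the SecurityProviders value, which lsass.exe loads at boot. The script below is an audit for those two locations, added here as an example; it is not code from this thread, from ComboFix, from HijackThis or from OTMoveIt2. It assumes PowerShell 3.0 or later and takes the Windows XP default SecurityProviders list (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) as the baseline; the registry paths are the ones the ComboFix log shows. Run it from an elevated prompt on the affected machine:

```powershell
# Added example, not code from the thread: audit the two autostart locations
# that the CFScript and fixthis.reg above clean up. Run elevated.

# ASSUMPTION: Windows XP default SSP list. Vista and later ship a different
# baseline (credssp.dll and others), so adjust this for the OS under review.
$KnownSecurityProviders = @('msapsspc.dll', 'schannel.dll', 'digest.dll', 'msnsspc.dll')

$SsodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$SpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

function New-Finding {
    param($Source, $Name, $Clsid, $Path, $Exists, $Signature, $Suspicious)
    [pscustomobject]@{ Source = $Source; Name = $Name; Clsid = $Clsid; Path = $Path
                       Exists = $Exists; Signature = $Signature; Suspicious = $Suspicious }
}

function Resolve-ClsidServer {
    # SSODL values are CLSIDs; the DLL explorer.exe actually loads is the
    # InprocServer32 default value registered for that CLSID.
    param([string]$Clsid)
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $inproc) {
        return (Get-ItemProperty -LiteralPath $inproc).'(default)'
    }
    return $null
}

function Get-ModuleVerdict {
    # Existence plus Authenticode status. Catalog-signed OS files can report
    # NotSigned on older PowerShell, so location is weighed too: a DLL under
    # %SystemRoot%\Installer\{GUID}\ (the MSI cache, where KbdVolume.dll and
    # zip.dll sat) is not where real shell extensions or SSPs live.
    param([string]$Path)
    $full = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    if (-not [IO.Path]::IsPathRooted($full)) {
        # Bare names, as in SecurityProviders, resolve from System32 first.
        $full = Join-Path $env:SystemRoot "System32\$full"
    }
    if (-not (Test-Path -LiteralPath $full)) {
        return @{ Path = $full; Exists = $false; Signature = 'n/a'; Suspicious = $true }
    }
    $sig = (Get-AuthenticodeSignature -FilePath $full).Status
    $oddPlace = ($full -match '\\Installer\\\{[0-9A-Fa-f-]+\}\\') -or ($full -notmatch '\\System32\\')
    return @{ Path = $full; Exists = $true; Signature = $sig; Suspicious = (($sig -ne 'Valid') -and $oddPlace) }
}

function Get-SsodlFindings {
    if (-not (Test-Path -LiteralPath $SsodlKey)) { return }
    $item = Get-ItemProperty -LiteralPath $SsodlKey
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $dll = Resolve-ClsidServer -Clsid $p.Value
        if ($dll) { $v = Get-ModuleVerdict -Path $dll }
        else      { $v = @{ Path = '(no InprocServer32)'; Exists = $false; Signature = 'n/a'; Suspicious = $true } }
        New-Finding 'SSODL' $p.Name $p.Value $v.Path $v.Exists $v.Signature $v.Suspicious
    }
}

function Get-SecurityProviderFindings {
    # One comma-separated string; every name in it is loaded into lsass.exe at
    # boot, so an unknown entry is code running as SYSTEM inside LSA.
    $raw = (Get-ItemProperty -LiteralPath $SpKey).SecurityProviders
    foreach ($name in ($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $v = Get-ModuleVerdict -Path $name
        $known = $KnownSecurityProviders -contains $name
        New-Finding 'SecurityProviders' $name '' $v.Path $v.Exists $v.Signature (-not $known)
    }
}

$findings = @(Get-SsodlFindings) + @(Get-SecurityProviderFindings)
$findings | Format-Table Source, Name, Path, Exists, Signature, Suspicious -AutoSize
foreach ($f in ($findings | Where-Object { $_.Suspicious })) {
    Write-Warning ("{0}: '{1}' -> {2} (exists={3}, signature={4})" -f $f.Source, $f.Name, $f.Path, $f.Exists, $f.Signature)
}
```

The script only reports; the fixthis.reg above is the removal step, and re-running the audit after merging it (and after the DLL itself is gone) confirms both locations are back to baseline. Two details already in this thread's logs are what the check keys on: ComboFix showed both SSODL entries resolving into C:\WINDOWS\Installer\{GUID}\ directories, and the SecurityProviders string carried an extra name, wowfx.dll, after the four stock XP providers. An SSODL entry whose DLL exports no DllUnregisterServer, as OTMoveIt2 later reports for KbdVolume.dll, is a further sign that the registration was written directly into the registry by the dropper rather than by COM self-registration.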

#13 ztastorm (Topic Starter, Member, 86 posts)
Hi There,
Things are getting better...I don't have all those popups that I had before! However, before running OTMoveIt2, the Ultimate Defender ads were still coming up..but so far so good..thanks so much!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:55 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\monhost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Verizon\Verizon Internet Security Suite\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O21 - SSODL: zip - {88b75b04-eb80-454e-996d-bec86992f57f} - C:\WINDOWS\Installer\{88b75b04-eb80-454e-996d-bec86992f57f}\zip.dll
O21 - SSODL: KbdVolume - {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe

--
End of file - 4425 bytes


OTmoveIT2:


C:\Program Files\udefender_setup.exe moved successfully.
C:\Program Files\tmp46395875.exe moved successfully.
C:\WINDOWS\system32\cpnprt2.cid moved successfully.
C:\WINDOWS\cpnprt2.cid moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll
C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll NOT unregistered.
C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll moved successfully.

OTMoveIt2 v1.0.17 log created on 02032008_101638

#14 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Yes I believe we still have a little work to do.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
===============================================================
Please download SUPERAntiSpyware Home Edition (free version).
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Scan for Alternate Data streams
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.

Then run Superantispyware.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
1. After reboot, double-click the SUPERAntiSpyware icon on your desktop.
2. Click Preferences. Click the Statistics/Logs tab.
3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
4. It will open in your default text editor (such as Notepad/Wordpad).
5. Please highlight everything in the notepad, then right-click and choose copy.
6. Click close and close again to exit the program.
Save the log information. If needed (still infected) paste this info along with your HijackThis log.

#15 ztastorm (Topic Starter, Member, 86 posts)
ultimate defender/ultimate cleaner were still popping up as the SUPERAntiSpyware Scan was running...grrrrrr....


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/03/2008 at 12:01 PM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 00:37:37

Memory items scanned : 324
Memory threats detected : 3
Registry items scanned : 4674
Registry threats detected : 5
File items scanned : 31672
File threats detected : 84

Trojan.Downloader-NoName
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\MONHOST.EXE
C:\DOCUME~1\OWNER\LOCALS~1\TEMP\MONHOST.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\MONHOST.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\NP3VM05K\1202056211[1].EXE
C:\PROGRAM FILES\TMP58011296.EXE
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\16SYN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\32SERVER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\LOOKMON.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\POWERAGENT.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\SERVERHOST.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\SERVERLOOK.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\SERVERMON.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\SYN16.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\SYS64.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\SYSSV.EXE.VIR
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\WINPOWER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\SPOOLSV.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022290.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022300.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022320.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023340.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023376.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023505.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023507.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023513.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023517.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023519.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023520.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023521.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023527.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023528.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023529.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023532.EXE
C:\_OTMOVEIT\MOVEDFILES\02032008_101638\PROGRAM FILES\TMP46395875.EXE
C:\WINDOWS\Prefetch\TMP58011296.EXE-0D38551A.pf

Trojan.Downloader-Oreon/Resident
C:\WINDOWS\INSTALLER\{E8B77EC8-465A-40A4-8183-16925A8CC28B}\KBDVOLUME.DLL
C:\WINDOWS\INSTALLER\{E8B77EC8-465A-40A4-8183-16925A8CC28B}\KBDVOLUME.DLL

Spyware.Melkosoft (CoolWebSearch Variant)
C:\WINDOWS\INSTALLER\{88B75B04-EB80-454E-996D-BEC86992F57F}\ZIP.DLL
C:\WINDOWS\INSTALLER\{88B75B04-EB80-454E-996D-BEC86992F57F}\ZIP.DLL
C:\WINDOWS\INSTALLER\{153B0FC1-810B-4AC5-849B-9E41C95C0F25}\ZIP.DLL
C:\WINDOWS\INSTALLER\{70BA41EE-91D8-4355-B945-858C78BFBFAA}\ZIP.DLL
C:\WINDOWS\INSTALLER\{91C38AB7-361D-4CCC-9125-C7DD806D84C0}\ZIP.DLL
C:\WINDOWS\INSTALLER\{A3B1EB96-727D-455D-B319-7747773027DB}\ZIP.DLL
C:\WINDOWS\INSTALLER\{A802E95B-1663-4FA0-85D3-87A9DFDB2041}\ZIP.DLL
C:\WINDOWS\INSTALLER\{CCFC7BD0-1BDA-4199-96A0-8C32ACD9DDBD}\ZIP.DLL

Adware.AdSponsor/ISM
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{1B2588F5-45CE-4322-B755-D79944AD1B17}
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{1ED6A320-8AF3-4f06-868A-9BA95585712E}
HKU\S-1-5-21-798817249-1808548394-2052090312-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{1B2588F5-45CE-4322-B755-D79944AD1B17}
HKU\S-1-5-21-798817249-1808548394-2052090312-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{1ED6A320-8AF3-4F06-868A-9BA95585712E}
HKU\S-1-5-21-798817249-1808548394-2052090312-1003\Software\QdrModule
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDDRIVE7.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\ISMMODULE7.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\QDRDRIVE\QDRDRIVE9.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\FIFOED\A0021553.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022570.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023370.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023371.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023373.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Adware.Search2Find
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\OHEJ4XIF\1202056264[1].EXE
C:\PROGRAM FILES\TMP58068234.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP261\A0023355.EXE
C:\WINDOWS\Prefetch\TMP58068234.EXE-04344944.pf

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\QOOBOX\QUARANTINE\C\DECKARD\SYSTEM SCANNER\BACKUP\DOCUME~1\OWNER\LOCALS~1\TEMP\WINVSNET.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023533.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE.VIR

Malware.Ultimate Defender
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\UCLEANER_SETUP.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\UDEFENDER_SETUP.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0022317.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023321.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0023341.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023375.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0023649.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP264\A0023736.EXE
C:\_OTMOVEIT\MOVEDFILES\02032008_101638\PROGRAM FILES\UDEFENDER_SETUP.EXE

Trojan.Unclassifed/AffiliateBundle
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EFCYYWW.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SSQPNKJ.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023390.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023396.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023407.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023389.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023391.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023392.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023394.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023395.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023408.DLL

Trojan.Downloader-WinPop/SD
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0023482.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OP2FG16R\ucleaner_setup[1].exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NP3VM05K\udefender_setup[1].exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OP2FG16R\get_lic[1].htm
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OP2FG16R\get_lic_new[1].htm


HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:37 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\lxdkcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Verizon\Verizon Internet Security Suite\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: zip - {88b75b04-eb80-454e-996d-bec86992f57f} - C:\WINDOWS\Installer\{88b75b04-eb80-454e-996d-bec86992f57f}\zip.dll (file missing)
O21 - SSODL: KbdVolume - {e8b77ec8-465a-40a4-8183-16925a8cc28b} - C:\WINDOWS\Installer\{e8b77ec8-465a-40a4-8183-16925a8cc28b}\KbdVolume.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdkCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdkserv.exe
O23 - Service: lxdk_device - - C:\WINDOWS\system32\lxdkcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - c:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\fws.exe

--
End of file - 4614 bytes