Serious Malware and Trojan Problem [RESOLVED]

#1 Jaereloaded (Member, 22 posts)

Hi... to anyone who can help me.
I'll just try to explain what is going on with the computer... and maybe you guys will know what the solution is...

Of course I get pop-ups and "Critical error" messages. In the "My Documents" folder, as well as other folders, there are like twenty thousand .tmp files that I can't delete. Of course it's taking up so much space on my computer.... The anti-virus software that I have is so old it has no effect on anything. So I bought a new anti-virus program, and it says I don't have enough memory to add the program.... Can someone help me... without having to completely reinstall Windows... I don't want to lose any of my programs or music....

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello Jaereloaded

Welcome to G2Go. :)
=================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 Jaereloaded (Topic Starter, Member, 22 posts)

Deckard's System Scanner v20071014.68
Run by Jamael on 2008-01-04 21:59:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
102: 2008-01-05 03:01:48 UTC - RP704 - Deckard's System Scanner Restore Point
101: 2008-01-04 21:50:36 UTC - RP703 - Removed Adobe Reader 7.0
100: 2008-01-04 21:40:23 UTC - RP702 - Removed Microsoft Outlook 2002
99: 2008-01-04 21:30:40 UTC - RP701 - Removed Microsoft Office XP Professional with FrontPage
98: 2008-01-04 21:30:30 UTC - RP700 - Removed QuickTime


-- First Restore Point --
1: 2008-02-17 02:16:28 UTC - RP603 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 127 MiB (512 MiB recommended).


-- HijackThis (run as Jamael.exe) ----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-04 22:07:26
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Lexbces.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\windows
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Documents and Settings\Jamael\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - C:\WINDOWS\system32\tuvvttq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\sbglanqc.dll
O2 - BHO: (no name) - {C765EB71-70C7-4525-B2B7-F59E06759A5A} - C:\WINDOWS\system32\fcywt.dll
O2 - BHO: {f50944be-8198-cbd9-9254-7875747b984e} - {e489b747-5787-4529-9dbc-8918eb44905f} - C:\WINDOWS\system32\tpjxuhpt.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [35380754] rundll32.exe "C:\WINDOWS\system32\qvcumkxh.dll",b
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O20 - Winlogon Notify: ibuntu - C:\WINDOWS\system32\ibuntu.dll (file missing)
O20 - Winlogon Notify: sbglanqc - C:\WINDOWS\system32\sbglanqc.dll
O20 - Winlogon Notify: tuvvttq - C:\WINDOWS\system32\tuvvttq.dll
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\Lexbces.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


--
End of file - 4225 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 mchInjDrv (madCodeHook DLL injection driver) - c:\windows\system32\drivers\mchinjdrv.sys
R1 sdcplh - c:\windows\system32\drivers\sdcplh.sys <Not Verified; ; SDCPLH>
R2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S1 krnllds (Kernel CryptoModule) - c:\windows\system32\krnllds.sys (file missing)
S1 wer32 - c:\windows\system32\jkghje.dll (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 SbcpHid - c:\windows\system32\drivers\sbcphid.sys
S3 TSP - c:\program files\pc tools antivirus\klif.sys <Not Verified; Kaspersky Labs; KLIF>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 MSControlService (Microsoft cache control) - c:\windows\system32\windows

S2 AvSynMgr (AVSync Manager) - "c:\program files\mcafee\mcafee virusscan\avsynmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Home Edition>
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_1057&DEV_5608&SUBSYS_00031668&REV_00\4&24AB0D93&0&58F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_1057&DEV_5608&SUBSYS_00031668&REV_00\4&24AB0D93&0&58F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-02-20 03:00:20 490 --a------ C:\WINDOWS\Tasks\MalwareBot Scheduled Scan.job
2008-02-19 11:13:24 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-04 and 2008-01-04 -----------------------------

2008-02-20 13:08:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 10:51:51 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-19 23:04:22 0 d-------- C:\Program Files\Spyware Doctor
2008-02-19 21:25:37 89152 --a------ C:\WINDOWS\system32\kowdvehj.dll
2008-02-19 21:22:42 88128 --a------ C:\WINDOWS\system32\hpfgnaka.dll
2008-02-18 21:28:00 0 d-------- C:\Documents and Settings\Jamael\Application Data\MalwareBot
2008-02-18 21:24:49 93248 --a------ C:\WINDOWS\system32\hseahpeo.dll
2008-02-17 23:09:59 87616 --a------ C:\WINDOWS\system32\jqwioprh.dll
2008-02-17 21:20:11 97344 --a------ C:\WINDOWS\system32\rgqubetp.dll
2008-02-16 23:41:28 0 d--hs---- C:\FOUND.019
2008-02-16 23:09:36 0 d--hs---- C:\FOUND.018
2008-02-16 22:39:42 2856 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-16 22:37:57 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-16 22:37:57 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-16 22:37:57 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-16 22:37:57 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-16 22:25:11 0 d-------- C:\WINDOWS\pss
2008-02-16 21:22:20 92736 --a------ C:\WINDOWS\system32\ehharijh.dll
2008-02-16 21:19:24 86080 --a------ C:\WINDOWS\system32\ceeeehpu.dll
2008-02-16 21:19:16 163904 --a------ C:\WINDOWS\system32\sbglanqc.dll
2008-02-16 21:19:14 163904 --a------ C:\WINDOWS\system32\rhbdfgih.dll
2008-02-16 21:05:32 5476352 --a------ C:\Documents and Settings\Jamael\ntuser.dat
2008-02-16 21:05:04 279234 --ahs---- C:\WINDOWS\system32\twycf.ini2
2008-02-16 21:04:54 331776 --a------ C:\WINDOWS\system32\fcywt.dll
2008-02-16 00:37:25 40448 --a------ C:\WINDOWS\system32\tuvvttq.dll
2008-02-11 16:30:58 0 d-------- C:\Program Files\New Folder
2008-02-10 23:21:27 0 d-------- C:\Program Files\Apple Software Update
2008-02-10 23:20:23 0 d-------- C:\WINDOWS\system32\DRVSTORE
2008-02-07 22:46:35 0 d-------- C:\Program Files\Common Files\Apple
2008-02-07 22:39:28 0 d-------- C:\Program Files\Apple Software Update(2)
2008-02-01 13:56:59 94784 --a------ C:\WINDOWS\system32\kmcfbgdf.dll
2008-01-26 03:58:54 0 d-------- C:\Documents and Settings\Jamael\Application Data\Opera
2008-01-24 21:24:57 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-24 21:20:58 17176 -----n--- C:\WINDOWS\hpomdl04.dat
2008-01-24 21:08:11 0 d-------- C:\Program Files\Hp
2008-01-17 21:38:38 0 d--hs---- C:\FOUND.017
2008-01-15 01:20:32 0 d--hs---- C:\FOUND.016
2008-01-08 15:58:56 0 d--hs---- C:\FOUND.015
2008-01-04 16:28:04 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-04 15:02:23 0 d-------- C:\WINDOWS\Prefetch
2008-01-04 10:19:58 7168 --a------ C:\WINDOWS\system32\windows
2008-01-04 05:21:16 87616 --a------ C:\WINDOWS\system32\qvcumkxh.dll
2008-01-04 05:18:10 94784 --a------ C:\WINDOWS\system32\tpjxuhpt.dll
2008-01-04 04:19:45 94784 --a------ C:\WINDOWS\system32\yqfmvyuf.dll
2008-01-03 22:12:36 2560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-01-03 20:46:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-01-03 20:35:29 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-03 00:40:15 87616 --a------ C:\WINDOWS\system32\ccpbdktm.dll
2008-01-03 00:40:07 94784 --a------ C:\WINDOWS\system32\iehrxnmc.dll
2008-01-02 22:15:38 0 d-------- C:\Program Files\Common Files\Network Associates
2008-01-02 22:15:37 0 d-------- C:\Program Files\McAfee
2008-01-02 03:49:18 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-02 00:10:03 94784 --a------ C:\WINDOWS\system32\hnarssig.dll
2008-01-01 23:37:31 0 d-------- C:\Documents and Settings\All Users\Templates
2008-01-01 23:37:30 0 d-------- C:\WINDOWS\system32\PreInstall
2008-01-01 23:37:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-01 23:37:26 0 d-------- C:\Documents and Settings\Jamael\Application Data\PC Tools
2008-01-01 23:37:23 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-01-01 23:37:22 0 d-------- C:\Program Files\MalwareAlarm
2007-12-31 03:50:52 0 d-------- C:\AOL OCP
2007-12-22 14:53:35 0 d-------- C:\Program Files\CinemaForge
2007-12-21 22:35:08 0 d-------- C:\Documents and Settings\Guest\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2007-11-21 21:48:28 0 d-------- C:\Documents and Settings\Jamael\Application Data\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23D44BCF-AA7A-41D6-8905-E808F16322EF}]
02/16/2008 12:37 AM 40448 --a------ C:\WINDOWS\system32\tuvvttq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
02/16/2008 09:19 PM 163904 --a------ C:\WINDOWS\system32\sbglanqc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C765EB71-70C7-4525-B2B7-F59E06759A5A}]
02/16/2008 09:04 PM 331776 --a------ C:\WINDOWS\system32\fcywt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e489b747-5787-4529-9dbc-8918eb44905f}]
01/04/2008 05:18 AM 94784 --a------ C:\WINDOWS\system32\tpjxuhpt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" []
"35380754"="C:\WINDOWS\system32\qvcumkxh.dll" [01/04/2008 05:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe" [02/16/2005 11:06 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [11/30/2006 09:49 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{23D44BCF-AA7A-41D6-8905-E808F16322EF}"= C:\WINDOWS\system32\tuvvttq.dll [02/16/2008 12:37 AM 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ibuntu]
ibuntu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sbglanqc]
sbglanqc.dll 02/16/2008 09:19 PM 163904 C:\WINDOWS\system32\sbglanqc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvttq]
tuvvttq.dll 02/16/2008 12:37 AM 40448 C:\WINDOWS\system32\tuvvttq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\fcywt.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - MSCONTROLSERVICE



-- Hosts -----------------------------------------------------------------------

127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com

18 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-01-04 22:17:34 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Celeron processor
Percentage of Memory in Use: 80%
Physical Memory (total/avail): 126.3 MiB / 24.43 MiB
Pagefile Memory (total/avail): 443.53 MiB / 162.17 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1948.1 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 127.97 GiB total, 83.07 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)

\\.\PHYSICALDRIVE1 - IOMEGA ZIP 250

\\.\PHYSICALDRIVE0 - WDC WD1600JB-00GVA0 - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 128 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\DOCUME~1\\Jamael\\LOCALS~1\\Temp\\bl4ck.com"="C:\\DOCUME~1\\Jamael\\LOCALS~1\\Temp\\bl4ck.com:*:ENABLED:0"
"C:\\WINDOWS\\System32\\a.exe"="C:\\WINDOWS\\System32\\a.exe:*:ENABLED:0"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"="C:\\Program Files\\Pando Networks\\Pando\\pando.exe:*:Enabled:pando"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jamael\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JDWILLIAMS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jamael
LOGONSERVER=\\JDWILLIAMS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem\;C:\WINDOWS;C:\WINDOWS\COMMAND
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$p$g
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Jamael\LOCALS~1\Temp
TMP=C:\DOCUME~1\Jamael\LOCALS~1\Temp
USERDOMAIN=JDWILLIAMS
USERNAME=Jamael
USERPROFILE=C:\Documents and Settings\Jamael
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jamael (admin)
Administrator (new local, admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Motorola\iDEN WebJAL\Uninst.isu"
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMIX.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
CinemaForge --> C:\WINDOWS\system32\xmirage.exe c:\program files\CinemaForge\UninstallCF.xmfg
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
essvcpt --> MsiExec.exe /I{D1973749-F5E7-40EB-B528-F2B78685B9FF}
Free Mp3 Wma Converter V 1.3.0 --> "C:\Program Files\Free Audio Pack\unins000.exe"
HijackThis 1.99.1 --> C:\Documents and Settings\Jamael\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe /uninstall
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HP Driver Diagnostics --> MsiExec.exe /I{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}
HP PSC & OfficeJet 4.2 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
kgcbaby --> MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase --> MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday --> MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn --> MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt --> MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids --> MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove --> MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday --> MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140010_3d83cf8f\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
Lexmark Z82 Drivers --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\DeIsL4.isu -c"C:\WINDOWS\InstZ82.dll"
LimeWire 4.13.2 --> "C:\Program Files\LimeWire\uninstall.exe"
McAfee Firewall --> MsiExec.exe /I{4471FF45-62BD-11D6-B259-00C04FF4B435}
McAfee VirusScan Professional Edition --> MsiExec.exe /I{E4DC62CE-5F95-11D6-B254-00C04FF4B435}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero PhotoShow Express --> "C:\Program Files\Ahead\Ahead\data\Xtras\Uninstall.exe"
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
NoteWorthy Player --> C:\PROGRA~1\NOTEWO~1\UNINSTAL.EXE C:\PROGRA~1\NOTEWO~1\INSTALL.LOG
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
staticcr --> MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type338 / Error
Event Submitted/Written: 01/04/2008 06:33:42 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application vsmain.exe, version 7.0.5000.0, faulting module mcscan32.dll, version 4.1.6.0, fault address 0x00029f77.
Processing media-specific event for [vsmain.exe!ws!]

Event Record #/Type336 / Error
Event Submitted/Written: 01/04/2008 06:25:19 PM / 01/04/2008 06:25:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application Avsynmgr.exe, version 7.0.5000.0, faulting module Mcscan32.dll, version 4.1.6.0, fault address 0x00029f77.
Processing media-specific event for [Avsynmgr.exe!ws!]

Event Record #/Type332 / Error
Event Submitted/Written: 01/04/2008 04:30:29 PM
Event ID/Source: 11704 / MsiInstaller
Event Description:
Product: Microsoft Office XP Professional with FrontPage -- Error 1704. An installation for QuickTime is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?

Event Record #/Type329 / Error
Event Submitted/Written: 01/04/2008 03:06:37 PM / 01/04/2008 03:06:38 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application Avsynmgr.exe, version 7.0.5000.0, faulting module Mcscan32.dll, version 4.1.6.0, fault address 0x00029f77.
Processing media-specific event for [Avsynmgr.exe!ws!]

Event Record #/Type328 / Error
Event Submitted/Written: 01/04/2008 03:00:41 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type39040 / Error
Event Submitted/Written: 01/04/2008 06:33:08 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The AVSync Manager service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type39039 / Error
Event Submitted/Written: 01/04/2008 06:33:07 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type39038 / Error
Event Submitted/Written: 01/04/2008 06:33:04 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep
IKFileSec

Event Record #/Type39037 / Error
Event Submitted/Written: 01/04/2008 06:33:04 PM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The PC Tools Security Service service hung on starting.

Event Record #/Type39036 / Error
Event Submitted/Written: 01/04/2008 06:32:09 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460



-- End of Deckard's System Scanner: finished at 2008-01-04 22:17:34 ------------

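The volunteer reads the log above by eye. As an added example (not part of the thread, and not code from DSS, HijackThis or ComboFix), the script below flags the kinds of lines a malware-removal helper looks for in a HijackThis-style log: unnamed or system32-resident BHOs, rundll32 autoruns of a system32 DLL, Winlogon Notify packages outside a short XP allowlist, unknown-owner services whose binary has no file extension, and extra LSA authentication packages from the DSS registry dump. The sample lines are re-typed from the log above; the allowlist is an assumption, not a complete reference.

```python
import re

# Constructed sample: a subset of the HijackThis lines and one DSS
# registry-dump line from the log posted above, re-typed as test input.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - C:\WINDOWS\system32\tuvvttq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [35380754] rundll32.exe "C:\WINDOWS\system32\qvcumkxh.dll",b
O20 - Winlogon Notify: sbglanqc - C:\WINDOWS\system32\sbglanqc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\Lexbces.exe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\fcywt.dll
"""

# Winlogon Notify packages that ship with Windows XP SP2. This is a partial
# allowlist assumed for the example, not an exhaustive reference.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# One pattern per HijackThis section this triage cares about.
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+?)(?: \(file missing\))?$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)(?: \(file missing\))?$")
LSA_RE = re.compile(r'^"Authentication Packages"= (.+)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
# A DLL sitting directly in system32 is unusual for a BHO or an autorun target.
SYS32_DLL = re.compile(r"^C:\\WINDOWS\\system32\\[a-z0-9]+\.dll$", re.I)


def triage(log_text):
    """Return a list of (tag, reason, line) for lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O2_RE.match(line):
            name, path = m.groups()
            if name == "(no name)" or SYS32_DLL.match(path):
                findings.append(("O2", "unnamed or system32-resident BHO", line))
        elif m := O4_RE.match(line):
            key, cmd = m.groups()
            dll = RUNDLL_RE.search(cmd)
            if dll and SYS32_DLL.match(dll.group(1)):
                findings.append(("O4", f"rundll32 autorun of a system32 DLL under [{key}]", line))
        elif m := O20_RE.match(line):
            pkg, _path = m.groups()
            if pkg.lower() not in KNOWN_NOTIFY:
                findings.append(("O20", "Winlogon Notify package outside the XP allowlist", line))
        elif m := O23_RE.match(line):
            _svc, owner, path = m.groups()
            # A service binary with no extension (e.g. "...\system32\windows")
            # is a common sign of a dropped payload masquerading as a system file.
            if owner == "Unknown owner" and "." not in path.rsplit("\\", 1)[-1]:
                findings.append(("O23", "unknown-owner service whose binary has no extension", line))
        elif m := LSA_RE.match(line):
            # Only msv1_0 is expected on a default XP box; anything else is
            # loaded into lsass.exe at boot and deserves scrutiny.
            extras = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
            if extras:
                findings.append(("LSA", "extra LSA authentication package(s): " + ", ".join(extras), line))
    return findings


if __name__ == "__main__":
    for tag, reason, line in triage(SAMPLE_LOG):
        print(f"[{tag}] {reason}\n    {line}")
```

Run against the sample it reports five lines, matching the entries the helper later targets, while leaving the Java BHO, the Spyware Doctor autorun, WgaLogon and the Lexmark service alone.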
#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 Jaereloaded (Topic Starter, Member, 22 posts)

Logfile of HijackThis v1.99.1
Scan saved at 11:32:53 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\sbglanqc.dll
O2 - BHO: (no name) - {C765EB71-70C7-4525-B2B7-F59E06759A5A} - C:\WINDOWS\system32\fcywt.dll (file missing)
O2 - BHO: {f50944be-8198-cbd9-9254-7875747b984e} - {e489b747-5787-4529-9dbc-8918eb44905f} - C:\WINDOWS\system32\tpjxuhpt.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [35380754] rundll32.exe "C:\WINDOWS\system32\qvcumkxh.dll",b
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O20 - Winlogon Notify: ibuntu - ibuntu.dll (file missing)
O20 - Winlogon Notify: sbglanqc - C:\WINDOWS\SYSTEM32\sbglanqc.dll
O20 - Winlogon Notify: tuvvttq - tuvvttq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

ComboFix 08-02-24.2 - Jamael 2008-01-04 22:58:49.1 - FAT32x86
Running from: C:\Documents and Settings\Jamael\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\windows
C:\Program Files\Common Files\windows\ack.html
C:\Program Files\Common Files\windows\request.html
C:\Program Files\cowabanga
C:\Program Files\cowabanga\License.txt
C:\Program Files\cowabanga\uninstaller.exe
C:\Program Files\network monitor
C:\Program Files\newdotnet
C:\Program Files\newdotnet\readme.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\spamblockerutility
C:\Program Files\spamblockerutility\bin\4.8.4.0\SpamBlockerUtility.exe
C:\Program Files\WinBudget
C:\Program Files\ymbols~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\keyboard21.dat
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\akangfph.ini
C:\WINDOWS\system32\ccpbdktm.dll
C:\WINDOWS\system32\ceeeehpu.dll
C:\WINDOWS\system32\ehharijh.dll
C:\WINDOWS\system32\fcywt.dll
C:\WINDOWS\system32\ffsqtytp.ini
C:\WINDOWS\system32\gsuwxkxx.ini
C:\WINDOWS\system32\hnarssig.dll
C:\WINDOWS\system32\hpfgnaka.dll
C:\WINDOWS\system32\hrpoiwqj.ini
C:\WINDOWS\system32\hseahpeo.dll
C:\WINDOWS\system32\hxkmucvq.ini
C:\WINDOWS\system32\iehrxnmc.dll
C:\WINDOWS\system32\jglrkjvh.ini
C:\WINDOWS\system32\jqwioprh.dll
C:\WINDOWS\system32\kmcfbgdf.dll
C:\WINDOWS\system32\kowdvehj.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mtkdbpcc.ini
C:\WINDOWS\system32\qvcumkxh.dll
C:\WINDOWS\system32\rgqubetp.dll
C:\WINDOWS\system32\rhbdfgih.dll
C:\WINDOWS\system32\sbglanqc.dll
C:\WINDOWS\system32\sbglanqc.dllbox
C:\WINDOWS\system32\setup.exe.tmp
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\tpjxuhpt.dll
C:\WINDOWS\system32\tuvvttq.dll
C:\WINDOWS\system32\twycf.ini
C:\WINDOWS\system32\twycf.ini2
C:\WINDOWS\system32\uknichrv.dllbox
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\upheeeec.ini
C:\WINDOWS\system32\usruocue.ini
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wtssu.exe
C:\WINDOWS\system32\yqfmvyuf.dll
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm
C:\WINDOWS\system32\sbglanqc.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NEW_DRV
-------\new_drv


((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 23:25 . 2008-02-24 23:25 14,033 --a------ C:\posED.tmp
2008-02-24 23:24 . 2008-02-24 23:26 19,054 ---hs---- C:\WINDOWS\system32\sbglanqc.dllbox
2008-02-20 13:08 . 2008-02-20 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 10:56 . 2006-03-16 19:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-02-20 10:51 . 2008-02-20 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-19 23:04 . 2008-02-19 23:04 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-19 23:04 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 23:04 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-19 23:04 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-19 23:04 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-19 21:44 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-19 21:44 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-19 21:44 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-19 21:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-19 21:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-19 21:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-19 21:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-18 21:28 . 2008-02-18 21:28 <DIR> d-------- C:\Documents and Settings\Jamael\Application Data\MalwareBot
2008-02-16 23:41 . 2008-02-16 23:41 <DIR> d--hs---- C:\FOUND.019
2008-02-16 23:09 . 2008-02-16 23:09 <DIR> d--hs---- C:\FOUND.018
2008-02-16 22:39 . 2008-02-16 23:21 2,856 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-16 22:37 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-16 22:37 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-16 22:37 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-16 22:37 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-16 21:19 . 2008-02-24 23:11 163,904 --------- C:\WINDOWS\system32\sbglanqc.dll
2008-02-11 16:30 . 2008-02-11 16:31 <DIR> d-------- C:\Program Files\New Folder
2008-02-10 23:21 . 2008-02-10 23:21 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-10 23:20 . 2008-02-10 23:20 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-02-07 22:46 . 2008-02-07 22:46 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-07 22:39 . 2008-02-07 22:39 <DIR> d-------- C:\Program Files\Apple Software Update(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 04:23 2,560 ----a-w C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-01-25 02:24 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-01-25 02:08 --------- d-----w C:\Program Files\Hp
2008-01-04 21:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-04 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-03 03:15 --------- d-----w C:\Program Files\McAfee
2008-01-03 03:15 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-01-02 08:49 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-02 04:37 --------- d-----w C:\Program Files\MalwareAlarm
2008-01-02 04:37 --------- d-----w C:\Documents and Settings\Jamael\Application Data\PC Tools
2008-01-02 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2006-05-12 17:29 59,504 ----a-w C:\Documents and Settings\Jamael\Application Data\GDIPFONTCACHEV1.DAT
2005-05-22 14:36 271 --sh--w C:\Program Files\desktop.ini
2005-05-22 14:36 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2005-06-11 22:19:10 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 180,269 2007-03-20 05:35:20 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 98,304 2001-09-24 14:39:28 C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE
----a-w 37,388 2007-01-16 15:02:34 C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe

----a-w 36,975 2005-11-10 18:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
----a-w 37,388 2007-01-16 15:02:34 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

----a-w 3,334,144 2006-06-16 19:37:08 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 4,662,776 2006-12-01 02:49:04 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

----a-w 282,624 2006-12-26 18:59:58 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-01-10 20:27:36 C:\Program Files\QuickTime\QTTask.exe

----a-w 872,216 2005-10-25 20:00:16 C:\Program Files\PC Tools AntiVirus\bak\PCTAV.exe

----a-w 196,608 2004-05-12 21:04:54 C:\Program Files\Ahead\Ahead\data\Xtras\bak\mssysmgr.exe
----a-w 37,388 2007-01-16 15:02:34 C:\Program Files\Ahead\Ahead\data\Xtras\mssysmgr.exe

----a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-01-15 08:22:56 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 155,648 2001-07-09 16:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 37,388 2007-01-16 15:02:34 C:\WINDOWS\system32\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-24 23:11 163904 --------- C:\WINDOWS\system32\sbglanqc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C765EB71-70C7-4525-B2B7-F59E06759A5A}]
C:\WINDOWS\system32\fcywt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e489b747-5787-4529-9dbc-8918eb44905f}]
C:\WINDOWS\system32\tpjxuhpt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe" [2005-02-16 11:06 218112]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"35380754"="C:\WINDOWS\system32\qvcumkxh.dll" [ ]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 03:56 388608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"= 0 (0x0)
"ForceActiveDesktopOn"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ibuntu]
ibuntu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sbglanqc]
sbglanqc.dll 2008-02-24 23:11 163904 C:\WINDOWS\system32\sbglanqc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvttq]
tuvvttq.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-02-24 23:23]
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-13 15:33]
S1 krnllds;Kernel CryptoModule;C:\WINDOWS\system32\krnllds.sys []
S1 wer32;wer32;C:\WINDOWS\system32\jkghje.dll []
S2 AvSynMgr;AVSync Manager;"C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" [2002-08-05 07:00]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 16:13:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-20 08:00:20 C:\WINDOWS\Tasks\MalwareBot Scheduled Scan.job"
- C:\Program Files\MalwareBot\MalwareBot.ex
- C:\Program Files\MalwareBot.JamaelVRuns MalwareBot to scan your computer for malicious and potenially unwanted programs.
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 23:26:20
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sbglanqc.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-02-24 23:32:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 04:31:54
.
2008-01-02 09:02:50 --- E O F ---
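The AWF section of the ComboFix log above deserves a second look. Four of the live executables it lists (LVComS.exe, jusched.exe, mssysmgr.exe, NeroCheck.exe) have exactly the same size and timestamp, 37,388 bytes from 2007-01-16 15:02:34, while the copies in the bak\ folders beside them are all different sizes. That is one file copied over several legitimate autostart programs, with each original pushed aside into bak\. The parser below is an added example written for this page, not part of ComboFix or of the fix in this thread: it pairs each bak\ original with the file that replaced it and groups the live files by size and timestamp. The sample section is the one from the log above.

```python
"""Read the AWF section of a ComboFix log and flag one dropper planted under
several legitimate names. Example code for this page, not part of ComboFix.
Each line is "<attrs> <size> <date> <time> <path>"; an original that was
moved aside sits in a bak\\ folder next to the file that replaced it."""
import ntpath
import re
from collections import defaultdict

AWF_LINE = re.compile(r"^(?P<attr>\S+)\s+(?P<size>[\d,]+)\s+"
                      r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$")


def parse_awf(section: str) -> list:
    """(size_bytes, timestamp, path) for every file line in the section."""
    entries = []
    for line in section.splitlines():
        m = AWF_LINE.match(line.strip())
        if m:
            entries.append((int(m["size"].replace(",", "")), m["stamp"], m["path"]))
    return entries


def _is_original(path: str) -> bool:
    # ntpath handles Windows paths correctly even when run on Linux.
    return ntpath.basename(ntpath.dirname(path)).lower() == "bak"


def pair_originals(entries) -> list:
    """[(original_entry, live_entry_or_None)] keyed on folder + file name."""
    originals, live = {}, {}
    for size, stamp, path in entries:
        folder, name = ntpath.split(path)
        if _is_original(path):
            originals[(ntpath.dirname(folder).lower(), name.lower())] = (size, stamp, path)
        else:
            live[(folder.lower(), name.lower())] = (size, stamp, path)
    return [(orig, live.get(key)) for key, orig in originals.items()]


def clusters(entries, min_paths: int = 2) -> dict:
    """Live files sharing an exact size and timestamp: one file under many names."""
    by_sig = defaultdict(list)
    for size, stamp, path in entries:
        if not _is_original(path):
            by_sig[(size, stamp)].append(path)
    return {sig: paths for sig, paths in by_sig.items() if len(paths) >= min_paths}


def report(section: str) -> dict:
    entries = parse_awf(section)
    pairs = pair_originals(entries)
    flagged = [{"size": size, "stamp": stamp,
                "names": sorted(ntpath.basename(p).lower() for p in paths)}
               for (size, stamp), paths in clusters(entries).items()]
    return {"entries": len(entries),
            "restorable": sum(1 for _, live_entry in pairs if live_entry is not None),
            "orphan_originals": sum(1 for _, live_entry in pairs if live_entry is None),
            "flagged": flagged}


# The AWF section exactly as it appears in the ComboFix log in this thread.
AWF_SECTION = r"""
----a-w 180,269 2005-06-11 22:19:10 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 180,269 2007-03-20 05:35:20 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
----a-w 98,304 2001-09-24 14:39:28 C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE
----a-w 37,388 2007-01-16 15:02:34 C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe
----a-w 36,975 2005-11-10 18:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
----a-w 37,388 2007-01-16 15:02:34 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
----a-w 3,334,144 2006-06-16 19:37:08 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 4,662,776 2006-12-01 02:49:04 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
----a-w 282,624 2006-12-26 18:59:58 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-01-10 20:27:36 C:\Program Files\QuickTime\QTTask.exe
----a-w 872,216 2005-10-25 20:00:16 C:\Program Files\PC Tools AntiVirus\bak\PCTAV.exe
----a-w 196,608 2004-05-12 21:04:54 C:\Program Files\Ahead\Ahead\data\Xtras\bak\mssysmgr.exe
----a-w 37,388 2007-01-16 15:02:34 C:\Program Files\Ahead\Ahead\data\Xtras\mssysmgr.exe
----a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-01-15 08:22:56 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 155,648 2001-07-09 16:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 37,388 2007-01-16 15:02:34 C:\WINDOWS\system32\NeroCheck.exe
"""

if __name__ == "__main__":
    for cluster in report(AWF_SECTION)["flagged"]:
        print(cluster["size"], cluster["stamp"], ", ".join(cluster["names"]))
```

On this section the report finds eight originals with a live counterpart, one orphaned original (PCTAV.exe, bak copy only), and a single cluster of four names sharing the 37,388-byte file. The pairing tells you which originals exist to restore from; the cluster is the list of names to hash-check before trusting any of them again.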

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
krnllds
wer32
MSControlService
File::
C:\posED.tmp
C:\WINDOWS\system32\sbglanqc.dllbox
C:\WINDOWS\system32\sbglanqc.dll
C:\WINDOWS\system32\fcywt.dll
C:\WINDOWS\system32\tpjxuhpt.dll
C:\WINDOWS\system32\qvcumkxh.dll
C:\WINDOWS\system32\jkghje.dll 
C:\WINDOWS\system32\krnllds.sys 
Folder::
C:\Documents and Settings\Jamael\Application Data\MalwareBot
C:\WINDOWS\system32\windows 
C:\Program Files\MalwareBot
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C765EB71-70C7-4525-B2B7-F59E06759A5A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e489b747-5787-4529-9dbc-8918eb44905f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"35380754"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ibuntu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sbglanqc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvttq]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#7
Jaereloaded

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
ComboFix 08-02-24.2 - Jamael 2008-02-25 0:18:11.2 - FAT32x86
Running from: C:\Documents and Settings\Jamael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jamael\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\posED.tmp
C:\WINDOWS\system32\fcywt.dll
C:\WINDOWS\system32\jkghje.dll
C:\WINDOWS\system32\krnllds.sys
C:\WINDOWS\system32\qvcumkxh.dll
C:\WINDOWS\system32\sbglanqc.dll
C:\WINDOWS\system32\sbglanqc.dllbox
C:\WINDOWS\system32\tpjxuhpt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jamael\Application Data\MalwareBot
C:\Documents and Settings\Jamael\Application Data\MalwareBot\Log\2008 Feb 18 - 09_28_00 PM_639.log
C:\Documents and Settings\Jamael\Application Data\MalwareBot\Log\2008 Feb 18 - 09_28_14 PM_619.log
C:\Documents and Settings\Jamael\Application Data\MalwareBot\Log\2008 Feb 18 - 10_57_44 PM_338.log
C:\Documents and Settings\Jamael\Application Data\MalwareBot\Log\2008 Feb 19 - 03_00_13 AM_428.log
C:\Documents and Settings\Jamael\Application Data\MalwareBot\Log\2008 Feb 19 - 03_00_20 AM_719.log
C:\Documents and Settings\Jamael\Application Data\MalwareBot\Log\2008 Feb 19 - 09_39_33 PM_636.log
C:\Documents and Settings\Jamael\Application Data\MalwareBot\Log\2008 Feb 19 - 09_46_31 AM_185.log
C:\Documents and Settings\Jamael\Application Data\MalwareBot\rs.dat
C:\Documents and Settings\Jamael\Application Data\MalwareBot\Settings\ScanResults.pie
C:\posED.tmp
C:\WINDOWS\system32\sbglanqc.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KRNLLDS
-------\LEGACY_MSCONTROLSERVICE
-------\LEGACY_NEW_DRV
-------\LEGACY_WER32
-------\krnllds
-------\MSControlService
-------\wer32


((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-20 13:08 . 2008-02-20 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 10:56 . 2006-03-16 19:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-02-20 10:51 . 2008-02-20 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-19 23:04 . 2008-02-19 23:04 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-19 23:04 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 23:04 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-19 23:04 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-19 23:04 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-19 21:44 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-19 21:44 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-19 21:44 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-19 21:43 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-19 21:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-19 21:43 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-19 21:43 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-16 23:41 . 2008-02-16 23:41 <DIR> d--hs---- C:\FOUND.019
2008-02-16 23:09 . 2008-02-16 23:09 <DIR> d--hs---- C:\FOUND.018
2008-02-16 22:39 . 2008-02-16 23:21 2,856 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-16 22:37 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-16 22:37 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-16 22:37 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-16 22:37 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-11 16:30 . 2008-02-11 16:31 <DIR> d-------- C:\Program Files\New Folder
2008-02-10 23:21 . 2008-02-10 23:21 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-10 23:20 . 2008-02-10 23:20 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-02-07 22:46 . 2008-02-07 22:46 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-07 22:39 . 2008-02-07 22:39 <DIR> d-------- C:\Program Files\Apple Software Update(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 05:28 2,560 ----a-w C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-01-25 02:24 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-01-25 02:08 --------- d-----w C:\Program Files\Hp
2008-01-04 21:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-04 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-03 03:15 --------- d-----w C:\Program Files\McAfee
2008-01-03 03:15 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-01-02 08:49 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-02 04:37 --------- d-----w C:\Program Files\MalwareAlarm
2008-01-02 04:37 --------- d-----w C:\Documents and Settings\Jamael\Application Data\PC Tools
2008-01-02 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-07 14:37 3,059,200 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 13:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2006-05-12 17:29 59,504 ----a-w C:\Documents and Settings\Jamael\Application Data\GDIPFONTCACHEV1.DAT
2005-05-22 14:36 271 --sh--w C:\Program Files\desktop.ini
2005-05-22 14:36 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe" [2005-02-16 11:06 218112]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.exe" [2006-11-30 21:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2004-08-04 03:56 388608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ibuntu]
ibuntu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sbglanqc]
sbglanqc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-02-25 00:28]
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-13 15:33]
Start Pending2 AvSynMgr;AVSync Manager;"C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" [2002-08-05 07:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 16:13:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-20 08:00:20 C:\WINDOWS\Tasks\MalwareBot Scheduled Scan.job"
- C:\Program Files\MalwareBot\MalwareBot.ex
- C:\Program Files\MalwareBot.JamaelVRuns MalwareBot to scan your computer for malicious and potenially unwanted programs.
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 00:28:00
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\dwwin.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-02-25 0:30:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 05:30:42
ComboFix2.txt 2008-02-25 04:32:06
.
2008-01-02 09:02:50 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 12:31:24 AM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.EXE" -quiet
O20 - Winlogon Notify: ibuntu - ibuntu.dll (file missing)
O20 - Winlogon Notify: sbglanqc - sbglanqc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
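The two HijackThis logs in this thread show what to look for in the load-point lines: BHOs registered with no name, or pointing at a DLL that is no longer on disk; a Run value whose name is just digits and which calls rundll32 on a random-named DLL in system32; Winlogon Notify packages that are not part of Windows (those DLLs are loaded into winlogon.exe itself, which is why the first ComboFix run reported sbglanqc.dll as "failed to delete" and listed it under winlogon.exe); and a service with "Unknown owner" and a missing binary. The script below is an added example written for this page, not part of HijackThis, ComboFix or the helper's instructions. Its known-good Winlogon Notify list is an assumption for a stock XP SP2 install, and its sample lines are copied from the log in post #5 and from the log just above.

```python
"""Triage the load-point lines of a HijackThis v1.99 log.
Example code for this page, not part of HijackThis or ComboFix."""
import re
from dataclasses import dataclass

# Winlogon Notify packages on a stock Windows XP SP2 box plus WgaLogon.
# Assumption: anything else is suspect. A Notify DLL runs inside
# winlogon.exe, which is why ComboFix could not delete sbglanqc.dll.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon"}
# rundll32 loading a 5-8 letter random-named DLL straight from system32.
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{5,8}\.dll", re.IGNORECASE)
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


@dataclass
class Finding:
    section: str     # O2, O4, O20 or O23
    reasons: tuple
    line: str


def _bho(line):                     # O2 - BHO: <name> - {CLSID} - <path>
    parts = line.split(" - ", 3)
    if len(parts) < 4:
        return []
    name, path = parts[1][len("BHO: "):], parts[3]
    reasons = []
    if name == "(no name)" or name.startswith("{"):
        reasons.append("BHO registered without a product name")
    if path.endswith("(file missing)"):
        reasons.append("BHO DLL no longer on disk (orphaned load point)")
    return reasons


def _run(line):                     # O4 - HKxx\..\Run: [<value>] <command>
    m = O4_RUN.match(line)
    if not m:
        return []
    _hive, value_name, command = m.groups()
    reasons = []
    if value_name.isdigit():
        reasons.append("Run value named with digits only")
    if command.lower().startswith("rundll32") and RANDOM_SYS32_DLL.search(command):
        reasons.append("rundll32 loads a random-named DLL from system32")
    return reasons


def _notify(line):                  # O20 - Winlogon Notify: <package> - <dll>
    package = line.split(": ", 1)[1].split(" - ", 1)[0]
    if package in KNOWN_NOTIFY:
        return []
    return ["Winlogon Notify package not on the known-good list"]


def _service(line):                 # O23 - Service: <display> (<name>) - <owner> - <path>
    parts = line.split(" - ", 3)
    if len(parts) < 4:
        return []
    reasons = []
    if parts[2] == "Unknown owner":
        reasons.append("service binary carries no publisher")
    if parts[3].endswith("(file missing)"):
        reasons.append("service binary missing on disk")
    return reasons


HANDLERS = {"O2": _bho, "O4": _run, "O20": _notify, "O23": _service}


def triage(log: str) -> list:
    """One Finding per suspicious O2/O4/O20/O23 line, in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        section = line.split(" ", 1)[0]
        reasons = HANDLERS[section](line) if section in HANDLERS else []
        if reasons:
            findings.append(Finding(section, tuple(reasons), line))
    return findings


# Load-point lines copied from the HijackThis log in post #5 (before the fix).
LOG_BEFORE_FIX = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\sbglanqc.dll
O2 - BHO: (no name) - {C765EB71-70C7-4525-B2B7-F59E06759A5A} - C:\WINDOWS\system32\fcywt.dll (file missing)
O2 - BHO: {f50944be-8198-cbd9-9254-7875747b984e} - {e489b747-5787-4529-9dbc-8918eb44905f} - C:\WINDOWS\system32\tpjxuhpt.dll (file missing)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [35380754] rundll32.exe "C:\WINDOWS\system32\qvcumkxh.dll",b
O20 - Winlogon Notify: ibuntu - ibuntu.dll (file missing)
O20 - Winlogon Notify: sbglanqc - C:\WINDOWS\SYSTEM32\sbglanqc.dll
O20 - Winlogon Notify: tuvvttq - tuvvttq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""
# The O20 lines from the log just above (after the CFScript run).
LOG_AFTER_FIX = r"""
O20 - Winlogon Notify: ibuntu - ibuntu.dll (file missing)
O20 - Winlogon Notify: sbglanqc - sbglanqc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
"""

if __name__ == "__main__":
    for f in triage(LOG_BEFORE_FIX) + triage(LOG_AFTER_FIX):
        print(f.section, "|", "; ".join(f.reasons), "|", f.line)
```

On the first log it flags eight lines. On the O20 lines of the log just above it still flags ibuntu and sbglanqc: the DLLs are gone but the Notify keys remain, which is exactly what the OTMoveIt2 list in the next post targets.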

#8
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
It is important that you paste the filepaths below under the Yellow bar or it will not work correctly


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\Tasks\MalwareBot Scheduled Scan.job
    C:\Program Files\MalwareAlarm
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\sbglanqc
    HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ibuntu
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\combofix

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Keep that log to post with the other log.
========================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
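When the MBAM log comes back, not every line in it means an active infection. Hits under System Volume Information\_restore{...}\RP### are copies that System Restore captured in its snapshots; hits under C:\QooBox\Quarantine or C:\Deckard\System Scanner\backup are files ComboFix and DSS already moved out of the way; HKEY_ entries are leftover registry traces. Only detections in live locations, or ones MBAM could not finish removing in one pass, need further work. The parser below is an added example, not part of MBAM or of the instructions above; its sample log is constructed in the MBAM 1.x format, with a placeholder restore-point GUID and a made-up file name.

```python
"""Sort a Malwarebytes' Anti-Malware 1.x log by where each detection lived,
so hits inside System Restore snapshots or other tools' quarantine folders
are not mistaken for a still-active infection. Example code for this page,
not part of MBAM; the sample log below is constructed in MBAM's format."""
import re
from dataclasses import dataclass

RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9a-f-]+\}\\RP\d+\\", re.IGNORECASE)
# Quarantine/backup folders of the tools used earlier in this thread
# (ComboFix and Deckard's System Scanner).
TOOL_QUARANTINE = ("c:\\qoobox\\quarantine\\", "c:\\deckard\\system scanner\\backup\\")


@dataclass
class Detection:
    item: str
    family: str
    action: str
    category: str   # live / restore point copy / tool quarantine / registry trace


def classify(item: str) -> str:
    if item.upper().startswith("HKEY_"):
        return "registry trace"
    if RESTORE_POINT.search(item):
        return "restore point copy"
    if item.lower().startswith(TOOL_QUARANTINE):
        return "tool quarantine"
    return "live"


def parse_mbam(log: str) -> list:
    """Each result line is '<item> (<family>) -> <action>'."""
    dets = []
    for raw in log.splitlines():
        line = raw.strip()
        if " -> " not in line:
            continue
        item_family, action = line.rsplit(" -> ", 1)
        open_paren = item_family.rfind(" (")
        if open_paren < 0 or not item_family.endswith(")"):
            continue
        item = item_family[:open_paren]
        family = item_family[open_paren + 2:-1]
        dets.append(Detection(item, family, action, classify(item)))
    return dets


def needs_followup(log: str) -> list:
    """Live-location hits, plus anything MBAM could not finish in one pass."""
    return [d for d in parse_mbam(log)
            if d.category == "live" or not d.action.endswith("successfully.")]


def summary(log: str) -> dict:
    counts = {}
    for d in parse_mbam(log):
        counts[d.category] = counts.get(d.category, 0) + 1
    return counts


# Constructed sample in the MBAM 1.x log format (placeholder GUID, made-up DLL).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP689\A0132994.exe (Rogue.MalwareAlarm) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP705\A0146560.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\User\LOCALS~1\Temp\~DF499D.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.dll (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    print(summary(SAMPLE_LOG))
    for d in needs_followup(SAMPLE_LOG):
        print("follow up:", d.item, d.family, d.action)
```

Restore-point hits are why helpers ask to flush System Restore once a machine is clean: until the old snapshots are gone, a restore can bring the malware back intact. Quarantine hits need no action beyond eventually uninstalling the tools, which removes their quarantine folders.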

#9
Jaereloaded

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
These are the results from the "Move it"

Custom Input]
< C:\WINDOWS\Tasks\MalwareBot Scheduled Scan.job >
File/Folder C:\WINDOWS\Tasks\MalwareBot Scheduled Scan.job not found.
< C:\Program Files\MalwareAlarm >
File/Folder C:\Program Files\MalwareAlarm not found.
< HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\sbglanqc >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sbglanqc\\ not found.
< HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ibuntu >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ibuntu\\ not found.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\combofix >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\combofix not found.

OTMoveIt2 v1.0.20 log created on 02252008_111247



Malwarebytes' Anti-Malware 1.05
Database version: 400

Scan type: Full Scan (A:\|C:\|F:\|)
Objects scanned: 82116
Time elapsed: 27 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\toolbar.toolband180 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolband180.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93cecbb2-6b1b-448d-91b9-72604ef70105} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\The Weather Channel FW (Adware.Hotbar) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP686\A0131712.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP689\A0132994.exe (Rogue.MalwareAlarm) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP689\A0132995.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP689\A0132996.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP689\A0132997.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP705\A0146560.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Jamael\LOCALS~1\Temp\~DF499D.tmp (Malware.trace) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Jamael\LOCALS~1\Temp\~DF708E.tmp (Malware.trace) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\SpamBlockerUtility\bin\4.8.4.0\SpamBlockerUtility.exe.vir (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jamael\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.

#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

#11 Jaereloaded (Topic Starter, Member, 22 posts)
I tried it 5 times, and it keeps saying "Failed to load"

#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
ok.

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


#13 Jaereloaded (Topic Starter, Member, 22 posts)
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 02/25/2008
The current time is: 15:39:26.28


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/26/2006 01:59 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\PCTOOL~1\BAK

10/25/2005 03:00 PM 872,216 PCTAV.exe
1 File(s) 872,216 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 11:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

06/16/2006 02:37 PM 3,334,144 YahooMessenger.exe
1 File(s) 3,334,144 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/11/2005 05:19 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIVER\BAK

09/24/2001 09:39 AM 98,304 LVCOMS.EXE
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\AHEAD\AHEAD\DATA\XTRAS\BAK

05/12/2004 04:04 PM 196,608 mssysmgr.exe
1 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

385024 Jan 10 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Dec 26 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
872216 Oct 25 2005 "C:\Program Files\PC Tools AntiVirus\bak\PCTAV.exe"
267048 Jan 15 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 20 2008 "C:\WINDOWS\Installer\{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}\iTunesIco.exe"
79144 Jan 15 2008 "C:\Deckard\System Scanner\backup\DOCUME~1\Jamael\LOCALS~1\Temp\IXP920.TMP\iTunesSetupAdmin.exe"
37388 Jan 16 2007 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe1168958720"
3334144 Jun 16 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
180269 Mar 20 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jun 11 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
98304 Sep 24 2001 "C:\WINDOWS\system32\LVComS.exe"
37388 Jan 16 2007 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
98304 Sep 24 2001 "C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE"
36975 Dec 6 2004 "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
37388 Jan 16 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
37388 Jan 16 2007 "C:\Program Files\Ahead\Ahead\data\Xtras\mssysmgr.exe"
196608 May 12 2004 "C:\Program Files\Ahead\Ahead\data\Xtras\bak\mssysmgr.exe"


end of report

#14 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\Program Files\PC Tools AntiVirus\bak\PCTAV.exe"
    "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    "C:\WINDOWS\system32\bak\NeroCheck.exe"
    "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    "C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE"
    "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
    "C:\Program Files\Ahead\Ahead\data\Xtras\bak\mssysmgr.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


#15 Jaereloaded (Topic Starter, Member, 22 posts)
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 02/25/2008
The current time is: 16:13:24.19


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/26/2006 01:59 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\PCTOOL~1\BAK

10/25/2005 03:00 PM 872,216 PCTAV.exe
1 File(s) 872,216 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 11:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

06/16/2006 02:37 PM 3,334,144 YahooMessenger.exe
1 File(s) 3,334,144 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/11/2005 05:19 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIVER\BAK

09/24/2001 09:39 AM 98,304 LVCOMS.EXE
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\AHEAD\AHEAD\DATA\XTRAS\BAK

05/12/2004 04:04 PM 196,608 mssysmgr.exe
1 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Dec 26 2006 "C:\Program Files\QuickTime\QTTask.exe"
282624 Dec 26 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
872216 Oct 25 2005 "C:\Program Files\PC Tools AntiVirus\PCTAV.exe"
872216 Oct 25 2005 "C:\Program Files\PC Tools AntiVirus\bak\PCTAV.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Feb 20 2008 "C:\WINDOWS\Installer\{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}\iTunesIco.exe"
79144 Jan 15 2008 "C:\Deckard\System Scanner\backup\DOCUME~1\Jamael\LOCALS~1\Temp\IXP920.TMP\iTunesSetupAdmin.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe1168958720"
3334144 Jun 16 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
180269 Jun 11 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jun 11 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
98304 Sep 24 2001 "C:\WINDOWS\system32\LVComS.exe"
98304 Sep 24 2001 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
98304 Sep 24 2001 "C:\Program Files\Common Files\Logitech\QCDriver\bak\LVCOMS.EXE"
36975 Dec 6 2004 "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
196608 May 12 2004 "C:\Program Files\Ahead\Ahead\data\Xtras\mssysmgr.exe"
196608 May 12 2004 "C:\Program Files\Ahead\Ahead\data\Xtras\bak\mssysmgr.exe"


end of report
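As an added illustration of the replace-and-back-up behaviour kahdah describes in #12 and of what the before/after FindAWF reports in #13 and #15 show (editorial example code, not FindAWF or anything posted in this thread): it parses constructed excerpts of the "Duplicate files of bak directory contents" section, pairs each bak copy with the live file one directory up, flags live files that differ from their backup, and reports size/date pairs shared by differently named live files (the 37388-byte, Jan 16 2007 pattern in the first report). The excerpt lines are constructed from the shape of the reports above; the classification labels are this example's own.

```python
import re
from collections import Counter

# Constructed excerpts of the "Duplicate files of bak directory contents" section (before/after option 2).
BEFORE_RESTORE = r'''
385024 Jan 10 2008 "C:\Program Files\QuickTime\QTTask.exe"
282624 Dec 26 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
37388 Jan 16 2007 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
37388 Jan 16 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
'''
AFTER_RESTORE = r'''
282624 Dec 26 2006 "C:\Program Files\QuickTime\QTTask.exe"
282624 Dec 26 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
'''
# One report line: <size> <Mon D YYYY> "<path>"
LINE_RE = re.compile(r'^(\d+) (\w{3} \d{1,2} \d{4}) "(.+)"$')

def parse_report(text):
    """Map each path (lowercased, as NTFS is case-insensitive) to (size, date)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(3).lower()] = (int(m.group(1)), m.group(2))
    return entries

def classify(entries):
    """For every file inside a bak folder, compare it with the live copy one level up."""
    results = {}
    for path, stamp in entries.items():
        if "\\bak\\" not in path:
            continue
        live = path.replace("\\bak\\", "\\", 1)
        if live not in entries:
            results[live] = "live copy missing"   # nothing to compare against
        elif entries[live] == stamp:
            results[live] = "matches backup"      # restored, or never swapped
        else:
            results[live] = "replaced"            # live file is not the original
    return results

def dropper_signature(entries):
    """Size/date pairs shared by differently named live files: one dropper copied over each."""
    counts = Counter(stamp for path, stamp in entries.items() if "\\bak\\" not in path)
    return {stamp for stamp, n in counts.items() if n > 1}
```

Run on the first excerpt every paired live file comes back "replaced" and the shared 37388-byte stamp is reported; on the second, after the restore, the pairs match and no shared stamp remains.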