fixing virtumonde infection - hijack log [RESOLVED]


#1 chapjl (New Member, 3 posts)

I have made multiple attempts at removing the Virtumonde virus. Any help with fixing this would be appreciated. Thanks in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:32 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://savageshooters.com/SavageForum/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203716829078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E805852-66EC-4AE9-97D0-30B1B92B9FD1}: NameServer = 69.20.128.5,69.20.129.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 5706 bytes


#2 RatHat (Ex Malware Expert, 7,829 posts)

Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\


Regards,
RatHat

#3 chapjl (Topic Starter, New Member, 3 posts)

Here are the results from your directions. Thanks for your help.

report.txt

SDFix: Version 1.157

Run by Jason on Fri 03/14/2008 at 09:54 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\autorun.inf - Deleted
C:\autorun.PNF - Deleted
C:\WINDOWS\admintxt.txt - Deleted



Folder C:\Temp\1cb - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 22:01:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 20 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\bs\DRMv1.bak"
Fri 18 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRMBACKUP\DRMv1.bak"
Sat 20 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRMbk1\DRMv1.bak"
Sat 27 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\drmbkup\DRMv1.bak"
Wed 27 Feb 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Thu 6 Mar 2008 28,160 ...H. --- "C:\Documents and Settings\Jason.CHAP\My Documents\~WRL1467.tmp"
Mon 4 Oct 2004 417,792 A..H. --- "C:\Program Files\Canon\Canon Setup Utility 2.0\Maint.exe"
Tue 11 May 2004 61,440 A..H. --- "C:\Program Files\Canon\Canon Setup Utility 2.0\uinstrsc.dll"
Wed 27 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Fri 18 Aug 2006 4,348 A..H. --- "C:\Documents and Settings\Jason.CHAP\My Documents\My Music\My Music\License Backup\drmv1key.bak"
Fri 18 Aug 2006 20 A..H. --- "C:\Documents and Settings\Jason.CHAP\My Documents\My Music\My Music\License Backup\drmv1lic.bak"
Fri 18 Aug 2006 400 A.SH. --- "C:\Documents and Settings\Jason.CHAP\My Documents\My Music\My Music\License Backup\drmv2key.bak"

Finished!

Main.txt

Deckard's System Scanner v20071014.68
Run by Jason on 2008-03-14 22:06:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
53: 2008-03-15 04:06:46 UTC - RP53 - Deckard's System Scanner Restore Point
52: 2008-03-15 02:54:58 UTC - RP52 - 3/14
51: 2008-03-14 14:07:18 UTC - RP51 - Software Distribution Service 3.0
50: 2008-03-13 03:25:04 UTC - RP50 - Software Distribution Service 3.0
49: 2008-03-13 03:17:00 UTC - RP49 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-08 16:26:22 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jason.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:16 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Jason.CHAP\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jason.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://savageshooters.com/SavageForum/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {66ce6fcd-05e2-bf9a-6924-9f7b28e194c6} - {6c491e82-b7f9-4296-a9fb-2e50dcf6ec66} - C:\WINDOWS\system32\fwkbmwct.dll
O2 - BHO: (no name) - {71AA461B-010C-4922-AE44-CA09031545C9} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {90716be6-37b9-41eb-a55a-d3e98e3769bd} - C:\WINDOWS\system32\rbrqowdj.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1203716829078
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E805852-66EC-4AE9-97D0-30B1B92B9FD1}: NameServer = 69.20.128.5,69.20.129.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6522 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 BDSelfPr - c:\program files\bitdefender\bitdefender 2008\bdselfpr.sys <Not Verified; BitDefender S.R.L.; BitDefender>
R3 catchme - c:\docume~1\jason~1.cha\locals~1\temp\catchme.sys (file missing)

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10BD256C&0&10F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&10BD256C&0&10F0
Service:


-- Files created between 2008-02-14 and 2008-03-14 -----------------------------

2008-03-14 21:51:16 0 d-------- C:\WINDOWS\ERUNT
2008-03-14 20:58:17 0 d-------- C:\Program Files\Trend Micro
2008-03-14 20:51:38 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-14 20:13:40 0 d-------- C:\VundoFix Backups
2008-03-14 18:45:11 98368 --a------ C:\WINDOWS\system32\fwkbmwct.dll
2008-03-14 18:45:02 96832 --a------ C:\WINDOWS\system32\qbkxybjf.dll
2008-03-14 18:44:25 98368 --a------ C:\WINDOWS\system32\obpnehoy.dll
2008-03-14 18:42:19 92224 --a------ C:\WINDOWS\system32\tegiobee.dll
2008-03-14 18:42:10 96832 --a------ C:\WINDOWS\system32\dhueeead.dll
2008-03-14 16:01:28 92224 --a------ C:\WINDOWS\system32\cofmjqen.dll
2008-03-14 15:59:25 98368 --a------ C:\WINDOWS\system32\ifsrxapr.dll
2008-03-14 15:59:18 96832 --a------ C:\WINDOWS\system32\cwagfstl.dll
2008-03-14 15:58:22 236004 --ahs---- C:\WINDOWS\system32\cfhkj.ini2
2008-03-14 15:58:06 297984 --a------ C:\WINDOWS\system32\jkhfc.dll
2008-03-14 15:49:30 92224 --a------ C:\WINDOWS\system32\vustciek.dll
2008-03-14 15:47:34 98368 --a------ C:\WINDOWS\system32\cxvhfpyd.dll
2008-03-14 15:47:26 96832 --a------ C:\WINDOWS\system32\cftaacqw.dll
2008-03-14 14:51:15 98368 --a------ C:\WINDOWS\system32\ppladdny.dll
2008-03-14 14:49:09 96832 --a------ C:\WINDOWS\system32\wjomjsin.dll
2008-03-13 20:25:31 86080 --a------ C:\WINDOWS\system32\lfqornxn.dll
2008-03-13 20:25:23 90176 --a------ C:\WINDOWS\system32\dtvekcir.dll
2008-03-13 19:27:17 86080 --a------ C:\WINDOWS\system32\yvafrtmy.dll
2008-03-13 19:24:14 90176 --a------ C:\WINDOWS\system32\mbysgkbd.dll
2008-03-13 17:58:41 86080 --a------ C:\WINDOWS\system32\darjsrvd.dll
2008-03-13 17:56:14 90176 --a------ C:\WINDOWS\system32\jhthkije.dll
2008-03-12 19:22:10 89152 --a------ C:\WINDOWS\system32\vkwpabcc.dll
2008-03-11 19:20:51 86592 --a------ C:\WINDOWS\system32\psffisas.dll
2008-03-11 19:19:37 93248 --a------ C:\WINDOWS\system32\wddtujbt.dll
2008-03-11 06:59:11 0 d-------- C:\Documents and Settings\Lisa.CHAP\Application Data\Grisoft
2008-03-10 20:55:47 0 d-------- C:\Documents and Settings\Jason.CHAP\Application Data\Grisoft
2008-03-10 20:55:19 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-03-09 20:23:19 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-03-09 20:21:04 0 dr-h----- C:\Documents and Settings\Jason.CHAP\Recent
2008-03-09 20:19:42 0 d-------- C:\Program Files\Yahoo!
2008-03-09 13:43:17 91200 --a------ C:\WINDOWS\system32\rbrqowdj.dll
2008-03-09 13:43:07 89664 --a------ C:\WINDOWS\system32\sumrmvfe.dll
2008-03-09 12:24:37 91200 --a------ C:\WINDOWS\system32\esajssgo.dll
2008-03-09 12:24:23 89664 --a------ C:\WINDOWS\system32\xhqvmwyn.dll
2008-03-09 12:18:29 0 d-------- C:\Documents and Settings\Lisa.CHAP\Application Data\BitDefender
2008-03-09 11:30:32 91200 --a------ C:\WINDOWS\system32\rharjmuh.dll
2008-03-09 11:30:23 89664 --a------ C:\WINDOWS\system32\crxgagih.dll
2008-03-08 11:30:33 92224 --a------ C:\WINDOWS\system32\trvuwmyj.dll
2008-03-08 11:28:02 87104 --a------ C:\WINDOWS\system32\xkdtbdlv.dll
2008-03-08 11:27:55 88640 --a------ C:\WINDOWS\system32\nbagsacw.dll
2008-03-07 21:54:18 0 d-------- C:\Documents and Settings\Jason.CHAP\Application Data\Bitdefender
2008-03-07 21:52:02 0 d-------- C:\Program Files\BitDefender
2008-03-07 21:52:02 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\BitDefender
2008-03-07 21:49:24 0 d-------- C:\Program Files\Common Files\BitDefender
2008-03-07 20:12:50 0 d-------- C:\Program Files\Enigma Software Group
2008-03-07 20:06:05 0 d-------- C:\Documents and Settings\Jason.CHAP\Application Data\Google
2008-03-07 19:54:36 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2008-03-06 20:25:02 1572864 --a------ C:\Documents and Settings\Lisa.CHAP\ntuser.dat
2008-03-06 20:24:59 3407872 --a------ C:\Documents and Settings\Jason.CHAP\ntuser.dat
2008-03-06 20:24:52 1417216 --a------ C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat
2008-03-04 17:51:07 0 d-------- C:\Documents and Settings\Lisa.CHAP\Contacts
2008-02-28 17:45:35 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-28 17:42:24 0 d-------- C:\Documents and Settings\Jason.CHAP\Contacts
2008-02-28 17:30:31 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-02-27 21:58:49 0 d-------- C:\Documents and Settings\Jason.CHAP\Application Data\InstallShield
2008-02-27 20:40:37 0 d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2008-02-26 21:32:04 0 d-------- C:\Program Files\SigmaTel
2008-02-23 18:08:06 0 d-------- C:\Program Files\Lavasoft
2008-02-23 18:08:05 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-02-23 09:59:06 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
2008-02-22 21:39:22 0 d-------- C:\Documents and Settings\Lisa.CHAP\Application Data\Macromedia
2008-02-22 21:39:02 0 d-------- C:\Documents and Settings\Lisa.CHAP\Application Data\Adobe
2008-02-22 09:23:15 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Windows Genuine Advantage
2008-02-22 09:22:21 0 d-------- C:\Documents and Settings\Jason.CHAP\Application Data\Macromedia
2008-02-22 09:21:44 0 d-------- C:\Documents and Settings\Jason.CHAP\Application Data\Adobe
2008-02-21 21:10:04 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Start Menu
2008-02-21 20:51:19 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Trend Micro
2008-02-20 18:53:34 0 d--h----- C:\Documents and Settings\All Users.WINDOWS\Application Data\CanonBJ
2008-02-19 19:31:35 0 d-------- C:\drvrtmp
2008-02-19 17:51:43 0 d-------- C:\Documents and Settings\Lisa.CHAP\Application Data\Identities
2008-02-19 17:51:37 0 dr-h----- C:\Documents and Settings\Lisa.CHAP\SendTo
2008-02-19 17:51:37 0 dr-h----- C:\Documents and Settings\Lisa.CHAP\Recent
2008-02-19 17:51:37 0 d--h----- C:\Documents and Settings\Lisa.CHAP\PrintHood
2008-02-19 17:51:37 0 d--h----- C:\Documents and Settings\Lisa.CHAP\NetHood
2008-02-19 17:51:37 0 dr------- C:\Documents and Settings\Lisa.CHAP\My Documents
2008-02-19 17:51:37 0 d--h----- C:\Documents and Settings\Lisa.CHAP\Local Settings
2008-02-19 17:51:37 0 dr------- C:\Documents and Settings\Lisa.CHAP\Favorites
2008-02-19 17:51:37 0 d-------- C:\Documents and Settings\Lisa.CHAP\Desktop
2008-02-19 17:51:37 0 d--hs---- C:\Documents and Settings\Lisa.CHAP\Cookies
2008-02-19 17:51:37 0 dr-h----- C:\Documents and Settings\Lisa.CHAP\Application Data
2008-02-19 17:51:37 0 d---s---- C:\Documents and Settings\Lisa.CHAP\Application Data\Microsoft
2008-02-19 17:51:36 0 d--h----- C:\Documents and Settings\Lisa.CHAP\Templates
2008-02-19 17:51:36 0 dr------- C:\Documents and Settings\Lisa.CHAP\Start Menu
2008-02-18 20:23:37 195936 --a------ C:\WINDOWS\system32\QCONNECT.DLL <Not Verified; Intuit Inc.; Quicken 99 for Windows>
2008-02-18 20:23:37 193024 --a------ C:\WINDOWS\system32\QCON3216.EXE <Not Verified; Intuit; Quicken for Windows>
2008-02-18 20:23:37 225280 --a------ C:\WINDOWS\system32\QCON32.DLL <Not Verified; Intuit Inc.; Quicken 99 for Windows>
2008-02-18 20:23:37 41472 --a------ C:\WINDOWS\system32\IPROF32.DLL <Not Verified; Intuit; Intuit Family of Products>
2008-02-18 20:23:36 48640 --a------ C:\WINDOWS\system32\INETWH32.DLL <Not Verified; Blue Sky Software; Blue Sky Software - INETWH32>
2008-02-18 20:23:36 5856 --a------ C:\WINDOWS\system32\INET16.DLL <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2008-02-18 20:23:36 7406 --a------ C:\WINDOWS\ICOADB32.DAT
2008-02-18 20:23:36 73728 --a------ C:\WINDOWS\ICG32.DLL <Not Verified; Intuit; Internet Client 2.4>
2008-02-18 20:23:21 66048 --a------ C:\WINDOWS\system32\mrtRate.dll <Not Verified; Marimba, Inc.; Rate Sensing Manager>
2008-02-18 20:23:21 65536 --a------ C:\WINDOWS\system32\mrtMngr.exe <Not Verified; Marimba Inc.; Rate Sensing Manager>
2008-02-18 20:23:21 34712 --a------ C:\WINDOWS\system32\drivers\MrtRate.sys <Not Verified; Marimba, Inc.; Rate Sensing Manager>
2008-02-18 20:23:02 51200 --a------ C:\WINDOWS\system32\Q_ENCUTL.DLL <Not Verified; Intuit; Online Services>
2008-02-18 20:23:01 73728 --a------ C:\WINDOWS\system32\Q_ENCLIB.DLL <Not Verified; Intuit; Online Services>
2008-02-18 20:23:01 0 d-------- C:\WINDOWS\Intuit
2008-02-18 20:21:43 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-02-18 20:21:40 0 d-------- C:\Documents and Settings\Jason.CHAP\WINDOWS
2008-02-18 19:55:02 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-02-18 19:44:14 0 dr------- C:\Documents and Settings\Jason.CHAP\MyDocuments
2008-02-18 19:35:08 0 d-------- C:\Documents and Settings\Jason.CHAP\Application Data\Identities
2008-02-18 19:34:57 0 d--h----- C:\Documents and Settings\Jason.CHAP\Templates
2008-02-18 19:34:57 0 dr------- C:\Documents and Settings\Jason.CHAP\Start Menu
2008-02-18 19:34:57 0 dr-h----- C:\Documents and Settings\Jason.CHAP\SendTo
2008-02-18 19:34:57 0 d--h----- C:\Documents and Settings\Jason.CHAP\PrintHood
2008-02-18 19:34:57 0 d--h----- C:\Documents and Settings\Jason.CHAP\NetHood
2008-02-18 19:34:57 0 dr------- C:\Documents and Settings\Jason.CHAP\My Documents
2008-02-18 19:34:57 0 d--h----- C:\Documents and Settings\Jason.CHAP\Local Settings
2008-02-18 19:34:57 0 dr------- C:\Documents and Settings\Jason.CHAP\Favorites
2008-02-18 19:34:57 0 d-------- C:\Documents and Settings\Jason.CHAP\Desktop
2008-02-18 19:34:57 0 d--hs---- C:\Documents and Settings\Jason.CHAP\Cookies
2008-02-18 19:34:57 0 dr-h----- C:\Documents and Settings\Jason.CHAP\Application Data
2008-02-18 19:33:37 0 d--h----- C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings
2008-02-18 19:33:37 0 d--hs---- C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies
2008-02-18 19:33:37 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data
2008-02-18 19:33:37 0 d---s---- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft
2008-02-18 19:33:07 1417216 --a------ C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
2008-02-18 19:33:07 0 d--h----- C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings
2008-02-18 19:33:07 0 d--hs---- C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies
2008-02-18 19:33:07 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data
2008-02-18 19:33:07 0 d---s---- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Microsoft
2008-02-18 19:29:40 225280 ---h----- C:\Documents and Settings\Default User.WINDOWS\NTUSER.DAT
2008-02-18 19:26:19 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-18 12:17:27 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\Templates
2008-02-18 12:17:27 0 dr------- C:\Documents and Settings\Default User.WINDOWS\Start Menu
2008-02-18 12:17:27 0 dr-h----- C:\Documents and Settings\Default User.WINDOWS\SendTo
2008-02-18 12:17:27 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\Recent
2008-02-18 12:17:27 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\PrintHood
2008-02-18 12:17:27 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\NetHood
2008-02-18 12:17:27 0 d-------- C:\Documents and Settings\Default User.WINDOWS\My Documents
2008-02-18 12:17:27 0 dr-h----- C:\Documents and Settings\Default User.WINDOWS\Local Settings
2008-02-18 12:17:27 0 d-------- C:\Documents and Settings\Default User.WINDOWS\Favorites
2008-02-18 12:17:27 0 d-------- C:\Documents and Settings\Default User.WINDOWS\Desktop
2008-02-18 12:17:27 0 d---s---- C:\Documents and Settings\Default User.WINDOWS\Cookies
2008-02-18 12:17:27 0 d--h----- C:\Documents and Settings\All Users.WINDOWS\Templates
2008-02-18 12:17:27 0 dr------- C:\Documents and Settings\All Users.WINDOWS\Start Menu
2008-02-18 12:17:27 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Favorites
2008-02-18 12:17:27 0 dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2008-02-18 12:17:27 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Desktop
2008-02-18 12:17:08 0 dr-h----- C:\Documents and Settings\Default User.WINDOWS\Application Data
2008-02-18 12:17:08 0 d---s---- C:\Documents and Settings\Default User.WINDOWS\Application Data\Microsoft
2008-02-18 12:17:08 0 dr-h----- C:\Documents and Settings\All Users.WINDOWS\Application Data
2008-02-18 12:17:08 0 d---s---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2008-02-17 17:23:23 5120 --a------ C:\winazys.exe
2008-02-17 11:37:58 5120 --a------ C:\winhsnm.exe


-- Find3M Report ---------------------------------------------------------------

2008-03-08 10:23:05 0 d-------- C:\Program Files\Google
2008-03-07 21:49:24 0 d-------- C:\Program Files\Common Files
2008-03-07 19:52:31 0 d-------- C:\Program Files\Java
2008-02-29 12:24:42 0 d-------- C:\Program Files\Windows Live
2008-02-23 18:07:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 11:32:32 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-02-22 11:31:38 0 d-------- C:\Program Files\DellSupport
2008-02-21 21:57:25 0 d-------- C:\Program Files\Messenger
2008-02-19 19:34:02 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-18 20:41:14 0 d-------- C:\Program Files\QUICKENW
2008-02-18 12:17:27 62 --ahs---- C:\Documents and Settings\Jason.CHAP\Application Data\desktop.ini
2008-02-13 19:38:18 0 d-------- C:\Program Files\Seagate
2008-02-13 19:37:13 0 d-------- C:\Program Files\MSXML 6.0
2008-02-10 14:50:21 0 d-------- C:\Program Files\Common Files\?asks
2008-02-10 14:50:20 0 d-------- C:\Program Files\F?nts
2008-02-01 12:11:10 586240 --a------ C:\WINDOWS\WLXPGSS.SCR <Not Verified; Microsoft Corporation; Windows Live Photo Gallery>
2008-01-15 18:37:40 0 d-------- C:\Program Files\IMVU


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c491e82-b7f9-4296-a9fb-2e50dcf6ec66}]
03/14/2008 06:45 PM 98368 --a------ C:\WINDOWS\system32\fwkbmwct.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71AA461B-010C-4922-AE44-CA09031545C9}]
03/14/2008 03:58 PM 297984 --a------ C:\WINDOWS\system32\jkhfc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90716be6-37b9-41eb-a55a-d3e98e3769bd}]
03/09/2008 01:43 PM 91200 --a------ C:\WINDOWS\system32\rbrqowdj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 04:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 04:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 04:50 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [10/22/2007 01:52 PM]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [10/09/2007 04:46 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [02/16/2008 06:45 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 03:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\QUICKENW\BILLMIND.EXE [2/18/2008 8:23:02 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Quicken Startup.lnk - C:\Program Files\QUICKENW\QWDLLS.EXE [2/18/2008 8:23:21 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhfc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan




-- End of Deckard's System Scanner: finished at 2008-03-14 22:08:51 ------------


Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz
CPU 1: Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 38%
Physical Memory (total/avail): 1014.07 MiB / 628.06 MiB
Pagefile Memory (total/avail): 2441.3 MiB / 2012.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.5 MiB

C: is Fixed (NTFS) - 52.71 GiB total, 28.69 GiB free.
D: is Fixed (NTFS) - 18.61 GiB total, 16.79 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG HD080HJ/P - 74.5 GiB - 4 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 52.71 GiB - C:
\PARTITION2 - Installable File System - 18.61 GiB - D:
\PARTITION3 - Unknown - 3.15 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Bitdefender Antivirus v8.0 (BitDefender)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Jason.CHAP\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHAP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jason.CHAP
LOGONSERVER=\\CHAP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JASON~1.CHA\LOCALS~1\Temp
TMP=C:\DOCUME~1\JASON~1.CHA\LOCALS~1\Temp
USERDOMAIN=CHAP
USERNAME=Jason
USERPROFILE=C:\Documents and Settings\Jason.CHAP
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jason.CHAP (admin)
Lisa.CHAP (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BitDefender Antivirus 2008 --> MsiExec.exe /I{4A56DAB1-2680-4B8A-AD84-77EECFB94D7B}
Dell Resource CD --> MsiExec.exe /X{FCD9CD52-7222-4672-94A0-A722BA702FD0}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Connections Drivers --> Prounstl.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Quicken 2002 Deluxe --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
Sansa Updater --> C:\Program Files\InstallShield Installation Information\{E2D7E05E-C8C7-45F4-8D89-D6696075E0B7}\setup.exe -runfromtemp -l0x0009 -removeonly
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Photo Gallery --> MsiExec.exe /X{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1458 / Warning
Event Submitted/Written: 03/14/2008 10:01:50 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.

Event Record #/Type1457 / Warning
Event Submitted/Written: 03/14/2008 10:01:50 PM
Event ID/Source: 4356 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}. CoGetObject returned HRESULT 80080005.

Event Record #/Type1431 / Success
Event Submitted/Written: 03/14/2008 06:38:09 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1406 / Success
Event Submitted/Written: 03/14/2008 08:44:44 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1404 / Error
Event Submitted/Written: 03/14/2008 08:08:20 AM
Event ID/Source: 1024 / MsiInstaller
Event Description:
Product: Microsoft Office XP Professional - Update 'Security Update for Office XP (KB947866): SHARED' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4478 / Error
Event Submitted/Written: 03/14/2008 10:01:50 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E} did not register with DCOM within the required timeout.

Event Record #/Type4462 / Error
Event Submitted/Written: 03/14/2008 09:50:21 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type4461 / Error
Event Submitted/Written: 03/14/2008 09:49:45 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AVG Anti-Spyware Driver
bdftdif
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Event Record #/Type4460 / Error
Event Submitted/Written: 03/14/2008 09:49:45 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type4459 / Error
Event Submitted/Written: 03/14/2008 09:49:45 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-03-14 22:08:51 ------------
  • 0

#4
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\fwkbmwct.dll
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\rbrqowdj.dll
C:\WINDOWS\system32\qbkxybjf.dll
C:\WINDOWS\system32\obpnehoy.dll
C:\WINDOWS\system32\tegiobee.dll
C:\WINDOWS\system32\dhueeead.dll
C:\WINDOWS\system32\cofmjqen.dll
C:\WINDOWS\system32\ifsrxapr.dll
C:\WINDOWS\system32\cwagfstl.dll
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\vustciek.dll
C:\WINDOWS\system32\cxvhfpyd.dll
C:\WINDOWS\system32\cftaacqw.dll
C:\WINDOWS\system32\ppladdny.dll
C:\WINDOWS\system32\wjomjsin.dll
C:\WINDOWS\system32\lfqornxn.dll
C:\WINDOWS\system32\dtvekcir.dll
C:\WINDOWS\system32\yvafrtmy.dll
C:\WINDOWS\system32\mbysgkbd.dll
C:\WINDOWS\system32\darjsrvd.dll
C:\WINDOWS\system32\jhthkije.dll
C:\WINDOWS\system32\vkwpabcc.dll
C:\WINDOWS\system32\psffisas.dll
C:\WINDOWS\system32\wddtujbt.dll
C:\WINDOWS\system32\sumrmvfe.dll
C:\WINDOWS\system32\esajssgo.dll
C:\WINDOWS\system32\xhqvmwyn.dll
C:\WINDOWS\system32\rharjmuh.dll
C:\WINDOWS\system32\crxgagih.dll
C:\WINDOWS\system32\trvuwmyj.dll
C:\WINDOWS\system32\xkdtbdlv.dll
C:\WINDOWS\system32\nbagsacw.dll
C:\winazys.exe
C:\winhsnm.exe

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c491e82-b7f9-4296-a9fb-2e50dcf6ec66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71AA461B-010C-4922-AE44-CA09031545C9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90716be6-37b9-41eb-a55a-d3e98e3769bd}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include:
  • The contents of Avenger.txt
  • The MBAM log
  • The contents of Kaspersky.txt
  • A fresh DSS log, taken after completing all of the above

Regards,
RatHat
  • 0
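The DSS registry dump earlier in this thread shows the two persistence points that the Avenger script above targets: three Browser Helper Objects whose modules are random-looking DLL names in system32, and the LSA "Authentication Packages" value with an extra DLL appended after msv1_0 (anything listed there is loaded into lsass.exe at boot). The following is an added example written for this page, not code from DSS, The Avenger or the forum post: a small Python checker that parses the Registry Dump section of a DSS log and flags both patterns. The embedded sample is the registry dump copied from the log in this thread; the "random name" heuristic (five to eight letters, no digits) is an assumption of this example, not a rule DSS or any product applies, and a legitimate BHO installed into system32 would need whitelisting.

```python
"""Flag Virtumonde-style persistence entries in the Registry Dump section of a
Deckard's System Scanner (DSS) log.

Added example for this thread; it is not code from DSS, The Avenger or the
forum post above, and the 'random name' heuristic below is an assumption.
"""
import re

# Constructed sample: the Registry Dump lines copied from the DSS log in this
# thread (three BHO entries, two legitimate Run entries, and the LSA entry).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c491e82-b7f9-4296-a9fb-2e50dcf6ec66}]
03/14/2008 06:45 PM 98368 --a------ C:\WINDOWS\system32\fwkbmwct.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71AA461B-010C-4922-AE44-CA09031545C9}]
03/14/2008 03:58 PM 297984 --a------ C:\WINDOWS\system32\jkhfc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90716be6-37b9-41eb-a55a-d3e98e3769bd}]
03/09/2008 01:43 PM 91200 --a------ C:\WINDOWS\system32\rbrqowdj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 04:49 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [02/16/2008 06:45 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhfc.dll
"""

# Heuristic (assumption of this example): a module in system32 whose base name
# is 5-8 letters with no digits or underscores, as the DLLs in this log are.
RANDOM_SYSTEM32_DLL = re.compile(r"C:\\WINDOWS\\system32\\[a-z]{5,8}\.dll$", re.IGNORECASE)

# The only authentication package a stock Windows XP install lists.
KNOWN_AUTH_PACKAGES = {"msv1_0"}


def parse_dump(text):
    """Split a DSS registry dump into {key: [entry lines]}, in file order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def find_suspicious_bhos(sections):
    """Return (CLSID, module path) for each BHO whose module matches the heuristic."""
    hits = []
    for key, lines in sections.items():
        if "Browser Helper Objects" not in key:
            continue
        clsid = key.rsplit("\\", 1)[-1]
        for line in lines:
            match = RANDOM_SYSTEM32_DLL.search(line)
            if match:
                hits.append((clsid, match.group(0)))
    return hits


def find_lsa_extra_packages(sections):
    """Return every entry in LSA 'Authentication Packages' other than msv1_0.

    DSS prints this REG_MULTI_SZ value space-separated, so a path containing
    spaces would need a smarter split than the one used here.
    """
    for key, lines in sections.items():
        if not key.lower().endswith("\\control\\lsa"):
            continue
        for line in lines:
            name, _, value = line.partition("=")
            if name.strip().strip('"').lower() == "authentication packages":
                return [p for p in value.split() if p.lower() not in KNOWN_AUTH_PACKAGES]
    return []


def check_dump(text):
    """Run both checks over a registry dump and return the findings."""
    sections = parse_dump(text)
    return {
        "suspicious_bhos": find_suspicious_bhos(sections),
        "lsa_extra_packages": find_lsa_extra_packages(sections),
    }


if __name__ == "__main__":
    findings = check_dump(SAMPLE_DUMP)
    for clsid, path in findings["suspicious_bhos"]:
        print(f"BHO {clsid} -> {path}")
    for path in findings["lsa_extra_packages"]:
        print(f"LSA Authentication Packages loads: {path}")
```

On the sample above it reports the three BHO DLLs and the jkhfc.dll entry in Authentication Packages, which is exactly the set of registry keys and the LSA-loaded module the Avenger script deals with. To use it on another DSS log, paste that log's Registry Dump section in place of SAMPLE_DUMP, or read it from a file and pass the text to check_dump().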

#5
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Do you still require assistance with this log?

Regards,
RatHat
  • 0

#6
chapjl

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
No, but I sure appreciate your help trying to fix this. By about the 6th I realized it would be easier to reload the operating system than to keep trying new options. You have a wealth of knowledge and I appreciate the help.
  • 0

#7
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, sorry we could not be of help. I will mark this log as resolved, and close it.

Regards,
RatHat
  • 0





