Need Help with Virtumonde


  • This topic is locked

#31
justine123

  • Member
  • Topic Starter
  • 82 posts
Here's the Avenger log:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Fri Apr 04 18:13:05 2008

18:12:51: Error: Invalid registry syntax in command:
"HKEY_CLASSES_ROOT\CLSID\{2294E83B-BFF8-4C8A-A4D7-770DDF9D1817}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:12:58: Error: Invalid registry syntax in command:
"HKEY_CLASSES_ROOT\CLSID\{636bbe18-86ec-4e72-87ea-a8c4b91ddb3e}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:13:00: Error: Invalid registry syntax in command:
"HKEY_CLASSES_ROOT\CLSID\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\FOoUBcdd.ini2" deleted successfully.
File "C:\WINDOWS\system32\opnlMdAR.dll" deleted successfully.
File "C:\WINDOWS\system32\puognnjl.dll" deleted successfully.
File "C:\WINDOWS\system32\gfrtdqbd.dll" deleted successfully.
File "C:\WINDOWS\system32\ddcBUoOF.dll" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2294E83B-BFF8-4C8A-A4D7-770DDF9D1817}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2294E83B-BFF8-4C8A-A4D7-770DDF9D1817}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636bbe18-86ec-4e72-87ea-a8c4b91ddb3e}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636bbe18-86ec-4e72-87ea-a8c4b91ddb3e}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJATKcy" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlMdAR" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMbbac1797" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Here's the main.txt from DSS. No extra.txt output again.

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-04 18:20:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:32 PM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2294E83B-BFF8-4C8A-A4D7-770DDF9D1817} - C:\WINDOWS\system32\ddcBUoOF.dll (file missing)
O2 - BHO: {e3bdd19b-4c8a-ae78-27e4-ce6881ebb636} - {636bbe18-86ec-4e72-87ea-a8c4b91ddb3e} - C:\WINDOWS\system32\puognnjl.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [b89f240b] rundll32.exe "C:\WINDOWS\system32\wnxlbvuv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: xxywTNFv - C:\WINDOWS\SYSTEM32\xxywTNFv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7142 bytes

-- Files created between 2008-03-04 and 2008-04-04 -----------------------------

2008-04-04 18:15:25 38912 --a------ C:\WINDOWS\system32\xxywTNFv.dll
2008-04-04 17:53:32 83520 --a------ C:\WINDOWS\system32\wnxlbvuv.dll
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-04 14:48:06 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-03 14:45:00 68096 --a------ C:\WINDOWS\zip.exe
2008-04-03 14:45:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-03 14:45:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-03 14:45:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-03 14:45:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-03 14:45:00 98816 --a------ C:\WINDOWS\sed.exe
2008-04-03 14:45:00 80412 --a------ C:\WINDOWS\grep.exe
2008-04-03 14:45:00 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 23:05:57 0 d-------- C:\Program Files\Lavasoft
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 16:43:42 0 d-------- C:\VundoFix Backups
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 -----n--- C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 1835008 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2294E83B-BFF8-4C8A-A4D7-770DDF9D1817}]
C:\WINDOWS\system32\ddcBUoOF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636bbe18-86ec-4e72-87ea-a8c4b91ddb3e}]
C:\WINDOWS\system32\puognnjl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [08/01/2007 05:16 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"b89f240b"="C:\WINDOWS\system32\wnxlbvuv.dll" [04/04/2008 05:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [04/02/2008 07:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\xxywTNFv.dll [04/04/2008 06:15 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywTNFv]
xxywTNFv.dll 04/04/2008 06:15 PM 38912 C:\WINDOWS\system32\xxywTNFv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcBUoOF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-04-04 18:30:30 ------------
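The logs above carry the classic Vundo/Virtumonde fingerprint: eight-letter random DLLs under system32 registered as BHOs (two of them already "(file missing)"), a hex-named Run value that loads one through rundll32, a Winlogon Notify package, a ShellExecuteHooks entry, and an extra path appended to the LSA "Authentication Packages" list next to msv1_0. As an added example (not code from the thread, nor from HijackThis, DSS or The Avenger), the Python below parses the O2/O4/O20 lines and the DSS LSA line pasted in this post and flags those indicators; it also decodes the hex(7) REG_MULTI_SZ form that a .reg file uses, so one can confirm that a fix of that kind restores the list to exactly msv1_0. The sample lines are copied from this post; the heuristics, the function names and the allowlist of expected LSA packages are this example's own and generalise the pattern slightly beyond this one log.

```python
"""Triage of the HijackThis / DSS output pasted above (added example).

Not code from the thread or from HijackThis, DSS or The Avenger. The sample
lines are copied from this post; the red-flag heuristics, the function names
and the allowlist of expected LSA packages are this example's own choices.
"""
import re

# Constructed sample: O2/O4/O20 lines taken from the HijackThis section above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2294E83B-BFF8-4C8A-A4D7-770DDF9D1817} - C:\WINDOWS\system32\ddcBUoOF.dll (file missing)
O2 - BHO: {e3bdd19b-4c8a-ae78-27e4-ce6881ebb636} - {636bbe18-86ec-4e72-87ea-a8c4b91ddb3e} - C:\WINDOWS\system32\puognnjl.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [b89f240b] rundll32.exe "C:\WINDOWS\system32\wnxlbvuv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: xxywTNFv - C:\WINDOWS\SYSTEM32\xxywTNFv.dll
"""

# Constructed sample: the LSA line from the DSS registry dump above.
AUTH_SAMPLE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcBUoOF'

# Constructed sample: a .reg REG_MULTI_SZ value in hex(7) form, including the
# backslash line continuation that regedit exports use.
REG_FIX_VALUE = "hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n00"

_LINE_RE = re.compile(r'^(O2|O4|O20) - (.*)$')
# First Windows path on the line that ends in .dll/.exe (stops at a quote).
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:dll|exe))', re.IGNORECASE)
# Eight-letter DLL directly under system32: the naming seen in this log.
_RANDOM_DLL_RE = re.compile(r'\\windows\\system32\\[a-z]{8}\.dll$', re.IGNORECASE)


def parse_hjt(text):
    """Turn O2/O4/O20 lines into dicts: section, name, path, file_missing."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section == 'O2':            # "BHO: <name> - {CLSID} - <path>"
            name = rest.split(' - ')[0][len('BHO: '):]
        elif section == 'O4':          # "HKLM\..\Run: [<value name>] <command>"
            name = re.search(r'\[([^\]]+)\]', rest).group(1)
        else:                          # "Winlogon Notify: <subkey> - <path>"
            name = rest.split(' - ')[0][len('Winlogon Notify: '):]
        pm = _PATH_RE.search(rest)
        entries.append({'section': section, 'name': name,
                        'path': pm.group(1) if pm else '',
                        'file_missing': '(file missing)' in rest})
    return entries


def suspicious_reasons(entry):
    """List the red flags for one parsed entry (empty list means clean)."""
    reasons = []
    if entry['file_missing']:                      # orphaned BHO registration
        reasons.append('file missing')
    if _RANDOM_DLL_RE.search(entry['path']):       # random-named DLL in system32
        reasons.append('8-letter random DLL in system32')
    if entry['section'] == 'O4' and re.fullmatch(r'[0-9a-f]{8}', entry['name']):
        reasons.append('hex-looking Run value name')
    if entry['section'] == 'O2' and (entry['name'] == '(no name)'
                                     or entry['name'].startswith('{')):
        reasons.append('BHO without a descriptive name')
    return reasons


def triage(text):
    """Map entry name -> reasons, for every entry with at least one red flag."""
    flagged = {}
    for entry in parse_hjt(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry['name']] = reasons
    return flagged


def parse_auth_packages(dump_line):
    """Split the DSS 'Authentication Packages' line into its entries.

    DSS prints the REG_MULTI_SZ entries space-separated, so this assumes
    no entry contains a space (true for the stock value and for this log).
    """
    _, _, value = dump_line.partition('=')
    return value.split()


def rogue_auth_packages(packages, expected=('msv1_0',)):
    """Anything beyond the stock NTLM package is an extra LSA-loaded DLL."""
    return [p for p in packages if p.lower() not in expected]


def decode_reg_multi_sz(hex7):
    """Decode a .reg 'hex(7):' payload (UTF-16LE, NUL-separated) to strings."""
    body = re.sub(r'[\\\s]', '', hex7.split(':', 1)[1])   # drop continuations
    raw = bytes(int(b, 16) for b in body.split(',') if b)
    return [s for s in raw.decode('utf-16-le').split('\x00') if s]


if __name__ == '__main__':
    for name, reasons in triage(HJT_SAMPLE).items():
        print(f'{name}: {", ".join(reasons)}')
    print('extra LSA packages:', rogue_auth_packages(parse_auth_packages(AUTH_SAMPLE)))
    print('.reg value decodes to:', decode_reg_multi_sz(REG_FIX_VALUE))
```

Run as-is it reports the four Vundo entries and nothing from Adobe, Symantec, ctfmon or SUPERAntiSpyware; the LSA check shows why the extra package matters: LSASS loads every listed DLL at boot, before any user logs on, so the value must be restored to msv1_0 alone or the infection reloads on the next start.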

#32
Rorschach112

  • Ralphie
  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {2294E83B-BFF8-4C8A-A4D7-770DDF9D1817} - C:\WINDOWS\system32\ddcBUoOF.dll (file missing)
O2 - BHO: {e3bdd19b-4c8a-ae78-27e4-ce6881ebb636} - {636bbe18-86ec-4e72-87ea-a8c4b91ddb3e} - C:\WINDOWS\system32\puognnjl.dll (file missing)
O4 - HKLM\..\Run: [b89f240b] rundll32.exe "C:\WINDOWS\system32\wnxlbvuv.dll",b
O20 - Winlogon Notify: xxywTNFv - C:\WINDOWS\SYSTEM32\xxywTNFv.dll


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00

[-HKEY_CLASSES_ROOT\CLSID\{2294E83B-BFF8-4C8A-A4D7-770DDF9D1817}]

[-HKEY_CLASSES_ROOT\CLSID\{636bbe18-86ec-4e72-87ea-a8c4b91ddb3e}]

[-HKEY_CLASSES_ROOT\CLSID\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}]


Then double click on the fix.reg file, when it prompts to merge click "Yes".




1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\xxywTNFv.dll
C:\WINDOWS\system32\wnxlbvuv.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2294E83B-BFF8-4C8A-A4D7-770DDF9D1817}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636bbe18-86ec-4e72-87ea-a8c4b91ddb3e}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywTNFv

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | b89f240b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log by using Add/Reply
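
The three fixes in this post all go after the persistence points Vundo/Virtumonde is using on this machine: the LSA "Authentication Packages" REG_MULTI_SZ (every DLL listed there is loaded into lsass.exe at boot, so the extra C:\WINDOWS\system32\ddcBUoOF entry in the DSS dump is the real foothold), the Winlogon Notify and ShellExecuteHooks entries, and the Run value. The Python below is an added example for this page, not code from DSS, HijackThis, Avenger or either poster. It pulls those entries out of log lines copied from this thread, flags system32 DLLs with the 8-letter machine-generated names Vundo uses (a triage heuristic assumed for this example that can also flag legitimate 8-letter names), expands the `~` shorthand DSS uses for SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer into a literal key path, and regenerates and decodes the hex(7) line of the fix.reg above so you can see what that byte string says before merging it.

```python
"""Triage of the Vundo/Virtumonde persistence points seen in this thread's
DSS and HijackThis logs.  Added example for this page; not code from DSS,
HijackThis, Avenger or any other tool mentioned in the thread."""
import re

# The only package that belongs in the LSA "Authentication Packages"
# REG_MULTI_SZ on a stock Windows XP box; anything else is loaded into lsass.exe.
LEGIT_AUTH_PACKAGES = {"msv1_0"}

# DSS abbreviates this key path as "~" in its registry dump.
DSS_TILDE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

# Vundo drops DLLs straight into system32 under random 8-letter names
# (xxywTNFv.dll, ddcBUoOF.dll, nnnnLcyX.dll, seprddxt.dll in this thread).
# This is a triage heuristic assumed for this example, not a rule any tool in
# the thread applies; it can hit legitimate 8-letter names, so review the hits.
SYSTEM32_DLL = re.compile(r"\\system32\\([A-Za-z]{8})(?:\.dll)?\b", re.IGNORECASE)


def looks_machine_generated(stem: str) -> bool:
    """Mixed case, or almost no vowels, is typical of Vundo's generated names."""
    mixed_case = any(c.isupper() for c in stem) and any(c.islower() for c in stem)
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return mixed_case or vowels <= 2


def suspicious_dlls(log_text: str) -> list[tuple[str, str]]:
    """(dll_stem, log_line) for every line that loads a suspect DLL from system32."""
    hits = []
    for line in log_text.splitlines():
        for m in SYSTEM32_DLL.finditer(line):
            if looks_machine_generated(m.group(1)):
                hits.append((m.group(1), line.strip()))
    return hits


def auth_packages(dss_line: str) -> list[str]:
    """Parse DSS's rendering: '"Authentication Packages"= msv1_0 C:\\...\\ddcBUoOF'."""
    m = re.match(r'\s*"Authentication Packages"=\s*(.*)$', dss_line)
    if not m:
        raise ValueError("not a DSS Authentication Packages line")
    return m.group(1).split()  # system32 paths carry no spaces, so split is safe


def rogue_auth_packages(dss_line: str) -> list[str]:
    """Entries that do not belong: exactly what the fix.reg in this post removes."""
    return [p for p in auth_packages(dss_line) if p.lower() not in LEGIT_AUTH_PACKAGES]


def expand_dss_key(key: str) -> str:
    """Turn 'HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{...}' into the literal
    key path a tool that takes paths verbatim (regedit, Avenger) would need."""
    return key.replace("\\~\\", "\\" + DSS_TILDE + "\\")


def reg_multi_sz_hex7(values: list[str]) -> str:
    """Encode a REG_MULTI_SZ as a .reg file carries it: hex(7) of each string in
    UTF-16LE followed by a NUL, with one more NUL closing the list."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_hex7(value: str) -> list[str]:
    """Inverse of reg_multi_sz_hex7; accepts regedit's backslash-newline continuation."""
    body = value.split(":", 1)[1].replace("\\\n", "").replace("\\", "")
    raw = bytes(int(h, 16) for h in re.split(r"[,\s]+", body.strip()) if h)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def lsa_reset_reg() -> str:
    """The fix.reg body from this post, regenerated rather than hand-typed."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa]\r\n"
        f'"Authentication Packages"={reg_multi_sz_hex7(["msv1_0"])}\r\n'
    )


# Lines copied from the HijackThis / DSS logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2294E83B-BFF8-4C8A-A4D7-770DDF9D1817} - C:\WINDOWS\system32\ddcBUoOF.dll (file missing)
O4 - HKLM\..\Run: [b89f240b] rundll32.exe "C:\WINDOWS\system32\wnxlbvuv.dll",b
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: xxywTNFv - C:\WINDOWS\SYSTEM32\xxywTNFv.dll
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\nnnnLcyX.dll [04/04/2008 07:03 PM 38912]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyvSMf
"""

if __name__ == "__main__":
    for stem, line in suspicious_dlls(SAMPLE_LOG):
        print(f"suspect {stem}: {line}")
    lsa = next(l for l in SAMPLE_LOG.splitlines() if "Authentication Packages" in l)
    print("rogue LSA packages:", rogue_auth_packages(lsa))
    print(expand_dss_key(r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2294E83B-BFF8-4C8A-A4D7-770DDF9D1817}"))
    print(lsa_reset_reg())
```

The hex(7) string in the fix.reg above decodes to the single package msv1_0, which is the stock XP value, so merging it drops whatever else DSS showed on the "Authentication Packages" line. One caveat when carrying DSS key names into another tool: DSS prints the Explorer path as `~`, and a tool that takes the path literally will not find `HKEY_LOCAL_MACHINE\~\...`; expand it first.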

#33 justine123 (Member, Topic Starter, 82 posts)
Here's the Avenger output:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\xxywTNFv.dll" deleted successfully.
File "C:\WINDOWS\system32\wnxlbvuv.dll" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2294E83B-BFF8-4C8A-A4D7-770DDF9D1817}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2294E83B-BFF8-4C8A-A4D7-770DDF9D1817}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636bbe18-86ec-4e72-87ea-a8c4b91ddb3e}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{636bbe18-86ec-4e72-87ea-a8c4b91ddb3e}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywTNFv" deleted successfully.

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b89f240b"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b89f240b" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Here's the main.txt output from DSS.

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-04 19:05:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:23 PM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: nnnnLcyX - C:\WINDOWS\SYSTEM32\nnnnLcyX.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6808 bytes

-- Files created between 2008-03-04 and 2008-04-04 -----------------------------

2008-04-04 19:03:46 38912 --a------ C:\WINDOWS\system32\nnnnLcyX.dll
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-04 14:48:06 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-03 14:45:00 68096 --a------ C:\WINDOWS\zip.exe
2008-04-03 14:45:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-03 14:45:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-03 14:45:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-03 14:45:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-03 14:45:00 98816 --a------ C:\WINDOWS\sed.exe
2008-04-03 14:45:00 80412 --a------ C:\WINDOWS\grep.exe
2008-04-03 14:45:00 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 23:05:57 0 d-------- C:\Program Files\Lavasoft
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 16:43:42 0 d-------- C:\VundoFix Backups
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 -----n--- C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 1835008 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-04-04 19:11:58 169718 --ahs---- C:\WINDOWS\system32\fMSvycdd.ini2
2008-04-04 19:11:55 83520 --a------ C:\WINDOWS\system32\seprddxt.dll
2008-04-04 19:09:41 87104 --a------ C:\WINDOWS\system32\iykxsash.dll
2008-04-04 19:08:52 269312 --a------ C:\WINDOWS\system32\ddcyvSMf.dll
2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A8BE31C-604B-4E01-9AB4-E1B8B87307CB}]
04/04/2008 07:08 PM 269312 --a------ C:\WINDOWS\system32\ddcyvSMf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [08/01/2007 05:16 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"BMbbac1797"="C:\WINDOWS\system32\iykxsash.dll" [04/04/2008 07:09 PM]
"b89f240b"="C:\WINDOWS\system32\seprddxt.dll" [04/04/2008 07:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [04/02/2008 07:24 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\nnnnLcyX.dll [04/04/2008 07:03 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnLcyX]
nnnnLcyX.dll 04/04/2008 07:03 PM 38912 C:\WINDOWS\system32\nnnnLcyX.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyvSMf

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-04-04 19:17:12 ------------
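The load points in the log above are the interesting part: a Run value pointing at a bare DLL, a ShellExecuteHook CLSID whose DLL sits in system32, a Winlogon\Notify subkey that gets the same DLL loaded into winlogon.exe, and an extra LSA "Authentication Packages" entry (ddcyvSMf) that lsass.exe will load at boot. The Python below is an added example, not code from the thread or from Deckard's System Scanner or ComboFix: it parses the dump format shown above (a constructed, trimmed sample is embedded) and flags those entries. The Windows XP SP2 default allowlists (Notify subkeys, msv1_0, shell32.dll) and the rule that a Run value naming a .dll is suspect are assumptions of this example, not facts taken from the thread.

```python
"""Triage registry load points from a DSS / ComboFix-style log dump."""
import re
from dataclasses import dataclass

# Constructed sample in the dump format shown in the thread (trimmed copy,
# not the poster's full log).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"BMbbac1797"="C:\WINDOWS\system32\iykxsash.dll" [04/04/2008 07:09 PM]
"b89f240b"="C:\WINDOWS\system32\seprddxt.dll" [04/04/2008 07:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\nnnnLcyX.dll [04/04/2008 07:03 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnLcyX]
nnnnLcyX.dll 04/04/2008 07:03 PM 38912 C:\WINDOWS\system32\nnnnLcyX.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyvSMf
"""

# Assumed XP SP2 default Winlogon\Notify subkeys (vendor add-ons vary).
XP_NOTIFY_DEFAULTS = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}
# Assumed default: a stand-alone XP box lists only msv1_0 here.
LSA_DEFAULT_PACKAGES = {"msv1_0"}
# Assumed default: XP's stock ShellExecuteHook lives in shell32.dll.
SHELL_HOOK_DEFAULT_MODULES = {"shell32.dll"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"')
HOOK_RE = re.compile(r'^"(?P<clsid>\{[^}]+\})"=\s*(?P<path>.+?)\s*\[')
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<packages>.+)$')
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


@dataclass(frozen=True, order=True)
class Finding:
    category: str
    key: str
    module: str


def last_path(line: str) -> str:
    """Return the last drive-letter path on a line; Notify lines repeat it."""
    starts = [m.start() for m in DRIVE_RE.finditer(line)]
    return line[starts[-1]:].strip() if starts else ""


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_load_points(dump: str) -> list[Finding]:
    """Walk the dump and flag load points that match the Virtumonde pattern."""
    findings: set[Finding] = set()
    key = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            m = RUN_RE.match(line)
            # A Run value should name an executable; a bare DLL here is the
            # pattern the thread's log shows for the Virtumonde loaders.
            if m and m.group("path").lower().endswith(".dll"):
                findings.add(Finding("Run value is a DLL", key, m.group("path")))
        elif k.endswith("\\shellexecutehooks"):
            m = HOOK_RE.match(line)
            if (m and in_system32(m.group("path"))
                    and basename(m.group("path")).lower() not in SHELL_HOOK_DEFAULT_MODULES):
                findings.add(Finding("ShellExecuteHook in system32", key, m.group("path")))
        elif "\\winlogon\\notify\\" in k:
            sub = key.rsplit("\\", 1)[-1]
            path = last_path(line)
            if path and sub not in XP_NOTIFY_DEFAULTS and in_system32(path):
                findings.add(Finding("Winlogon Notify DLL in system32", key, path))
        elif k.endswith("\\control\\lsa"):
            m = LSA_RE.match(line)
            if m:
                # Packages are space separated in the dump; anything beyond
                # msv1_0 is loaded into lsass.exe at boot.
                for pkg in m.group("packages").split():
                    if basename(pkg).lower() not in LSA_DEFAULT_PACKAGES:
                        findings.add(Finding("Extra LSA authentication package", key, pkg))
    return sorted(findings)


if __name__ == "__main__":
    for f in triage_load_points(SAMPLE_DUMP):
        print(f"{f.category:34} {f.module}")
```

On the sample this reports the two Run DLLs, nnnnLcyX.dll twice (once as a ShellExecuteHook, once as a Notify DLL) and ddcyvSMf as an extra LSA package, while SUPERAntiSpyware's hook and Notify DLL under Program Files and ctfmon.exe are left alone. Run values that go through rundll32.exe would need their argument inspected as well; that case is not in the sample.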

#34 Rorschach112 (Retired Staff, 47,710 posts)
Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#35 justine123 (Topic Starter, Member, 82 posts)
Here's my Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 05, 2008 12:42:43 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 682641
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 23786
Number of viruses found: 2
Number of infected objects: 47
Number of suspicious objects: 0
Duration of the scan process: 00:40:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla\Firefox\Profiles\laepd470.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla\Firefox\Profiles\laepd470.default\history.dat Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla\Firefox\Profiles\laepd470.default\key3.db Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla\Firefox\Profiles\laepd470.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla\Firefox\Profiles\laepd470.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla\Firefox\Profiles\laepd470.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\Application Data\Mozilla\Firefox\Profiles\laepd470.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\Application Data\Mozilla\Firefox\Profiles\laepd470.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\Application Data\Mozilla\Firefox\Profiles\laepd470.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\Application Data\Mozilla\Firefox\Profiles\laepd470.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\History\History.IE5\MSHist012008040420080405\index.dat Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jenny Zhao\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jenny Zhao\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jenny Zhao\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080404-173839-928.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awttttSI.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXRIxXn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcYpqrS.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hgGWqNec.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hgGYPGxu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iifdefee.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opnonoLb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pMDvtqPF.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qoMfdcdE.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqOFXoo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUmLbyY.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wtxrpjoy.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.bgj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yaywxXnN.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-03_145103.85.zip/Documents and Settings/Jenny Zhao/Desktop/catchme.zip/ssqOEUkK.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-03_145103.85.zip/Documents and Settings/Jenny Zhao/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-03_145103.85.zip ZIP: infected - 2 skipped
C:\QooBox\Quarantine\catchme2008-04-03_180300.85.zip/Documents and Settings/Jenny Zhao/Desktop/catchme.zip/urqOGASJ.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-03_180300.85.zip/Documents and Settings/Jenny Zhao/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-03_180300.85.zip ZIP: infected - 2 skipped
C:\QooBox\Quarantine\catchme2008-04-03_212046.75.zip/Documents and Settings/Jenny Zhao/Desktop/catchme.zip/rqRKATMf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-03_212046.75.zip/Documents and Settings/Jenny Zhao/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-03_212046.75.zip ZIP: infected - 2 skipped
C:\QooBox\Quarantine\catchme2008-04-04_144200.81.zip/Documents and Settings/Jenny Zhao/Desktop/catchme.zip/yayvTlJD.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-04_144200.81.zip/Documents and Settings/Jenny Zhao/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-04_144200.81.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP27\A0005246.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP27\A0005247.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP27\A0005249.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP27\A0005252.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP27\A0005253.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP27\A0005254.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP27\A0005256.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP27\A0005258.dll Infected: not-a-virus:AdWare.Win32.Agent.bgj skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP31\A0005454.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP31\A0005455.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP33\A0005558.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP33\A0005562.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP34\A0005629.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP34\A0005646.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP34\A0005647.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP34\A0005661.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP34\A0005678.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP34\A0005694.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP34\A0005710.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP34\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\efcDWOEU.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nnnnLcyX.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Cookies\index.dat Object is locked skipped
C:\WINDOWS\TEMP\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Thanks!
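The report above counts 47 infected objects, but the paths show that almost all of them are copies: ComboFix's QooBox quarantine (including the catchme zips), the HijackThis backup folder and System Restore snapshots, none of which are loaded while the machine runs. Only efcDWOEU.dll and nnnnLcyX.dll in system32 are live files. The Python below is an added example, not part of the thread or of Kaspersky's scanner: it parses report lines in this format (a constructed sample is embedded, with the profile name replaced) and separates live hits from stored copies, locked files and the per-archive summary lines, so the live ones stand out. The quarantine path markers are assumptions and would need extending for other tools.

```python
"""Separate live detections from stored copies in a Kaspersky Online Scanner report."""
import re

# Constructed sample lines in the report format shown in the thread; paths
# shortened and the profile name replaced with "user".
SAMPLE_REPORT = r"""
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080404-173839-928.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awttttSI.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-03_145103.85.zip/Documents and Settings/user/Desktop/catchme.zip/ssqOEUkK.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\QooBox\Quarantine\catchme2008-04-03_145103.85.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP27\A0005258.dll Infected: not-a-virus:AdWare.Win32.Agent.bgj skipped
C:\WINDOWS\system32\efcDWOEU.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
C:\WINDOWS\system32\nnnnLcyX.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mbi skipped
"""

# Assumed markers for places that hold copies not loaded at runtime; add
# other tools' quarantine folders as needed.
STORED_MARKERS = (
    ("quarantine", "\\qoobox\\quarantine\\"),
    ("quarantine", "\\hijackthis\\backups\\"),
    ("restore point", "\\system volume information\\_restore"),
)
LOCKED_SUFFIX = " Object is locked skipped"
# "<object> Infected: <signature> <action>"
HIT_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<sig>\S+) (?P<action>\S+)$")
# "<archive> ZIP: infected - <n> <action>" (a roll-up of members already listed)
ARCHIVE_RE = re.compile(r"^(?P<obj>.+?) (?P<fmt>[A-Z0-9]+): infected - (?P<n>\d+) (?P<action>\S+)$")


def classify(obj: str) -> str:
    """Return 'live' unless the object sits in a known storage location."""
    low = obj.lower()
    for label, marker in STORED_MARKERS:
        if marker in low:
            return label
    return "live"


def triage_report(report: str) -> dict[str, list]:
    """Bucket every report line; live entries are (path, signature) pairs."""
    out = {"live": [], "quarantine": [], "restore point": [], "archive": [], "locked": []}
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            # Locked files are skipped, not scanned; they are not detections.
            out["locked"].append(line[: -len(LOCKED_SUFFIX)])
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            # Members inside the archive were already reported line by line,
            # so keep the roll-up separate to avoid double counting.
            out["archive"].append((m.group("obj"), int(m.group("n"))))
            continue
        m = HIT_RE.match(line)
        if m:
            out[classify(m.group("obj"))].append((m.group("obj"), m.group("sig")))
    return out


def summarize(triage: dict[str, list]) -> dict[str, int]:
    """Counts per bucket, the number a practitioner reads first."""
    return {bucket: len(items) for bucket, items in triage.items()}


if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT)
    print(summarize(result))
    for path, sig in result["live"]:
        print("LIVE", sig, path)
```

On the real report this bucketing is what makes the next step obvious: the live DLLs need the load points that reference them removed, the restore points need to be flushed once the machine is clean, and the quarantine folders go away with the tools.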

#36 Rorschach112 (Retired Staff, 47,710 posts)
Ok we are going to try something else

Try to limit going online with the infected PC until it is clean, and try not to reboot if possible (unless the tools prompt you to).



Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



We need to disable the AVG Anti-Spyware guard :

1. Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
2. In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
3. If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
4. Reply 'no' and set it to 'inactive' for the duration of your cleanup.



Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean.

To disable Ad-Watch:

1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
   Active: Switches Monitoring On or Off without closing
   Automatic: Switches Automatic Blocking On or Off
3. Uncheck (red X) both items.



Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#37 justine123 (Topic Starter, Member, 82 posts)
Here is the ComboFix log:

ComboFix 08-04-04.1 - Jenny Zhao 2008-04-05 12:08:18.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.531 [GMT -4:00]
Running from: C:\Documents and Settings\Jenny Zhao\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ddcyvSMf.dll
C:\WINDOWS\system32\dgjlacrv.ini
C:\WINDOWS\system32\efcDWOEU.dll
C:\WINDOWS\system32\fMSvycdd.ini
C:\WINDOWS\system32\fMSvycdd.ini2
C:\WINDOWS\system32\FOoUBcdd.ini
C:\WINDOWS\system32\IknWFfhk.ini
C:\WINDOWS\system32\IOWvCfhk.ini
C:\WINDOWS\system32\iykxsash.dll
C:\WINDOWS\system32\mlJYrono.dll
C:\WINDOWS\system32\nnnnLcyX.dll
C:\WINDOWS\system32\saggocgt.ini
C:\WINDOWS\system32\seprddxt.dll
C:\WINDOWS\system32\txddrpes.ini
C:\WINDOWS\system32\vuvblxnw.ini
C:\WINDOWS\system32\yarputtw.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-02 23:32 . 2008-04-02 23:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 23:05 . 2008-04-02 23:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-02 19:02 . 2008-04-02 19:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 18:39 . 2008-04-02 18:46 <DIR> d-------- C:\Program Files\Panda Security
2008-04-02 18:39 . 2008-04-02 18:44 1,859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38 . 2008-04-02 19:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 17:04 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-02 06:31 . 2008-04-02 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30 . 2008-04-02 23:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37 . 2008-04-01 16:15 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35 . 2008-03-31 23:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34 . 2008-03-31 23:36 <DIR> d-------- C:\Program Files\Windows Live
2008-03-31 23:34 . 2008-03-31 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57 . 2008-03-31 19:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:56 . 2008-03-31 19:56 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55 . 2008-03-31 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54 . 2008-03-31 19:57 <DIR> d-------- C:\WinFast WorkArea
2008-03-31 19:54 . 2008-03-31 19:56 <DIR> d-------- C:\WFDB
2008-03-31 19:54 . 2008-03-31 19:54 <DIR> d-------- C:\Program Files\WinFast
2008-03-31 19:54 . 2007-02-26 20:20 49,152 --a------ C:\WINDOWS\system32\TempDel.EXE
2008-03-31 19:54 . 2005-01-06 16:55 9,446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys
2008-03-31 19:46 . 2006-04-20 14:50 59,776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys
2008-03-31 19:46 . 2006-04-20 15:20 19,456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys
2008-03-31 19:46 . 2006-04-20 14:49 9,600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys
2008-03-31 19:34 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-31 19:32 . 2008-03-31 19:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28 . 2008-03-31 19:29 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27 . 2008-03-31 19:27 <DIR> dr-h----- C:\MSOCache
2008-03-31 19:27 . 2008-04-02 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 17:53 . 2008-03-31 18:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:53 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-31 17:46 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-31 17:46 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-31 17:46 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-31 17:45 . 2008-03-31 17:45 <DIR> d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:44 . 2008-03-31 17:44 0 --a------ C:\WINDOWS\vpc32.INI
2008-03-31 17:32 . 2008-04-05 12:12 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Symantec
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 17:32 . 2006-09-18 18:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 17:32 . 2006-09-18 18:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 13:00 . 2004-08-03 20:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-03-31 13:00 . 2004-08-03 18:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a--c--- C:\WINDOWS\system32\dllcache\usbui.dll
2008-03-31 13:00 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a--c--- C:\WINDOWS\system32\dllcache\agp440.sys
2008-03-31 13:00 . 2004-08-03 18:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 23:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 23:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 23:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 23:01 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-03-31 22:58 --------- d-----w C:\Program Files\Logitech
2008-03-31 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 22:22 --------- d-----w C:\Program Files\Analog Devices
2008-03-31 22:20 --------- d-----w C:\Program Files\Intel
2008-03-31 22:07 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-03-19 12:01 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-10-18 13:47 876544]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\awtsRlLD.dll [2008-04-05 12:12 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-02 19:24 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsRlLD]
awtsRlLD.dll 2008-04-05 12:12 38912 C:\WINDOWS\system32\awtsRlLD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnLcyX]
nnnnLcyX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= SYNCOR11.DLL
"MSVideo"= vfwwdm32.dll
"MSVideo8"= VfWWDM32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2002-08-29 07:52]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2006-04-20 14:50]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 15:20]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 14:49]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 16:55]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 12:12:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\awtsRlLD.dll 38912 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\awtsRlLD.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-04-05 12:13:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-05 16:13:34
ComboFix2.txt 2008-04-04 18:48:04
Pre-Run: 115,555,545,088 bytes free
Post-Run: 115,524,124,672 bytes free


And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:46 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: awtsRlLD - C:\WINDOWS\SYSTEM32\awtsRlLD.dll
O20 - Winlogon Notify: nnnnLcyX - nnnnLcyX.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6667 bytes

Thank you.

#38 Rorschach112 (Ralphie; Retired Staff, 47,710 posts)
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Don't use it yet



Disconnect from the internet for the following


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\awtsRlLD.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsRlLD]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnLcyX]


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.




Don't reboot, then do this


  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


Then connect to the internet and post the ComboFix log, a new HijackThis log and the Dr.Web CureIt report.
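The CFScript above removes all three parts of the load chain at once: the DLL itself, its Winlogon Notify subkey, and the ShellExecuteHooks CLSID value that points at it. The thread's successive logs show why the script has to be regenerated from the latest log each time: the same 38,912-byte DLL comes back under a fresh random name after every pass (awtsRlLD.dll, then hgGxULfe.dll, then jkkLBrQj.dll) while the CLSID stays the same. As an added example, and not a tool used anywhere in this thread, the Python below applies a naming heuristic to HijackThis O20 lines and to ComboFix's ShellExecuteHooks dump and emits a CFScript in the same layout as the one posted. The sample log lines are constructed to mirror the thread's logs, and the "eight mixed-case letters, no digits, living under system32" rule is this example's own assumption, not a published signature.

```python
"""Flag Vundo/Virtumonde-style load points in HijackThis and ComboFix output and
emit a ComboFix CFScript in the layout used in this thread.  Added example; not
a tool from the thread.  The naming heuristic is this example's own assumption."""
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on (not copied from) the thread's HijackThis log.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: awtsRlLD - C:\WINDOWS\SYSTEM32\awtsRlLD.dll
O20 - Winlogon Notify: nnnnLcyX - nnnnLcyX.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Constructed sample of ComboFix's "Reg Loading Points" section (same DLL, same CLSID).
SAMPLE_COMBOFIX = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\awtsRlLD.dll [2008-04-04 18:30 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsRlLD]
awtsRlLD.dll 2008-04-04 18:30 38912 C:\WINDOWS\system32\awtsRlLD.dll
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
SEH_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
SEH_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"=\s*(?P<path>.+?)\s+\[')
EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}$")


def looks_random(name: str) -> bool:
    """Heuristic (assumption): Vundo-style names are 8 letters, mixed case, no digits."""
    return bool(EIGHT_LETTERS.match(name)) and name != name.lower() and name != name.upper()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


@dataclass
class Findings:
    files: dict = field(default_factory=dict)        # lower-cased path -> path as first seen
    notify_keys: list = field(default_factory=list)  # Winlogon Notify subkeys to delete
    seh_clsids: list = field(default_factory=list)   # ShellExecuteHooks values to delete

    def add_file(self, path: str) -> None:
        self.files.setdefault(path.lower(), path)    # dedupe SYSTEM32 vs system32 spellings


def analyze_hjt(text: str, f: Findings) -> None:
    """O20 lines: random subkey name with a system32 DLL, or an orphaned '(file missing)' hook."""
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if not m or not looks_random(m["key"]):
            continue
        if m["missing"]:
            f.notify_keys.append(m["key"])           # dead hook: delete the key only
        elif in_system32(m["path"]):
            f.notify_keys.append(m["key"])
            f.add_file(m["path"])


def analyze_combofix(text: str, f: Findings) -> None:
    """ShellExecuteHooks values whose DLL has a random name under system32."""
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()       # track which registry key we are in
            continue
        m = SEH_RE.match(line)
        if section == SEH_KEY and m and in_system32(m["path"]):
            stem = m["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                f.seh_clsids.append(m["clsid"])
                f.add_file(m["path"])


def analyze(hjt_text: str, combofix_text: str) -> Findings:
    f = Findings()
    analyze_hjt(hjt_text, f)
    analyze_combofix(combofix_text, f)
    return f


def build_cfscript(f: Findings) -> str:
    """Same layout as the CFScript in this thread: KillAll::, File::, Registry::."""
    out = ["KillAll::", "", "File::", *f.files.values(), "", "Registry::"]
    if f.seh_clsids:
        out.append(f"[{SEH_KEY}]")
        out += [f'"{c}"=-' for c in f.seh_clsids]    # "=-" deletes a value
    out += [f"[-{NOTIFY_KEY}\\{k}]" for k in f.notify_keys]  # "[-key]" deletes a key
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(analyze(SAMPLE_HJT, SAMPLE_COMBOFIX)))
```

Run it against the two real logs and diff its output against the script a helper posts; any entry it flags that the helper did not (or vice versa) is worth a second look before the script is dropped onto ComboFix.exe, since the same layout that deletes the hook will just as happily delete a legitimate Notify package such as SASWinLogon if the heuristic is loosened.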

#39 justine123 (Topic Starter; Member, 82 posts)
Here's the ComboFix log:

ComboFix 08-04-04.1 - Jenny Zhao 2008-04-05 17:58:40.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.640 [GMT -4:00]
Running from: C:\Documents and Settings\Jenny Zhao\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jenny Zhao\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\awtsRlLD.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtsRlLD.dll
C:\WINDOWS\system32\bddnsens.dll
C:\WINDOWS\system32\ddcCrpOH.dll
C:\WINDOWS\system32\hlukrhgj.dll
C:\WINDOWS\system32\HOprCcdd.ini
C:\WINDOWS\system32\HOprCcdd.ini2
C:\WINDOWS\system32\pmnnLBqn.dll
C:\WINDOWS\system32\snesnddb.ini
C:\WINDOWS\system32\ugnrkwjs.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-05 18:01 . 2008-04-05 18:01 38,912 --a------ C:\WINDOWS\system32\hgGxULfe.dll
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-02 23:32 . 2008-04-02 23:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 23:05 . 2008-04-02 23:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-02 19:02 . 2008-04-02 19:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 18:39 . 2008-04-02 18:46 <DIR> d-------- C:\Program Files\Panda Security
2008-04-02 18:39 . 2008-04-02 18:44 1,859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38 . 2008-04-02 19:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 17:04 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-02 06:31 . 2008-04-02 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30 . 2008-04-02 23:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37 . 2008-04-01 16:15 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35 . 2008-03-31 23:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34 . 2008-03-31 23:36 <DIR> d-------- C:\Program Files\Windows Live
2008-03-31 23:34 . 2008-03-31 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57 . 2008-03-31 19:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:56 . 2008-03-31 19:56 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55 . 2008-03-31 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54 . 2008-03-31 19:57 <DIR> d-------- C:\WinFast WorkArea
2008-03-31 19:54 . 2008-03-31 19:56 <DIR> d-------- C:\WFDB
2008-03-31 19:54 . 2008-03-31 19:54 <DIR> d-------- C:\Program Files\WinFast
2008-03-31 19:54 . 2007-02-26 20:20 49,152 --a------ C:\WINDOWS\system32\TempDel.EXE
2008-03-31 19:54 . 2005-01-06 16:55 9,446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys
2008-03-31 19:46 . 2006-04-20 14:50 59,776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys
2008-03-31 19:46 . 2006-04-20 15:20 19,456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys
2008-03-31 19:46 . 2006-04-20 14:49 9,600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys
2008-03-31 19:34 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-31 19:32 . 2008-03-31 19:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28 . 2008-03-31 19:29 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27 . 2008-03-31 19:27 <DIR> dr-h----- C:\MSOCache
2008-03-31 19:27 . 2008-04-02 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 17:53 . 2008-03-31 18:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:53 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-31 17:46 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-31 17:46 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-31 17:46 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-31 17:45 . 2008-03-31 17:45 <DIR> d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:44 . 2008-03-31 17:44 0 --a------ C:\WINDOWS\vpc32.INI
2008-03-31 17:32 . 2008-04-05 18:01 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Symantec
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 17:32 . 2006-09-18 18:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 17:32 . 2006-09-18 18:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 13:00 . 2004-08-03 20:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-03-31 13:00 . 2004-08-03 18:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a--c--- C:\WINDOWS\system32\dllcache\usbui.dll
2008-03-31 13:00 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a--c--- C:\WINDOWS\system32\dllcache\agp440.sys
2008-03-31 13:00 . 2004-08-03 18:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 23:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 23:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 23:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 23:01 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-03-31 22:58 --------- d-----w C:\Program Files\Logitech
2008-03-31 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 22:22 --------- d-----w C:\Program Files\Analog Devices
2008-03-31 22:20 --------- d-----w C:\Program Files\Intel
2008-03-31 22:07 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-03-19 12:01 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-10-18 13:47 876544]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\hgGxULfe.dll [2008-04-05 18:01 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-02 19:24 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGxULfe]
hgGxULfe.dll 2008-04-05 18:01 38912 C:\WINDOWS\system32\hgGxULfe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= SYNCOR11.DLL
"MSVideo"= vfwwdm32.dll
"MSVideo8"= VfWWDM32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2002-08-29 07:52]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2006-04-20 14:50]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 15:20]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 14:49]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 16:55]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 18:01:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\hgGxULfe.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-04-05 18:03:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-05 22:02:57
ComboFix2.txt 2008-04-05 16:13:47
ComboFix3.txt 2008-04-04 18:48:04
Pre-Run: 115,524,558,848 bytes free
Post-Run: 115,510,181,888 bytes free


Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:23 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hgGxULfe - C:\WINDOWS\SYSTEM32\hgGxULfe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6415 bytes

And here's the Dr. Web Cureit log:

A0006752.bat;C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP35;Probably BATCH.Virus;Incurable.Moved.;
A0006762.bat;C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP35;Probably SCRIPT.Virus;Incurable.Moved.;
A0006808.bat;C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36;Probably BATCH.Virus;Incurable.Moved.;
A0006819.EXE;C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36;Program.PsExec.170;Incurable.Moved.;
A0006832.bat;C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36;Probably SCRIPT.Virus;Incurable.Moved.;
A0006880.EXE;C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38;Program.PsExec.170;Incurable.Moved.;
A0006881.bat;C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38;Probably BATCH.Virus;Incurable.Moved.;
A0006894.EXE;C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38;Program.PsExec.170;Incurable.Moved.;
A0006905.bat;C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38;Probably SCRIPT.Virus;Incurable.Moved.;
PSEXESVC.EXE;C:\WINDOWS;Program.PsExec.170;Incurable.Moved.;


Thank you.

#40 Rorschach112 (Ralphie; Retired Staff, 47,710 posts)
Usual rules: try to limit your internet usage, and don't reboot if possible.

Print out or save these instructions

Disconnect from the internet and do this

Make sure Ad-Aware is disabled


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\hgGxULfe.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGxULfe]


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.




Reconnect and do this


Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

Edited by Rorschach112, 05 April 2008 - 04:54 PM.


#41 justine123 (Topic Starter; Member, 82 posts)
Here is the ComboFix log:

ComboFix 08-04-04.1 - Jenny Zhao 2008-04-05 19:28:43.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.533 [GMT -4:00]
Running from: C:\Documents and Settings\Jenny Zhao\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jenny Zhao\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\hgGxULfe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\evkfohal.ini
C:\WINDOWS\system32\hgGxULfe.dll
C:\WINDOWS\system32\hwwrjskk.dll
C:\WINDOWS\system32\igcwvpbu.dll
C:\WINDOWS\system32\lahofkve.dll
C:\WINDOWS\system32\oqWDKRqr.ini
C:\WINDOWS\system32\oqWDKRqr.ini2
C:\WINDOWS\system32\rqRKDWqo.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-05 19:31 . 2008-04-05 19:31 38,912 --a------ C:\WINDOWS\system32\jkkLBrQj.dll
2008-04-05 18:04 . 2008-04-05 18:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-02 23:32 . 2008-04-02 23:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 23:05 . 2008-04-02 23:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-02 19:02 . 2008-04-02 19:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 18:39 . 2008-04-02 18:46 <DIR> d-------- C:\Program Files\Panda Security
2008-04-02 18:39 . 2008-04-02 18:44 1,859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38 . 2008-04-02 19:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 17:04 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-02 06:31 . 2008-04-02 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30 . 2008-04-02 23:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37 . 2008-04-01 16:15 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35 . 2008-03-31 23:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34 . 2008-03-31 23:36 <DIR> d-------- C:\Program Files\Windows Live
2008-03-31 23:34 . 2008-03-31 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57 . 2008-03-31 19:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:56 . 2008-03-31 19:56 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55 . 2008-03-31 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54 . 2008-03-31 19:57 <DIR> d-------- C:\WinFast WorkArea
2008-03-31 19:54 . 2008-03-31 19:56 <DIR> d-------- C:\WFDB
2008-03-31 19:54 . 2008-03-31 19:54 <DIR> d-------- C:\Program Files\WinFast
2008-03-31 19:54 . 2007-02-26 20:20 49,152 --a------ C:\WINDOWS\system32\TempDel.EXE
2008-03-31 19:54 . 2005-01-06 16:55 9,446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys
2008-03-31 19:46 . 2006-04-20 14:50 59,776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys
2008-03-31 19:46 . 2006-04-20 15:20 19,456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys
2008-03-31 19:46 . 2006-04-20 14:49 9,600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys
2008-03-31 19:34 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-31 19:32 . 2008-03-31 19:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28 . 2008-03-31 19:29 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27 . 2008-03-31 19:27 <DIR> dr-h----- C:\MSOCache
2008-03-31 19:27 . 2008-04-02 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 17:53 . 2008-03-31 18:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:53 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-31 17:46 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-31 17:46 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-31 17:46 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-31 17:45 . 2008-03-31 17:45 <DIR> d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:44 . 2008-03-31 17:44 0 --a------ C:\WINDOWS\vpc32.INI
2008-03-31 17:32 . 2008-04-05 19:31 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Symantec
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 17:32 . 2006-09-18 18:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 17:32 . 2006-09-18 18:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 13:00 . 2004-08-03 20:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-03-31 13:00 . 2004-08-03 18:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a--c--- C:\WINDOWS\system32\dllcache\usbui.dll
2008-03-31 13:00 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a--c--- C:\WINDOWS\system32\dllcache\agp440.sys
2008-03-31 13:00 . 2004-08-03 18:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 23:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 23:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 23:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 23:01 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-03-31 22:58 --------- d-----w C:\Program Files\Logitech
2008-03-31 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 22:22 --------- d-----w C:\Program Files\Analog Devices
2008-03-31 22:20 --------- d-----w C:\Program Files\Intel
2008-03-31 22:07 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-03-19 12:01 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-10-18 13:47 876544]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\jkkLBrQj.dll [2008-04-05 19:31 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-02 19:24 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLBrQj]
jkkLBrQj.dll 2008-04-05 19:31 38912 C:\WINDOWS\system32\jkkLBrQj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= SYNCOR11.DLL
"MSVideo"= vfwwdm32.dll
"MSVideo8"= VfWWDM32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2002-08-29 07:52]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2006-04-20 14:50]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 15:20]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 14:49]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 16:55]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 19:31:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkLBrQj.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-04-05 19:33:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-05 23:32:51
ComboFix2.txt 2008-04-05 22:03:09
ComboFix3.txt 2008-04-05 16:13:47
ComboFix4.txt 2008-04-04 18:48:04
Pre-Run: 115,511,975,936 bytes free
Post-Run: 115,499,933,696 bytes free


Here is the data for Processes, none of them were highlighted red:

Process:

System Idle Process
System
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jenny Zhao\Desktop\IceSword122en\IceSword122en\IceSword.exe
C:\WINDOWS\system32\wuauclt.exe


Here is the data for Win32 Services, none of them were highlighted red:

Started Service:

Service Name:aawservice Display Name:Ad-Aware 2007 Service
Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:AVG Anti-Spyware Guard Display Name:AVG Anti-Spyware Guard
Service Name:Browser Display Name:Computer Browser
Service Name:ccEvtMgr Display Name:Symantec Event Manager
Service Name:ccSetMgr Display Name:Symantec Settings Manager
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:DefWatch Display Name:Symantec AntiVirus Definition Watcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:LVCOMSer Display Name:LVCOMSer
Service Name:LVPrcSrv Display Name:Process Monitor
Service Name:MDM Display Name:Machine Debug Manager
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:SPBBCSvc Display Name:Symantec SPBBCSvc
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:Symantec AntiVirus Display Name:Symantec AntiVirus
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UleadBurningHelper Display Name:Ulead Burning Helper
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration


Here is the data for Startup, none of them were highlighted red:

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Smapp
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
vptray
C:\PROGRA~1\SYMANT~1\VPTray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechCommunicationsManager
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechQuickCamRibbon
"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinFast Schedule
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
!AVG Anti-Spyware
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Speed Launcher
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Jenny Zhao\Start Menu\Programs\Startup
desktop.ini


SSDT would not allow me to save a log. Here are the entries in red:

Unknown
\??\C:\Program Files\Symantec\SYMEVENT.SYS
\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys



Here are the Message Hooks entries labelled WH_KEYBOARD:

C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec Shared\ccApp.exe
C:\Program Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

Thank you.

Edited by justine123, 05 April 2008 - 06:16 PM.

#42 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Hello

Now for the fix. Close all windows and disconnect from the Internet. Run IceSword.exe. Do not restart your PC until the very end, to ensure the fix works.


Step 1 : Click the Processes tab and right-click on the following red colored processes one by one and choose "Terminate Process". This will kill the rooted processes.

C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe




Step 2 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them.

C:\WINDOWS\system32\jkkLBrQj.dll


Step 3 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them.

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLBrQj
HKEY_CLASSES_ROOT\CLSID\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}

Step 4 : Now, we have to delete the rooted registry value. Click the Registry button. This will display a regedit type interface. Navigate to the following registry value in bold and delete it.

hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"


Then reboot your PC and post a new HijackThis log.

Edited by Rorschach112, 05 April 2008 - 06:26 PM.

#43 justine123 (Topic Starter, Member, 82 posts)

Here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:37 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB} - C:\WINDOWS\system32\jkkLBrQj.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: jkkLBrQj - C:\WINDOWS\SYSTEM32\jkkLBrQj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6545 bytes
#44 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)

Did you have any trouble doing the IceSword step? Seems the infection respawned already.
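Added example (an editor's illustration, not code from this thread or from IceSword, HijackThis or ComboFix): a small offline Python script that reads HijackThis O2/O20 lines and ComboFix ShellExecuteHooks and loaded-DLL lines, groups them by DLL, and flags a DLL only when more than one indicator agrees. On the logs above it singles out jkkLBrQj.dll because it is registered as a BHO, a Winlogon Notify handler and a ShellExecuteHook at the same time and is mapped into winlogon.exe, which is how Virtumonde survives having its user-mode processes killed and a single key deleted. The sample input is copied from the ComboFix log in post #41 and the HijackThis log in post #43; the eight-letter name heuristic, the two-indicator threshold and the registry paths in the removal plan are assumptions of this example.

```python
"""Offline triage of HijackThis and ComboFix log lines for the Virtumonde (Vundo)
pattern in this thread: one random-named DLL in system32 registered at several
auto-load points at once and mapped into winlogon.exe. Sample input is copied
from the logs above; heuristics and registry paths are this example's assumptions."""
import re
from collections import defaultdict

HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB} - C:\WINDOWS\system32\jkkLBrQj.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: jkkLBrQj - C:\WINDOWS\SYSTEM32\jkkLBrQj.dll
"""
COMBOFIX_LOG = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\jkkLBrQj.dll [2008-04-05 19:31 38912]
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkLBrQj.dll
"""
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
SEH_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})"= (?P<path>.+?)(?: \[.*\])?$')
PROC_RE = re.compile(r"^PROCESS: (?P<path>.+)$")
DLL_RE = re.compile(r"^-> (?P<path>.+)$")
HKLM_EXPLORER = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

def norm(p):  # case-insensitive grouping key: HJT prints SYSTEM32, ComboFix system32
    return p.strip().strip('"').lower()

def entry(point, name, clsid, path):
    return {"point": point, "name": name, "clsid": clsid, "path": path.strip(), "key": norm(path)}

def parse_hijackthis(text):
    """Keep the two HJT load points Vundo abuses: O2 (BHO) and O20 (Winlogon Notify)."""
    found = []
    for line in text.splitlines():
        if m := O2_RE.match(line):
            found.append(entry("BHO", m["name"], m["clsid"].upper(), m["path"]))
        elif m := O20_RE.match(line):
            found.append(entry("WinlogonNotify", m["name"], None, m["path"]))
    return found

def parse_combofix(text):
    """Return ShellExecuteHooks entries and a map of process -> DLLs ComboFix saw loaded."""
    found, loaded, section, proc = [], defaultdict(set), "", None
    for line in text.splitlines():
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif m := PROC_RE.match(line):
            proc = norm(m["path"])
        elif (m := DLL_RE.match(line)) and proc:
            loaded[proc].add(norm(m["path"]))
        elif (m := SEH_RE.match(line)) and section.endswith("shellexecutehooks"):
            found.append(entry("ShellExecuteHook", m["clsid"], m["clsid"].upper(), m["path"]))
    return found, loaded

def looks_like_vundo_name(path):
    """Heuristic (assumption): eight mixed-case letters, no digits, dropped in system32."""
    base = path.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.lower().endswith(".dll") else ""
    return ("\\system32\\" in path.lower() and re.fullmatch(r"[A-Za-z]{8}", stem) is not None
            and stem != stem.lower() and stem != stem.upper())

def find_suspects(entries, loaded):
    """Flag a DLL only when two independent indicators agree, so a lone legitimate
    Winlogon Notify or ShellExecuteHook DLL (SUPERAntiSpyware's here) is left alone."""
    by_dll = defaultdict(list)
    for e in entries:
        by_dll[e["key"]].append(e)
    in_winlogon = set().union(*(d for p, d in loaded.items() if p.endswith("\\winlogon.exe")))
    suspects = {}
    for key, es in by_dll.items():
        points = sorted({e["point"] for e in es})
        reasons = [r for r, hit in (
            ("registered at %d load points: %s" % (len(points), ", ".join(points)), len(points) >= 2),
            ("mapped into winlogon.exe, which re-creates the other entries", key in in_winlogon),
            ("random 8-letter name in system32", looks_like_vundo_name(es[0]["path"]))) if hit]
        if len(reasons) >= 2:
            suspects[key] = {"entries": es, "reasons": reasons}
    return suspects

def removal_plan(suspects, loaded):
    """Everything that has to go in one pass, mirroring the IceSword steps in the thread;
    'hosts' are processes holding the DLL mapped, so a plain delete of the file will fail."""
    plan = {"hosts": set(), "files": set(), "keys": set(), "values": set()}
    for key, s in suspects.items():
        plan["files"].add(s["entries"][0]["path"])
        plan["hosts"].update(p for p, d in loaded.items() if key in d)
        for e in s["entries"]:
            if e["point"] == "WinlogonNotify":
                plan["keys"].add(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%s" % e["name"])
            elif e["point"] == "BHO":
                plan["keys"].add(HKLM_EXPLORER + (r"\Browser Helper Objects\%s" % e["clsid"]))
                plan["keys"].add(r"HKCR\CLSID\%s" % e["clsid"])
            else:  # ShellExecuteHook: the CLSID is a value name under one key, not a key
                plan["values"].add((HKLM_EXPLORER + r"\ShellExecuteHooks", e["clsid"]))
    return plan

def triage(hjt_text, combofix_text):
    cf_entries, loaded = parse_combofix(combofix_text)
    suspects = find_suspects(parse_hijackthis(hjt_text) + cf_entries, loaded)
    return suspects, removal_plan(suspects, loaded)
```

`triage(HJT_LOG, COMBOFIX_LOG)` returns the suspects with their reasons and a plan listing the host process, the file, the keys and the single ShellExecuteHooks value that have to be removed together. Requiring two independent indicators keeps SUPERAntiSpyware's own Winlogon Notify and ShellExecuteHook DLLs, each registered at one load point only, off the list; the winlogon.exe host entry is the reason a normal file delete fails and a tool such as IceSword is needed for that step.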

#45 justine123 (Topic Starter, Member, 82 posts)

The processes that I tried to terminate were not coloured in red, but I managed to find them. Initially the C:\Program Files\Symantec AntiVirus\Rtvscan.exe would not terminate, so I proceeded to do all the other steps. Afterwards, I went back and tried to terminate it again and it did go away. So I went over the other steps again. My computer seems to be much faster, though.