Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Need Help with Virtumonde

Started by justine123 , Apr 02 2008 05:21 PM

Page 4 of 11
2
3
4
5
6

This topic is locked

#46
Rorschach112

Posted 06 April 2008 - 05:19 AM

Ralphie

Retired Staff
47,710 posts

You still have the infection unfortunately. There is a possibility that Ad-Aware may be responsible for respawning it, so we may need to remove that program.

Download avz4.zip from here

Unzip it to your desktop to a folder named avz4
Double click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the Right of the Log window:
Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

After the update, from the "File" menu, choose "Standard Scripts"
Put a check next to item 2: Advanced System Investigation
Click Execute selected scripts
At the next prompt, click the OK button
Let the scan run and click "OK" when the completion prompt pops up
Now Close out of the Standard Scripts window, and exit AVZ
Navigate to the avz4 folder and locate the folder LOG
Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
Attach virusinfo_syscheck.htm to your next reply, along with a fresh HijackThis log

#47
justine123

Posted 06 April 2008 - 05:34 AM

Member

Topic Starter
Member
82 posts

I don't mind uninstalling AdAware.

I've attached the AVZ html log.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:12 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [b89f240b] rundll32.exe "C:\WINDOWS\system32\jmilinxq.dll",b
O4 - HKLM\..\Run: [BMbbac1797] Rundll32.exe "C:\WINDOWS\system32\jxfuyvrr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6288 bytes

Attached Files

virusinfo_syscheck.xml 51.5KB 224 downloads

#48
Rorschach112

Posted 06 April 2008 - 05:52 AM

Ralphie

Retired Staff
47,710 posts

Sorry, there was a problem there.

You need to upload virusinfo_syscheck.htm, not virusinfo_syscheck.xml

Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

Lavasoft

Then delete this folder in bold

C:\Program Files\Lavasoft

#49
justine123

Posted 06 April 2008 - 05:57 AM

Member

Topic Starter
Member
82 posts

Sorry about that.

Lavasoft was not present under the list of programs, but Adaware was, so I removed that and deleted its folder.

Attached Files

virusinfo_syscheck.htm 158.49KB 26 downloads

Edited by justine123, 06 April 2008 - 06:01 AM.

#50
Rorschach112

Posted 06 April 2008 - 06:06 AM

Ralphie

Retired Staff
47,710 posts

Hello

Make sure all security programs are closed when you run this fix

Close all windows then double click on AVZ.exe
Click File > Custom scripts

Copy & paste the contents of the following codebox in the box in the program

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DelBHO('{92780B25-18CC-41C8-B9BE-3C9C571A8263}');
 DelBHO('{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}');
 DelBHO('{B74502C8-786D-4E5A-81A7-901FFDB51D9C}');
 DelBHO('{7c03f388-606e-401d-8d1e-b919d3f3518d}');
 DelBHO('{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}');
 DeleteService('Ad-Watch Connect Filter');
 BC_DeleteFile('c:\program files\lavasoft\ad-aware 2007\aawservice.exe');
 BC_DeleteFile('C:\Program Files\Lavasoft\Ad-Aware 2007\CEAPI.dll');
 BC_DeleteFile('C:\Program Files\Lavasoft\Ad-Aware 2007\Update.dll');
 BC_DeleteFile('C:\WINDOWS\system32\hylhhekb.dll');
 BC_DeleteFile('C:\WINDOWS\system32\jkkLBrQj.dll');
 BC_DeleteFile('C:\WINDOWS\system32\jmilinxq.dll');
 BC_DeleteFile('C:\WINDOWS\system32\jxfuyvrr.dll');
 BC_DeleteFile('C:\WINDOWS\system32\pmnljKbX.dll');
 BC_DeleteFile('C:\WINDOWS\system32\urqRhHxx.dll');
 BC_DeleteFile('C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe');
 BC_DeleteFile('C:\WINDOWS\system32\drivers\NSDriver.sys');
 BC_DeleteFile('jkkLBrQj.dll');
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Note: When you run the script, your PC will be restarted
Click Run
Restart your PC if it doesn't do it automatically, and post back with a new DSS log.

#51
justine123

Posted 06 April 2008 - 06:26 AM

Member

Topic Starter
Member
82 posts

When the computer restarted, two notices came up, telling me that the following were missing:

C:\WINDOWS\system32\jxfuyvrr.dll
C:\WINDOWS\system32\jmilinxq.dll

Here is the DSS log:

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-06 08:20:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:32 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {4A2F4490-6C3B-42C8-ABFF-7BDAFF7E3398} - C:\WINDOWS\system32\ssqOIAsT.dll
O2 - BHO: {134e3c65-3ee2-ead9-71b4-2a358e5971b8} - {8b1795e8-53a2-4b17-9dae-2ee356c3e431} - C:\WINDOWS\system32\xdebcngd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A203F579-D46C-4322-9DA8-D88DEB316E4B} - C:\WINDOWS\system32\urqRhHxx.dll (file missing)
O2 - BHO: (no name) - {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB} - C:\WINDOWS\system32\ssqRKede.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [b89f240b] rundll32.exe "C:\WINDOWS\system32\jmilinxq.dll",b
O4 - HKLM\..\Run: [BMbbac1797] Rundll32.exe "C:\WINDOWS\system32\jmefkjto.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: jkkLBrQj - jkkLBrQj.dll (file missing)
O20 - Winlogon Notify: ssqRKede - C:\WINDOWS\SYSTEM32\ssqRKede.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6918 bytes

-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-06 08:18:35 89664 --a------ C:\WINDOWS\system32\xdebcngd.dll
2008-04-06 08:16:14 87104 --a------ C:\WINDOWS\system32\jmefkjto.dll
2008-04-06 08:15:34 169719 --ahs---- C:\WINDOWS\system32\TsAIOqss.ini2
2008-04-06 08:15:32 268288 --a------ C:\WINDOWS\system32\ssqOIAsT.dll
2008-04-06 08:10:30 38912 --a------ C:\WINDOWS\system32\ssqRKede.dll
2008-04-06 07:36:59 38912 --a------ C:\WINDOWS\system32\iifcBtRk.dll
2008-04-05 21:47:18 176963 --ahs---- C:\WINDOWS\system32\xxHhRqru.ini2
2008-04-05 20:42:42 38912 --a------ C:\WINDOWS\system32\opnommlk.dll
2008-04-05 19:33:04 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-05 18:04:13 0 d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-05 12:07:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-05 12:07:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-05 12:07:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-05 12:07:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-05 12:07:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-05 12:07:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-05 12:07:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-05 12:07:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 19:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 19:41:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 -----n--- C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 2097152 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins

-- Find3M Report ---------------------------------------------------------------

2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A2F4490-6C3B-42C8-ABFF-7BDAFF7E3398}]
04/06/2008 08:15 AM 268288 --a------ C:\WINDOWS\system32\ssqOIAsT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b1795e8-53a2-4b17-9dae-2ee356c3e431}]
04/06/2008 08:18 AM 89664 --a------ C:\WINDOWS\system32\xdebcngd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A203F579-D46C-4322-9DA8-D88DEB316E4B}]
C:\WINDOWS\system32\urqRhHxx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}]
04/06/2008 08:10 AM 38912 --a------ C:\WINDOWS\system32\ssqRKede.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"b89f240b"="C:\WINDOWS\system32\jmilinxq.dll" []
"BMbbac1797"="C:\WINDOWS\system32\jmefkjto.dll" [04/06/2008 08:16 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\ssqRKede.dll [04/06/2008 08:10 AM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLBrQj]
jkkLBrQj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRKede]
ssqRKede.dll 04/06/2008 08:10 AM 38912 C:\WINDOWS\system32\ssqRKede.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqOIAsT

-- End of Deckard's System Scanner: finished at 2008-04-06 08:21:31 ------------

Thank you

#52
Rorschach112

Posted 06 April 2008 - 06:27 AM

Ralphie

Retired Staff
47,710 posts

Hello

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

#53
justine123

Posted 06 April 2008 - 06:42 AM

Member

Topic Starter
Member
82 posts

Here are the GMER results:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-06 08:41:10
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT 86E13F68 ZwAlertResumeThread
SSDT 86E54E98 ZwAlertThread
SSDT 86BF6BC8 ZwAllocateVirtualMemory
SSDT 86BDE188 ZwConnectPort
SSDT 86E1CE00 ZwCreateMutant
SSDT 86D63630 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF5B5F350]
SSDT 86D35868 ZwFreeVirtualMemory
SSDT 86E36748 ZwImpersonateAnonymousToken
SSDT 86E0EB48 ZwImpersonateThread
SSDT 86D2BE38 ZwMapViewOfSection
SSDT 86E494B8 ZwOpenEvent
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7CE98AC]
SSDT 86D3A9E0 ZwOpenProcessToken
SSDT 86D34360 ZwOpenThreadToken
SSDT 86CE9078 ZwQueryValueKey
SSDT 86D42408 ZwResumeThread
SSDT 86E45128 ZwSetContextThread
SSDT 86D34438 ZwSetInformationProcess
SSDT 86EB20B8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF5B5F580]
SSDT 86E4C2E0 ZwSuspendProcess
SSDT 86E55A60 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7CE9812]
SSDT 86E3F600 ZwTerminateThread
SSDT 86D34790 ZwUnmapViewOfSection
SSDT 86D42900 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1856] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4556] kernel32.dll!MultiByteToWideChar 7C809BF8 5 Bytes JMP 01948C78 C:\WINDOWS\system32\ssqOIAsT.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4556] WS2_32.dll!connect 71AB406A 5 Bytes JMP 0136140A C:\WINDOWS\system32\jmefkjto.dll

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\rundll32.exe[600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01622F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01622CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01622D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01622CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1792] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01E12F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1792] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01E12CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1792] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01E12D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1792] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01E12CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01EF2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01EF2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01EF2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1856] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01EF2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[2368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[2368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[2368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [008D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[2368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[2512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[2512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[2512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[2512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[2576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009B2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[2576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009B2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[2576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009B2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wuauclt.exe[2576] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009B2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003B2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003B2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003B2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3608] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003B2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[4556] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [010D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[4556] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [010D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[4556] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [010D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[4556] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [010D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jenny Zhao\Desktop\gmer\gmer.exe[5560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00392F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jenny Zhao\Desktop\gmer\gmer.exe[5560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00392CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jenny Zhao\Desktop\gmer\gmer.exe[5560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00392D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jenny Zhao\Desktop\gmer\gmer.exe[5560] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00392CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.14 ----

#54
Rorschach112

Posted 06 April 2008 - 07:38 AM

Ralphie

Retired Staff
47,710 posts

Hello

You will need to print out or save these instructions on your desktop

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file(s) and delete them:

C:\WINDOWS\system32\ssqOIAsT.dll
C:\WINDOWS\system32\jmefkjto.dll
C:\WINDOWS\system32\xdebcngd.dll
C:\WINDOWS\system32\jmefkjto.dll
C:\WINDOWS\system32\TsAIOqss.ini2
C:\WINDOWS\system32\ssqOIAsT.dll
C:\WINDOWS\system32\ssqRKede.dll
C:\WINDOWS\system32\iifcBtRk.dll
C:\WINDOWS\system32\xxHhRqru.ini2
C:\WINDOWS\system32\opnommlk.dll

Now click the CMD tab.

Copy and paste thhe following in

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2F4490-6C3B-42C8-ABFF-7BDAFF7E3398}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b1795e8-53a2-4b17-9dae-2ee356c3e431}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A203F579-D46C-4322-9DA8-D88DEB316E4B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b89f240b"=-
"BMbbac1797"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLBrQj]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRKede]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):73,63,65,63,6c,69,00,00
[-HKEY_CLASSES_ROOT\CLSID\{4A2F4490-6C3B-42C8-ABFF-7BDAFF7E3398}}]
[-HKEY_CLASSES_ROOT\CLSID\{8b1795e8-53a2-4b17-9dae-2ee356c3e431}]
[-HKEY_CLASSES_ROOT\CLSID\{A203F579-D46C-4322-9DA8-D88DEB316E4B}]
[-HKEY_CLASSES_ROOT\CLSID\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}]

Click Run and accept any prompts.

Answer Yes to all the warning windows.
Reboot your computer and post a new DSS log

#55
justine123

Posted 06 April 2008 - 08:20 AM

Member

Topic Starter
Member
82 posts

The files have been deleted, but the CMD run didn't go well because it could not find/recognize the commands. Here is the latest DSS log:

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-06 10:13:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:02 AM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {4A2F4490-6C3B-42C8-ABFF-7BDAFF7E3398} - C:\WINDOWS\system32\ssqOIAsT.dll (file missing)
O2 - BHO: {134e3c65-3ee2-ead9-71b4-2a358e5971b8} - {8b1795e8-53a2-4b17-9dae-2ee356c3e431} - C:\WINDOWS\system32\xdebcngd.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A203F579-D46C-4322-9DA8-D88DEB316E4B} - C:\WINDOWS\system32\urqRhHxx.dll (file missing)
O2 - BHO: (no name) - {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB} - C:\WINDOWS\system32\opnLbXoP.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [b89f240b] rundll32.exe "C:\WINDOWS\system32\kvpdsmyb.dll",b
O4 - HKLM\..\Run: [BMbbac1797] Rundll32.exe "C:\WINDOWS\system32\jmefkjto.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: jkkLBrQj - jkkLBrQj.dll (file missing)
O20 - Winlogon Notify: opnLbXoP - C:\WINDOWS\SYSTEM32\opnLbXoP.dll
O20 - Winlogon Notify: ssqRKede - ssqRKede.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7049 bytes

-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-06 10:13:52 38912 --a------ C:\WINDOWS\system32\opnLbXoP.dll
2008-04-06 08:21:35 85056 --a------ C:\WINDOWS\system32\kvpdsmyb.dll
2008-04-05 19:33:04 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-05 18:04:13 0 d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-05 12:07:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-05 12:07:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-05 12:07:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-05 12:07:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-05 12:07:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-05 12:07:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-05 12:07:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-05 12:07:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 19:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 19:41:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 -----n--- C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 2097152 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins

-- Find3M Report ---------------------------------------------------------------

2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A2F4490-6C3B-42C8-ABFF-7BDAFF7E3398}]
C:\WINDOWS\system32\ssqOIAsT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b1795e8-53a2-4b17-9dae-2ee356c3e431}]
C:\WINDOWS\system32\xdebcngd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A203F579-D46C-4322-9DA8-D88DEB316E4B}]
C:\WINDOWS\system32\urqRhHxx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}]
04/06/2008 10:13 AM 38912 --a------ C:\WINDOWS\system32\opnLbXoP.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"b89f240b"="C:\WINDOWS\system32\kvpdsmyb.dll" [04/06/2008 08:21 AM]
"BMbbac1797"="C:\WINDOWS\system32\jmefkjto.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\opnLbXoP.dll [04/06/2008 10:13 AM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLBrQj]
jkkLBrQj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnLbXoP]
opnLbXoP.dll 04/06/2008 10:13 AM 38912 C:\WINDOWS\system32\opnLbXoP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRKede]
ssqRKede.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqOIAsT

-- End of Deckard's System Scanner: finished at 2008-04-06 10:15:08 ------------

Thank you.

#56
Rorschach112

Posted 06 April 2008 - 08:39 AM

Ralphie

Retired Staff
47,710 posts

Hello

You will need to print out or save these instructions

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do NOT

Now for the fix. Close all windows and disconnect from the Internet. Run IceSword.exe. Do not restart your PC until the very end to ensure the fix works

Step 1 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them.

C:\WINDOWS\system32\opnLbXoP.dll
C:\WINDOWS\system32\kvpdsmyb.dll

Step 2 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2F4490-6C3B-42C8-ABFF-7BDAFF7E3398}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b1795e8-53a2-4b17-9dae-2ee356c3e431}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A203F579-D46C-4322-9DA8-D88DEB316E4B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLBrQj
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnLbXoP
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRKede
HKEY_CLASSES_ROOT\CLSID\{4A2F4490-6C3B-42C8-ABFF-7BDAFF7E3398}
HKEY_CLASSES_ROOT\CLSID\{8b1795e8-53a2-4b17-9dae-2ee356c3e431}
HKEY_CLASSES_ROOT\CLSID\{A203F579-D46C-4322-9DA8-D88DEB316E4B}
HKEY_CLASSES_ROOT\CLSID\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}

Step 2 : Now, we have to delete the rooted registry values. Click the Registry button. This will display a regedit type interface. Navigate to the following registry values in bold and delete them.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
b89f240b
BMbbac1797

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
C:\WINDOWS\system32\ssqOIAsT

1. Please download The Avenger by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\opnLbXoP.dll
C:\WINDOWS\system32\kvpdsmyb.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2F4490-6C3B-42C8-ABFF-7BDAFF7E3398}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b1795e8-53a2-4b17-9dae-2ee356c3e431}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A203F579-D46C-4322-9DA8-D88DEB316E4B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLBrQj
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnLbXoP
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRKede

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | b89f240b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | BMbbac1797
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log by using [b]Add/Reply

#57
justine123

Posted 06 April 2008 - 10:08 AM

Member

Topic Starter
Member
82 posts

Hi. I'm encountering some trouble. After carrying out most of the steps, when Avenger went to reboot my computer, it refused to start and displayed the message that lsass.exe was missing. I'm on my secondary computer right now. Is there anyway I can install the missing file back or recover from an old starting point?

#58
Rorschach112

Posted 06 April 2008 - 10:14 AM

Ralphie

Retired Staff
47,710 posts

Yes

Can you tell me did you have any trouble doing the fix ?

Did you accidentally delete the file C:\windows\system32\lsass.exe ?

Also did you delete this part in bold right ?

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
C:\WINDOWS\system32\ssqOIAsT

You didn't delete the LSA part right ?

#59
justine123

Posted 06 April 2008 - 10:20 AM

Member

Topic Starter
Member
82 posts

Shoot. I realize my mistake now. On my notepad printout, there was no bolding and I indeed did delete the lsa.

As well, the following could not be found in the rooted registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b1795e8-53a2-4b17-9dae-2ee356c3e431}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}
HKEY_CLASSES_ROOT\CLSID\{8b1795e8-53a2-4b17-9dae-2ee356c3e431}

Please tell me there's some way to recover...

#60
Rorschach112

Posted 06 April 2008 - 11:20 AM

Ralphie

Retired Staff
47,710 posts

Thought that was the problem

Reboot your PC, keep pressing F8, a menu should pop up given you options. Select Last Known Good Configuration

That will let you reboot into Normal Mode like before, then post a new DSS log