Need Help with Virtumonde


#91
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

I need to see that script as it will tell me more about your infection, so let's try it again in a different way.

Delete ComboFix.exe and the folders C:\ComboFix and C:\qoobox


Then re-download ComboFix from here onto your desktop

http://subs.geekstogo.com/ComboFix.exe




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

SysRes::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

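The C:\ComboFix.txt produced by this script contains a "Reg Loading Points" section, and that section is where Virtumonde shows itself in this thread: Winlogon Notify packages and Explorer ShellExecuteHooks backed by random-named DLLs in system32, Security Center monitoring switched off, and the XP firewall disabled. The triage helper below is an added example, not ComboFix code and not from the original posts; its sample input is excerpted from the log posted later in this thread, and the random-name heuristic (8 letters with 3+ case flips or almost no vowels) and the finding labels are my own assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for Vundo-style load points.

Added example for this thread; it is not part of ComboFix. It flags Winlogon
Notify packages and ShellExecuteHooks that point at random-named DLLs in
system32 (or at a bare name whose file is already gone), Security Center
monitoring turned off, and the Windows XP firewall disabled.
"""
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample: lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\xxyxYsSK.dll [2008-04-08 10:48 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-02 19:24 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaXOE]
rqRHaXOE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxYsSK]
xxyxYsSK.dll 2008-04-08 10:48 38912 C:\WINDOWS\system32\xxyxYsSK.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# A full drive-letter path is preferred; a bare file name is the fallback.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.dll", re.IGNORECASE)
NAME_RE = re.compile(r"[\w!-]+\.dll", re.IGNORECASE)


def first_dll(text: str) -> Optional[str]:
    """Return the DLL a load-point value line refers to, or None."""
    m = PATH_RE.search(text) or NAME_RE.search(text)
    return m.group(0) if m else None


def looks_random(stem: str) -> bool:
    """Heuristic (assumption) for Vundo-style names: exactly 8 letters that flip
    case 3+ times or contain at most one vowel. SASWINLO (one case, three vowels)
    is not flagged; xxyxYsSK and rqRHaXOE are."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return flips >= 3 or vowels <= 1


def classify_dll(dll: str) -> Optional[str]:
    """Return a finding kind for a load-point DLL, or None if it looks benign."""
    if "\\" not in dll:
        # Bare name: ComboFix found no file on disk, yet the registry entry
        # remains and winlogon still tries to load it (HijackThis: "file missing").
        return "orphaned"
    folder = ntpath.dirname(dll).lower()
    stem = ntpath.splitext(ntpath.basename(dll))[0]
    if folder.endswith("\\system32") and looks_random(stem):
        return "random_name_in_system32"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Walk the REGEDIT4-style section and return (kind, subject) findings in log order."""
    findings: List[Tuple[str, str]] = []
    key_raw = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key_raw = line[1:-1]  # new registry key header
            continue
        key = key_raw.lower()
        leaf = key_raw.rsplit("\\", 1)[-1]
        if "\\winlogon\\notify\\" in key or key.endswith("\\explorer\\shellexecutehooks"):
            dll = first_dll(line)
            kind = classify_dll(dll) if dll else None
            if kind:
                where = "winlogon_notify" if "\\notify\\" in key else "shellexecutehook"
                findings.append((f"{where}:{kind}", dll))
        elif "\\security center\\monitoring\\" in key and line.lower().startswith('"disablemonitoring"=dword:00000001'):
            findings.append(("security_center_monitoring_disabled", leaf))
        elif key.endswith("firewallpolicy\\standardprofile") and line.lower().startswith('"enablefirewall"= 0'):
            findings.append(("firewall_disabled", leaf))
    return findings


if __name__ == "__main__":
    for kind, subject in triage(SAMPLE_LOG):
        print(f"{kind:45} {subject}")
```

Vendor entries such as SUPERAntiSpyware's SASSEH.DLL and SASWINLO.DLL pass through unflagged, while both load points for xxyxYsSK.dll, the orphaned rqRHaXOE entry, the disabled Symantec monitoring and the disabled firewall are reported.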
#92
justine123

    Member

  • Topic Starter
  • Member
  • 82 posts
It worked! Here's the log from ComboFix:

ComboFix 08-04-07.5 - Jenny Zhao 2008-04-08 10:45:26.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.537 [GMT -4:00]
Running from: C:\Documents and Settings\Jenny Zhao\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jenny Zhao\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbbac1797.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BacfLRqr.ini
C:\WINDOWS\system32\BacfLRqr.ini2
C:\WINDOWS\system32\ddcAtuTL.dll
C:\WINDOWS\system32\gixdncfd.ini
C:\WINDOWS\system32\knewlysr.dll
C:\WINDOWS\system32\ktpobcsq.dll
C:\WINDOWS\system32\lcbmxxkn.dll
C:\WINDOWS\system32\nnnllKAr.dll
C:\WINDOWS\system32\pyegtnmd.dll
C:\WINDOWS\system32\rqRHaXOE.dll
C:\WINDOWS\system32\rqRJAqPI.dll
C:\WINDOWS\system32\rqRLeeBQ.dll
C:\WINDOWS\system32\rqRLfcaB.dll
C:\WINDOWS\system32\rsylwenk.ini
C:\WINDOWS\system32\sbmajava.dll
C:\WINDOWS\system32\ulecybox.dll
C:\WINDOWS\system32\xobycelu.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-07 20:33 . 2008-04-07 20:33 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-07 09:07 . 2008-04-07 09:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-06 18:19 . 2008-04-06 18:19 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-06 18:01 . 2008-04-06 18:01 <DIR> d-------- C:\WINDOWS\system32\regdacl
2008-04-06 18:01 . 2008-04-06 20:40 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2008-04-06 18:01 . 2008-04-06 20:40 53,248 --a------ C:\WINDOWS\system32\process.exe
2008-04-06 18:01 . 2008-04-06 20:40 16,384 --a------ C:\WINDOWS\system32\restart.exe
2008-04-06 18:01 . 2008-04-06 20:40 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2008-04-06 10:55 . 2008-04-06 10:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 10:55 . 2008-04-06 10:55 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Malwarebytes
2008-04-06 10:55 . 2008-04-06 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-06 08:34 . 2008-04-06 19:27 250 --a------ C:\WINDOWS\gmer.ini
2008-04-06 08:20 . 2008-04-06 08:20 <DIR> d-------- C:\Deckard
2008-04-05 18:04 . 2008-04-05 18:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-02 23:32 . 2008-04-02 23:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 19:02 . 2008-04-02 19:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 18:39 . 2008-04-02 18:46 <DIR> d-------- C:\Program Files\Panda Security
2008-04-02 18:39 . 2008-04-02 18:44 1,859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38 . 2008-04-02 19:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 17:04 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-02 06:31 . 2008-04-02 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30 . 2008-04-06 08:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37 . 2008-04-01 16:15 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35 . 2008-03-31 23:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34 . 2008-03-31 23:36 <DIR> d-------- C:\Program Files\Windows Live
2008-03-31 23:34 . 2008-03-31 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57 . 2008-03-31 19:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:56 . 2008-03-31 19:56 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55 . 2008-03-31 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54 . 2008-03-31 19:57 <DIR> d-------- C:\WinFast WorkArea
2008-03-31 19:54 . 2008-03-31 19:56 <DIR> d-------- C:\WFDB
2008-03-31 19:54 . 2008-03-31 19:54 <DIR> d-------- C:\Program Files\WinFast
2008-03-31 19:54 . 2007-02-26 20:20 49,152 --a------ C:\WINDOWS\system32\TempDel.EXE
2008-03-31 19:54 . 2005-01-06 16:55 9,446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys
2008-03-31 19:46 . 2006-04-20 14:50 59,776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys
2008-03-31 19:46 . 2006-04-20 15:20 19,456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys
2008-03-31 19:46 . 2006-04-20 14:49 9,600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys
2008-03-31 19:34 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-31 19:32 . 2008-03-31 19:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28 . 2008-03-31 19:29 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27 . 2008-03-31 19:27 <DIR> dr-h----- C:\MSOCache
2008-03-31 19:27 . 2008-04-02 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 17:53 . 2008-03-31 18:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:53 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-31 17:46 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-31 17:46 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-31 17:46 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-31 17:45 . 2008-03-31 17:45 <DIR> d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:44 . 2008-03-31 17:44 0 --a------ C:\WINDOWS\vpc32.INI
2008-03-31 17:32 . 2008-04-08 10:47 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Symantec
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 17:32 . 2006-09-18 18:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 17:32 . 2006-09-18 18:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 13:00 . 2004-08-03 20:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-03-31 13:00 . 2004-08-03 18:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a--c--- C:\WINDOWS\system32\dllcache\usbui.dll
2008-03-31 13:00 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a--c--- C:\WINDOWS\system32\dllcache\agp440.sys
2008-03-31 13:00 . 2004-08-03 18:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 14:48 38,912 ----a-w C:\WINDOWS\system32\xxyxYsSK.dll
2008-03-31 23:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 23:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 23:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 23:01 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-03-31 22:58 --------- d-----w C:\Program Files\Logitech
2008-03-31 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 22:22 --------- d-----w C:\Program Files\Analog Devices
2008-03-31 22:20 --------- d-----w C:\Program Files\Intel
2008-03-31 22:07 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-03-19 12:01 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-10-18 13:47 876544]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\xxyxYsSK.dll [2008-04-08 10:48 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-02 19:24 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaXOE]
rqRHaXOE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxYsSK]
xxyxYsSK.dll 2008-04-08 10:48 38912 C:\WINDOWS\system32\xxyxYsSK.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2002-08-29 07:52]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2006-04-20 14:50]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 15:20]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 14:49]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 16:55]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 10:48:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xxyxYsSK.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-04-08 10:50:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-08 14:50:05
ComboFix2.txt 2008-04-06 18:38:10
Pre-Run: 115,367,399,424 bytes free
Post-Run: 115,350,528,000 bytes free


And here's a new DSS log, in case you want to have a look:

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-08 10:51:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:19 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rqRHaXOE - rqRHaXOE.dll (file missing)
O20 - Winlogon Notify: xxyxYsSK - C:\WINDOWS\SYSTEM32\xxyxYsSK.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6379 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 10:50:19 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-08 10:48:59 38912 --a------ C:\WINDOWS\system32\xxyxYsSK.dll
2008-04-07 20:33:42 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-07 09:07:20 0 d-------- C:\WINDOWS\ERUNT
2008-04-06 18:19:00 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-06 18:01:09 16384 --a------ C:\WINDOWS\system32\restart.exe <Not Verified; WareSoft Software; restart>
2008-04-06 18:01:09 0 d-------- C:\WINDOWS\system32\regdacl
2008-04-06 18:01:09 90112 --a------ C:\WINDOWS\system32\regdacl.exe <Not Verified; Frank Heyne Software; RegTools>
2008-04-06 18:01:09 4096 --a------ C:\WINDOWS\system32\reboot.exe
2008-04-06 18:01:09 53248 --a------ C:\WINDOWS\system32\process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 10:55:53 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Malwarebytes
2008-04-06 10:55:48 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 10:55:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 18:04:13 0 d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-05 12:07:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-05 12:07:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-05 12:07:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-05 12:07:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-05 12:07:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-05 12:07:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-05 12:07:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-05 12:07:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 19:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 19:41:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 --a------ C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 2097152 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\xxyxYsSK.dll [04/08/2008 10:48 AM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaXOE]
rqRHaXOE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxYsSK]
xxyxYsSK.dll 04/08/2008 10:48 AM 38912 C:\WINDOWS\system32\xxyxYsSK.dll




-- End of Deckard's System Scanner: finished at 2008-04-08 10:52:16 ------------

#93
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Not quite, but on another note that seems to have done a nice job

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\xxyxYsSK.dll

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaXOE]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxYsSK]

SysRes::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new DSS log
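The CFScript above removes three things the ComboFix log in the previous post lists: a ShellExecuteHooks entry and two Winlogon Notify packages that load a freshly written DLL from system32. As an added example (not part of this thread, not ComboFix's own code, and not from any tool named here), the Python below does that reading mechanically: it parses the registry sections of a ComboFix log, flags load points that sit in system32 and carry a random-looking name, and compares two logs so a hook CLSID that survives with a new DLL behind it stands out. The sample text is copied from the two ComboFix logs posted in this thread; the "eight mixed-case letters" test is an assumption tuned to the file names seen here, and the regexes and function names are mine.

```python
"""Triage helper for the registry sections of a ComboFix log (added example; not from the
thread, from ComboFix, or from any tool named in it). It flags the two load points the
CFScript above removes and shows the hook CLSID surviving a DLL rename between runs."""
import re
from dataclasses import dataclass

# Registry sections copied from the two ComboFix logs posted in this thread (not constructed).
LOG_BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\xxyxYsSK.dll [04/08/2008 10:48 AM 38912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaXOE]
rqRHaXOE.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyxYsSK]
xxyxYsSK.dll 04/08/2008 10:48 AM 38912 C:\WINDOWS\system32\xxyxYsSK.dll
"""
LOG_AFTER = r"""
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\ssqPifcC.dll [2008-04-08 11:20 38912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPifcC]
ssqPifcC.dll 2008-04-08 11:20 38912 C:\WINDOWS\system32\ssqPifcC.dll
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
HOOK_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"\s*=\s*(.+?)\s*\[')
FULLPATH_RE = re.compile(r'([A-Za-z]:\\[^:]*\.dll)\s*$', re.I)  # last full path on the line
DLLNAME_RE = re.compile(r'([^\s\\]+\.dll)', re.I)               # bare file name fallback

@dataclass
class LoadPoint:
    kind: str         # 'ShellExecuteHooks' or 'WinlogonNotify'
    ident: str        # hook CLSID or Winlogon Notify package name
    path: str         # DLL path (or bare name) exactly as ComboFix logged it
    suspicious: bool

def in_system32(path):
    # A bare name under Winlogon\Notify is loaded from system32; so is an explicit path there.
    return '\\' not in path or '\\system32\\' in path.lower()

def looks_random(filename):
    # Assumption tuned to this thread: the dropped files were eight mixed-case letters.
    # Weak alone (SASWINLO.DLL is also eight letters), so it is only combined with location.
    stem = filename.rsplit('.', 1)[0]
    return len(stem) == 8 and stem.isalpha() and not (stem.isupper() or stem.islower())

def make_point(kind, ident, path):
    name = path.rsplit('\\', 1)[-1]
    return LoadPoint(kind, ident, path, in_system32(path) and looks_random(name))

def parse_load_points(log_text):
    """Every ShellExecuteHooks entry and Winlogon Notify package listed in the log, in order."""
    points, current = [], None
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            if name.lower().endswith('\\shellexecutehooks'):
                current = ('ShellExecuteHooks', None)
            elif '\\winlogon\\notify\\' in name.lower():
                current = ('WinlogonNotify', name.rsplit('\\', 1)[1])
            else:
                current = None          # some other key; ignore its values
            continue
        if current is None:
            continue
        kind, ident = current
        if kind == 'ShellExecuteHooks':
            hook = HOOK_RE.match(line)
            if hook:
                points.append(make_point(kind, hook.group(1), hook.group(2)))
        else:
            # One data line per Notify key: "<dll> [<date> <size> <full path>]"
            full, bare = FULLPATH_RE.search(line), DLLNAME_RE.search(line)
            if bare:
                points.append(make_point(kind, ident, full.group(1) if full else bare.group(1)))
            current = None
    return points

def triage(log_text):
    """Only the load points worth a second look (in system32 and random-looking)."""
    return [p for p in parse_load_points(log_text) if p.suspicious]

def hook_changes(before, after):
    """Hook CLSIDs present in both logs but pointing at a different DLL: the registry entry
    survived and was re-pointed at a freshly dropped file, as the second run here shows."""
    b = {p.ident: p.path for p in before if p.kind == 'ShellExecuteHooks'}
    a = {p.ident: p.path for p in after if p.kind == 'ShellExecuteHooks'}
    return {c: (b[c], a[c]) for c in b if c in a and b[c].lower() != a[c].lower()}
```

Run on the first log, `triage()` returns exactly the three entries the CFScript targets and leaves the SUPERAntiSpyware entries alone; run across both logs, `hook_changes()` reports the {BFA7416F-...} hook still present but now loading ssqPifcC.dll, which is why the script removes the CLSID value itself rather than only the file. The name heuristic is deliberately weak and is never used without the location check; an analyst still confirms each hit against the file's creation time and the process it was loaded into, both of which ComboFix prints.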

#94
justine123 (Topic Starter, Member, 82 posts)
Here's the ComboFix log:

ComboFix 08-04-07.5 - Jenny Zhao 2008-04-08 11:17:27.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.629 [GMT -4:00]
Running from: C:\Documents and Settings\Jenny Zhao\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jenny Zhao\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\xxyxYsSK.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bmcjjfgw.dll
C:\WINDOWS\system32\iiffCRkJ.dll
C:\WINDOWS\system32\JkRCffii.ini
C:\WINDOWS\system32\JkRCffii.ini2
C:\WINDOWS\system32\kyhqpyjp.dll
C:\WINDOWS\system32\pjypqhyk.ini
C:\WINDOWS\system32\uegrsndm.dll
C:\WINDOWS\system32\xxyxYsSK.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 10:59 . 2008-04-08 10:59 3,648 --a------ C:\WINDOWS\system32\gwwxurmx.dll
2008-04-07 20:33 . 2008-04-07 20:33 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-07 09:07 . 2008-04-07 09:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-06 18:19 . 2008-04-06 18:19 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-06 18:01 . 2008-04-06 18:01 <DIR> d-------- C:\WINDOWS\system32\regdacl
2008-04-06 18:01 . 2008-04-06 20:40 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2008-04-06 18:01 . 2008-04-06 20:40 53,248 --a------ C:\WINDOWS\system32\process.exe
2008-04-06 18:01 . 2008-04-06 20:40 16,384 --a------ C:\WINDOWS\system32\restart.exe
2008-04-06 18:01 . 2008-04-06 20:40 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2008-04-06 10:55 . 2008-04-06 10:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 10:55 . 2008-04-06 10:55 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Malwarebytes
2008-04-06 10:55 . 2008-04-06 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-06 08:34 . 2008-04-06 19:27 250 --a------ C:\WINDOWS\gmer.ini
2008-04-06 08:20 . 2008-04-06 08:20 <DIR> d-------- C:\Deckard
2008-04-05 18:04 . 2008-04-05 18:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-02 23:32 . 2008-04-02 23:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 19:02 . 2008-04-02 19:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 18:39 . 2008-04-02 18:46 <DIR> d-------- C:\Program Files\Panda Security
2008-04-02 18:39 . 2008-04-02 18:44 1,859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38 . 2008-04-02 19:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 17:04 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-02 06:31 . 2008-04-02 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30 . 2008-04-06 08:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37 . 2008-04-01 16:15 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35 . 2008-03-31 23:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34 . 2008-03-31 23:36 <DIR> d-------- C:\Program Files\Windows Live
2008-03-31 23:34 . 2008-03-31 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57 . 2008-03-31 19:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:56 . 2008-03-31 19:56 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55 . 2008-03-31 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54 . 2008-03-31 19:57 <DIR> d-------- C:\WinFast WorkArea
2008-03-31 19:54 . 2008-03-31 19:56 <DIR> d-------- C:\WFDB
2008-03-31 19:54 . 2008-03-31 19:54 <DIR> d-------- C:\Program Files\WinFast
2008-03-31 19:54 . 2007-02-26 20:20 49,152 --a------ C:\WINDOWS\system32\TempDel.EXE
2008-03-31 19:54 . 2005-01-06 16:55 9,446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys
2008-03-31 19:46 . 2006-04-20 14:50 59,776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys
2008-03-31 19:46 . 2006-04-20 15:20 19,456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys
2008-03-31 19:46 . 2006-04-20 14:49 9,600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys
2008-03-31 19:34 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-31 19:32 . 2008-03-31 19:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28 . 2008-03-31 19:29 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27 . 2008-03-31 19:27 <DIR> dr-h----- C:\MSOCache
2008-03-31 19:27 . 2008-04-02 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 17:53 . 2008-03-31 18:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:53 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-31 17:46 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-31 17:46 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-31 17:46 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-31 17:45 . 2008-03-31 17:45 <DIR> d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:44 . 2008-03-31 17:44 0 --a------ C:\WINDOWS\vpc32.INI
2008-03-31 17:32 . 2008-04-08 11:18 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Symantec
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 17:32 . 2006-09-18 18:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 17:32 . 2006-09-18 18:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 13:00 . 2004-08-03 20:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-03-31 13:00 . 2004-08-03 18:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a--c--- C:\WINDOWS\system32\dllcache\usbui.dll
2008-03-31 13:00 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a--c--- C:\WINDOWS\system32\dllcache\agp440.sys
2008-03-31 13:00 . 2004-08-03 18:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 23:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 23:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 23:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 23:01 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-03-31 22:58 --------- d-----w C:\Program Files\Logitech
2008-03-31 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 22:22 --------- d-----w C:\Program Files\Analog Devices
2008-03-31 22:20 --------- d-----w C:\Program Files\Intel
2008-03-31 22:07 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-04-08_10.49.47.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-08 15:20:26 38,912 ----a-w C:\WINDOWS\system32\ssqPifcC.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-03-19 12:01 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-10-18 13:47 876544]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\ssqPifcC.dll [2008-04-08 11:20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-02 19:24 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPifcC]
ssqPifcC.dll 2008-04-08 11:20 38912 C:\WINDOWS\system32\ssqPifcC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2002-08-29 07:52]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2006-04-20 14:50]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 15:20]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 14:49]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 16:55]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 11:20:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqPifcC.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-04-08 11:21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-08 15:21:22
ComboFix2.txt 2008-04-08 14:50:18
ComboFix3.txt 2008-04-06 18:38:10
Pre-Run: 115,389,169,664 bytes free
Post-Run: 115,376,467,968 bytes free


And the DSS log:

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-08 11:21:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:45 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: ssqPifcC - C:\WINDOWS\SYSTEM32\ssqPifcC.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6395 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 11:21:36 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-08 11:20:26 38912 --a------ C:\WINDOWS\system32\ssqPifcC.dll
2008-04-08 10:59:20 3648 --a------ C:\WINDOWS\system32\gwwxurmx.dll
2008-04-07 20:33:42 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-07 09:07:20 0 d-------- C:\WINDOWS\ERUNT
2008-04-06 18:19:00 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-06 18:01:09 16384 --a------ C:\WINDOWS\system32\restart.exe <Not Verified; WareSoft Software; restart>
2008-04-06 18:01:09 0 d-------- C:\WINDOWS\system32\regdacl
2008-04-06 18:01:09 90112 --a------ C:\WINDOWS\system32\regdacl.exe <Not Verified; Frank Heyne Software; RegTools>
2008-04-06 18:01:09 4096 --a------ C:\WINDOWS\system32\reboot.exe
2008-04-06 18:01:09 53248 --a------ C:\WINDOWS\system32\process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 10:55:53 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Malwarebytes
2008-04-06 10:55:48 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 10:55:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 18:04:13 0 d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-05 12:07:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-05 12:07:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-05 12:07:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-05 12:07:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-05 12:07:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-05 12:07:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-05 12:07:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-05 12:07:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 19:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 19:41:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 --a------ C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 2097152 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\ssqPifcC.dll [04/08/2008 11:20 AM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPifcC]
ssqPifcC.dll 04/08/2008 11:20 AM 38912 C:\WINDOWS\system32\ssqPifcC.dll




-- End of Deckard's System Scanner: finished at 2008-04-08 11:22:46 ------------
  • 0

#95
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello Justine

I am just waiting for feedback concerning a feature of the tool ComboFix, which will help me come up with a solution to your problem.

It will take a little while though, as your infection is being really difficult.
  • 0

#96
justine123

    Member

  • Topic Starter
  • Member
  • 82 posts
Hi! Thanks for letting me know and also for your help :)
  • 0

#97
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.



Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\Temp\removalfile.bat

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.




Download Silent Runners and extract it to a new folder on your Desktop.
Run the Silent Runners.vbs file.
You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
This script is not malicious so please allow it.
A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.



Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

Edited by Rorschach112, 08 April 2008 - 03:38 PM.

  • 0
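The Silent Runners log requested above is normally read by eye: the tag in trailing square brackets is the publisher string Silent Runners pulled from the module's version resource, "[null data]" means it found none, "<<!>>" marks a launch point that loads code very early, and a "[MS]" on a rundll32 line describes rundll32.exe itself, not the DLL it is told to load. As an added example (not code from this thread, from Silent Runners or from its author), the Python script below applies those same cues mechanically. The sample lines are constructed in the log's layout, reusing the CLSIDs and DLL names that appear in the logs posted in this thread; the scoring rules and the "eight letters, no digits" name cue are this example's own heuristics, not part of the tool.

```python
"""Offline triage of a Silent Runners-style log (an added example, not code
from this thread or from Silent Runners). It scores each loaded module from
cues the log already prints: the publisher tag in trailing square brackets,
the <<!>> marker on sensitive launch points, and rundll32-hosted DLLs whose
[MS] tag describes rundll32 itself rather than the DLL it loads."""
import re
from dataclasses import dataclass, field

# Constructed sample in the Silent Runners output layout; the CLSIDs and DLL
# names are the ones from the logs in this thread, the line selection is ours.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"b89f240b" = "rundll32.exe "C:\WINDOWS\system32\bknjsmfp.dll",b" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
<<!>> "{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" = "*k" (unwritable string)
\InProcServer32\(Default) = "C:\WINDOWS\system32\rqRJDstQ.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
<<!>> rqRJDstQ\DLLName = "rqRJDstQ.dll" [null data]
'''

DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:dll|exe)\b', re.IGNORECASE)
BARE_DLL_RE = re.compile(r'"([^"\\/:]+\.dll)"', re.IGNORECASE)
TAG_RE = re.compile(r'\[([^\[\]]*)\]\s*$')
# Eight letters, no digits: the naming pattern of the DLLs in this thread's
# logs. A cue only; it is never applied to a module with a publisher string.
RANDOM_DLL_RE = re.compile(r'^[A-Za-z]{8}\.dll$', re.IGNORECASE)


@dataclass
class Finding:
    name: str            # file name of the module
    module: str          # path or bare name exactly as the log showed it
    launch_point: str    # registry branch the entry lives under
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if len(self.reasons) >= 2 else "low"


def extract_module(line):
    """Return the DLL/EXE the line refers to, or None for header/title lines."""
    m = DRIVE_PATH_RE.search(line)
    if m:
        return m.group(0)
    m = BARE_DLL_RE.search(line)
    return m.group(1) if m else None


def triage(log_text):
    """Return the modules Silent Runners could not tie to a publisher, scored."""
    findings, branch, pending_sensitive = [], "", False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("HK"):          # section header: a registry branch
            branch, pending_sensitive = line, False
            continue
        module, tag_m = extract_module(line), TAG_RE.search(line)
        if module is None or tag_m is None:
            # A <<!>> CLSID line carries the marker; its path is on the next line.
            if line.startswith("<<!>>"):
                pending_sensitive = True
            continue
        sensitive = line.startswith("<<!>>") or pending_sensitive
        pending_sensitive = False
        tag = tag_m.group(1).strip().strip('"')
        name = module.rsplit("\\", 1)[-1]
        reasons = []
        if tag.lower() == "null data":
            reasons.append("no embedded version/publisher information")
        elif "rundll32.exe" in line.lower():
            reasons.append("rundll32 host: the [MS] tag is rundll32's, not the DLL's")
        else:
            continue  # tag is a publisher string read from the module itself
        if RANDOM_DLL_RE.match(name) and ("system32" in module.lower() or "\\" not in module):
            reasons.append("random-looking 8-letter name in system32")
        if sensitive:
            reasons.append("registered at a <<!>> launch point (" + branch + ")")
        findings.append(Finding(name, module, branch, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.module}")
        for r in f.reasons:
            print("    -", r)
```

On the sample, the two Symantec and SuperAntiSpyware entries drop out because they carry a publisher string, WinRAR's rarext.dll comes back as "low" (no version info, but an ordinary name under Program Files), and the rundll32-loaded and Winlogon/ShellExecuteHooks DLLs come back as "high". The point for a helper reading such a log is that "[null data]" alone is only a prompt to look closer; it is the combination with a launch point and an unfamiliar name that singles out the entries worth removing.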

#98
justine123

    Member

  • Topic Starter
  • Member
  • 82 posts
Here are the results from VirusTotal. I'm going to do the other steps now.


File has already been analysed:
MD5: 9a7ef09167a6f4433681b94351509043
Date: 04.08.2008 02:38:45 (CET) [<1D]
Results: 4/30
Permalink: analisis/b4cfe1f4a4a370a6fa606d3fd6c179bf

Here are the results from the permalink above:

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eTrust-Vet - - -
Ewido - - Not-A-Virus.Adware.Virtumonde
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - Win32/Adware.Virtumonde
Norman - - BAT/Virtumonde.QP
Panda - - -
Prevx1 - - Generic.Malware
Rising - - -
Sophos - - -
Sunbelt - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 9a7ef09167a6f4433681b94351509043
SHA1: 259b1375ed8e84943ca1d42646bb416325c89e12
SHA256: d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7
SHA512: 96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df

Edited by justine123, 08 April 2008 - 03:50 PM.

  • 0
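The pasted VirusTotal table can be read mechanically, which is useful when several such results have to be compared. As an added example (not VirusTotal's code, and independent of its API), the Python below parses the vendor table posted above into per-engine verdicts, derives the same "4/30" ratio, counts how many engines agree on a family name rather than a generic label, and sanity-checks the pasted hashes, including the SHA512 that the forum wrapped across two lines. The table and hash values are copied from the post above; the set of "generic" tokens ignored when measuring agreement is this example's own choice.

```python
"""Read a pasted VirusTotal result table into per-engine verdicts (added
example; not VirusTotal code, and independent of its API). The table and
hash values below are copied from the post above; the layout is
'engine version last-update result' with '-' for an empty cell."""
import re

RESULT_TABLE = """\
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eTrust-Vet - - -
Ewido - - Not-A-Virus.Adware.Virtumonde
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - Win32/Adware.Virtumonde
Norman - - BAT/Virtumonde.QP
Panda - - -
Prevx1 - - Generic.Malware
Rising - - -
Sophos - - -
Sunbelt - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
"""

# Hashes as pasted; the SHA512 keeps the line break the forum inserted.
PASTED_HASHES = {
    "MD5": "9a7ef09167a6f4433681b94351509043",
    "SHA1": "259b1375ed8e84943ca1d42646bb416325c89e12",
    "SHA256": "d5739a0510d89da572eb0b0d394d4fb4dd361cd9ee0144b9b31c590df93c3be7",
    "SHA512": "96b84cd88a0e4b7c1122af3ed6ce5edf0a9a4e9bf79575eadfac16b2c46f1278d57755d29f21d7c6\n"
              "dcb4403be24b7ac7da4837c6cc9c602342a8f2b8e54883df",
}
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Tokens that name a category rather than a family (our choice); ignored when
# measuring whether engines agree on what the sample is.
GENERIC_TOKENS = {"not", "a", "virus", "adware", "win32", "w32", "generic",
                  "malware", "trojan", "bat", "heur", "variant", "application"}


def parse_results(table):
    """Map engine name -> detection string, or None where the engine reported '-'."""
    verdicts = {}
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Antivirus":
            continue  # header or malformed line
        result = " ".join(parts[3:])  # detection names may contain spaces
        verdicts[parts[0]] = None if result == "-" else result
    return verdicts


def detection_ratio(verdicts):
    """(positives, engines): the pair VirusTotal prints as 'Results: 4/30'."""
    return sum(v is not None for v in verdicts.values()), len(verdicts)


def family_consensus(verdicts):
    """Count, per family token, how many engines used it in their name."""
    counts = {}
    for result in verdicts.values():
        if result is None:
            continue
        seen = set()
        for token in re.split(r"[^A-Za-z0-9]+", result):
            t = token.lower()
            if len(t) <= 2 or t in GENERIC_TOKENS or t in seen:
                continue
            seen.add(t)
            counts[t] = counts.get(t, 0) + 1
    return counts


def check_hashes(hashes):
    """True per algorithm when the pasted value, with any line wrap removed,
    is hex of the right length for that digest."""
    ok = {}
    for algo, value in hashes.items():
        digest = "".join(value.split())
        ok[algo] = (len(digest) == EXPECTED_HEX_LEN[algo]
                    and re.fullmatch(r"[0-9a-fA-F]+", digest) is not None)
    return ok


if __name__ == "__main__":
    v = parse_results(RESULT_TABLE)
    print("detections: %d/%d" % detection_ratio(v))
    print("family consensus:", family_consensus(v))
    print("hash lengths ok:", check_hashes(PASTED_HASHES))
```

Three of the four positives name the same family, which is a stronger signal than the raw 4/30 suggests: a single generic hit from one engine is weak, while independent engines converging on one family name is the kind of agreement a helper relies on before adding a file to a removal script.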

#99
justine123

    Member

  • Topic Starter
  • Member
  • 82 posts
Here's the Silent Runners log:

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MsnMsgr" = ""C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" ["Analog Devices, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"LogitechCommunicationsManager" = ""C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"" ["Logitech Inc."]
"LogitechQuickCamRibbon" = ""C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide" ["Logitech Inc."]
"WinFast Schedule" = "C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" ["Leadtek Research Inc."]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"b89f240b" = "rundll32.exe "C:\WINDOWS\system32\bknjsmfp.dll",b" [MS]
"BMbbac1797" = "Rundll32.exe "C:\WINDOWS\system32\hjoydfiq.dll",s" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{2C6FB704-E8AE-4036-8BA8-2F4E92BAFFEC}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\urqOGXqR.dll" [null data]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\rqRJDstQ.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
<<!>> "{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" = "*k" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\rqRJDstQ.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL" ["SUPERAntiSpyware.com"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
<<!>> rqRJDstQ\DLLName = "rqRJDstQ.dll" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
LVCOMSer, LVCOMSer, ""C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe"" ["Logitech Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"" [MS]
Process Monitor, LVPrcSrv, ""C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"" ["Logitech Inc."]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
ssgb6 Langmon\Driver = "ssgb6mon.dll" ["Samsung Electronics."]


---------- (launch time: 2008-04-08 17:51:49)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 17 seconds.
---------- (total run time: 73 seconds)


And here's the BitDefender report. The output was in HTML format, so I attached it too, in case it's easier for you to view that, since the copy and paste distorted the chart:

BitDefender Online Scanner

Scan report generated at: Tue, Apr 08, 2008 - 18:21:14

Scan path: A:\;C:\;D:\;

Statistics
Time: 00:16:07
Files: 60566
Folders: 2573
Boot Sectors: 2
Archives: 624
Packed Files: 3867

Results
Identified Viruses: 2
Infected Files: 3
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 1132478
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 41
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\Documents and Settings\Jenny Zhao\Local Settings\Temporary Internet Files\Content.IE5\R42ACZ1L\index[1].htm
    Detected with: Adware.SystemErrorFixer.A
    Disinfection failed
    Deleted
C:\Documents and Settings\Jenny Zhao\Local Settings\Temporary Internet Files\Content.IE5\T03I96B4\clean[1].htm
    Detected with: Adware.SystemErrorFixer.A
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007059.sys
    Infected with: Trojan.Agent.AFQN
    Deleted


  • 0

#100
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\gwwxurmx.dll
C:\WINDOWS\system32\ssqPifcC.dll
C:\WINDOWS\Temp\removalfile.bat
C:\WINDOWS\system32\bknjsmfp.dll
C:\WINDOWS\system32\hjoydfiq.dll
C:\WINDOWS\system32\urqOGXqR.dll
C:\WINDOWS\system32\rqRJDstQ.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C6FB704-E8AE-4036-8BA8-2F4E92BAFFEC}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqRJDstQ
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPifcC

Registry values to delete:
hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks | {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | HideLogoffScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | RunLogonScriptSync


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log by using Add/Reply
  • 0
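The Avenger script in the post above has three sections ("Files to delete:", "Registry keys to delete:", "Registry values to delete:" with a "key | value" separator), and its pre-processor only acts on registry entries under HKEY_LOCAL_MACHINE, which is why the two HKCU policy lines were skipped. As an added example (not The Avenger's own code), this Python linter parses a script into those sections and reports, before anything is run, the lines Avenger would reject; the sample script is constructed with placeholder names, apart from the Temp .bat path and the two HKCU lines taken from the post.

```python
"""Lint an Avenger-style removal script before running it.

Added example, not code from The Avenger. Assumptions: the three section
headers and the "key | value" separator follow the script posted in the
thread; the HKLM-only rule follows the pre-processor error in the log.
"""
from dataclasses import dataclass, field

# Section headers as they appear in the posted script (matched case-insensitively).
SECTIONS = {
    "files to delete:": "files",
    "registry keys to delete:": "reg_keys",
    "registry values to delete:": "reg_values",
}

# Both hive spellings occur in the posted script and were accepted by The Avenger.
HKLM_PREFIXES = ("hklm\\", "hkey_local_machine\\")
HKLM_ONLY_MSG = ("Only registry keys under the HKEY_LOCAL_MACHINE hive are "
                 "accessible to this program; line would be skipped")


@dataclass
class ParsedScript:
    files: list = field(default_factory=list)
    reg_keys: list = field(default_factory=list)
    reg_values: list = field(default_factory=list)  # (key, value_name) pairs
    errors: list = field(default_factory=list)      # (line_no, message) pairs


def is_hklm(path: str) -> bool:
    """True when a registry path is rooted in HKEY_LOCAL_MACHINE (any case)."""
    return path.strip().lower().startswith(HKLM_PREFIXES)


def parse_avenger_script(text: str) -> ParsedScript:
    """Split the script into sections and record every line Avenger would reject."""
    result = ParsedScript()
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        header = SECTIONS.get(line.lower())
        if header is not None:
            section = header
            continue
        if section is None:
            result.errors.append((line_no, "entry appears before any section header"))
        elif section == "files":
            result.files.append(line)
        elif section == "reg_keys":
            if is_hklm(line):
                result.reg_keys.append(line)
            else:
                result.errors.append((line_no, HKLM_ONLY_MSG))
        else:  # reg_values: "key | value name"
            if "|" not in line:
                result.errors.append((line_no, "registry value needs 'key | value' syntax"))
                continue
            key, value = (part.strip() for part in line.split("|", 1))
            if is_hklm(key):
                result.reg_values.append((key, value))
            else:
                result.errors.append((line_no, HKLM_ONLY_MSG))
    return result


# Constructed sample: placeholder file and key names, plus the two HKCU policy
# values from the thread, which are exactly the lines the pre-processor skipped.
SAMPLE_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\example_bad.dll
C:\WINDOWS\Temp\removalfile.bat

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\exampleNotify

Registry values to delete:
hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks | {00000000-0000-0000-0000-000000000000}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | HideLogoffScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | RunLogonScriptSync
"""

if __name__ == "__main__":
    parsed = parse_avenger_script(SAMPLE_SCRIPT)
    print(f"{len(parsed.files)} files, {len(parsed.reg_keys)} keys, "
          f"{len(parsed.reg_values)} values accepted")
    for line_no, msg in parsed.errors:
        print(f"line {line_no}: {msg}")
```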



#101
justine123

justine123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
Upon reboot, I got these two notices:

Error loading C:\WINDOWS\system32/bknjsmfp.dll
Error loading C:\WINDOWS\system32\hjoydfiq.dll
(The specified modules could not be found.)

Here is the avenger log:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Apr 08 19:22:51 2008

19:22:41: Error: Invalid registry syntax in command:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|HideLogoffScripts"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:22:47: Error: Invalid registry syntax in command:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|RunLogonScriptSync"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\gwwxurmx.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\ssqPifcC.dll" not found!
Deletion of file "C:\WINDOWS\system32\ssqPifcC.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\Temp\removalfile.bat" deleted successfully.
File "C:\WINDOWS\system32\bknjsmfp.dll" deleted successfully.
File "C:\WINDOWS\system32\hjoydfiq.dll" deleted successfully.
File "C:\WINDOWS\system32\urqOGXqR.dll" deleted successfully.
File "C:\WINDOWS\system32\rqRJDstQ.dll" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C6FB704-E8AE-4036-8BA8-2F4E92BAFFEC}" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqRJDstQ" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPifcC" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPifcC" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks|{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Here is the DSS log:

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-08 19:24:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:43 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: {5782c7f3-3571-6e1a-5674-b9150c172351} - {153271c0-519b-4765-a1e6-17533f7c2875} - C:\WINDOWS\system32\wegjosbd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [b89f240b] rundll32.exe "C:\WINDOWS\system32\bknjsmfp.dll",b
O4 - HKLM\..\Run: [BMbbac1797] Rundll32.exe "C:\WINDOWS\system32\hjoydfiq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rqRKcyyy - C:\WINDOWS\SYSTEM32\rqRKcyyy.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7026 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 19:24:32 38912 --a------ C:\WINDOWS\system32\rqRKcyyy.dll
2008-04-08 18:01:56 0 d-------- C:\WINDOWS\BDOSCAN8
2008-04-08 17:54:42 91712 --a------ C:\WINDOWS\system32\wegjosbd.dll
2008-04-08 17:51:40 3648 --a------ C:\WINDOWS\system32\vxpclcwk.dll
2008-04-08 17:48:40 270470 --ahs---- C:\WINDOWS\system32\RqXGOqru.ini2
2008-04-08 17:44:06 38912 --a------ C:\WINDOWS\system32\yayaXoMg.dll
2008-04-08 11:29:45 3648 --a------ C:\WINDOWS\system32\vebwsuan.dll
2008-04-08 11:21:36 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-07 20:33:42 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-07 09:07:20 0 d-------- C:\WINDOWS\ERUNT
2008-04-06 18:19:00 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-06 18:01:09 16384 --a------ C:\WINDOWS\system32\restart.exe <Not Verified; WareSoft Software; restart>
2008-04-06 18:01:09 0 d-------- C:\WINDOWS\system32\regdacl
2008-04-06 18:01:09 90112 --a------ C:\WINDOWS\system32\regdacl.exe <Not Verified; Frank Heyne Software; RegTools>
2008-04-06 18:01:09 4096 --a------ C:\WINDOWS\system32\reboot.exe
2008-04-06 18:01:09 53248 --a------ C:\WINDOWS\system32\process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 10:55:53 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Malwarebytes
2008-04-06 10:55:48 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 10:55:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 18:04:13 0 d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-05 12:07:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-05 12:07:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-05 12:07:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-05 12:07:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-05 12:07:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-05 12:07:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-05 12:07:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-05 12:07:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 19:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 19:41:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 --a------ C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 2097152 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini
2008-01-09 15:01:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{153271c0-519b-4765-a1e6-17533f7c2875}]
04/08/2008 05:54 PM 91712 --a------ C:\WINDOWS\system32\wegjosbd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"b89f240b"="C:\WINDOWS\system32\bknjsmfp.dll" []
"BMbbac1797"="C:\WINDOWS\system32\hjoydfiq.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\rqRKcyyy.dll [04/08/2008 07:24 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyyy]
rqRKcyyy.dll 04/08/2008 07:24 PM 38912 C:\WINDOWS\system32\rqRKcyyy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-04-08 19:25:42 ------------
  • 0

#102
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Grr it returned

Can you tell me if this file is still there?

C:\WINDOWS\Temp\removalfile.bat


Please run GMER.exe again

  • Select rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Press scan
  • When it has finished press save & post back the log it makes
  • Repeat the process with the Autostarts tab and do the same there



Download the attached zip file, save it to your desktop and unzip it to its own folder.

Double click on Filelist.bat and let it run. A notepad file will pop up; post that in your reply.
  • 0

#103
justine123

    Member

  • Topic Starter
  • Member
  • 82 posts
Yes, that C:\WINDOWS\Temp\removalfile.bat is still there.

Here's the Rootkit report:

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-08 20:00:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 871273B0 ZwAlertResumeThread
SSDT 87127488 ZwAlertThread
SSDT 87116D48 ZwAllocateVirtualMemory
SSDT 8708D5B0 ZwConnectPort
SSDT 87125E70 ZwCreateMutant
SSDT 87085188 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF5F41350]
SSDT 87159888 ZwFreeVirtualMemory
SSDT 871269C0 ZwImpersonateAnonymousToken
SSDT 87126008 ZwImpersonateThread
SSDT 8705D790 ZwMapViewOfSection
SSDT 8711FF30 ZwOpenEvent
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7F2B8AC]
SSDT 871690D8 ZwOpenProcessToken
SSDT 871551A8 ZwOpenThreadToken
SSDT 86FDFBC8 ZwQueryValueKey
SSDT 87174478 ZwResumeThread
SSDT 871543C8 ZwSetContextThread
SSDT 871568F8 ZwSetInformationProcess
SSDT 87153210 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF5F41580]
SSDT 871E1BB0 ZwSuspendProcess
SSDT 87127898 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7F2B812]
SSDT 87127AF0 ZwTerminateThread
SSDT 87157E48 ZwUnmapViewOfSection
SSDT 870D6188 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

? goclkhbm.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\Explorer.EXE[1520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01C72F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01C72CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01C72D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1520] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01C72CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jenny Zhao\Desktop\gmer\gmer.exe[1740] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00372F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jenny Zhao\Desktop\gmer\gmer.exe[1740] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00372CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jenny Zhao\Desktop\gmer\gmer.exe[1740] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00372D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Jenny Zhao\Desktop\gmer\gmer.exe[1740] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00372CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01DE2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01DE2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01DE2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[1892] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01DE2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2132] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2132] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2132] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[2132] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[2604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [008D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[2604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [008D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[2604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [008D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[2604] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [008D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003B2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003B2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003B2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3384] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003B2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4048] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4048] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4048] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4048] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[4368] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\WISPTIS.EXE[5004] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00892F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\WISPTIS.EXE[5004] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00892CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\WISPTIS.EXE[5004] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00892D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\WISPTIS.EXE[5004] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00892CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[5972] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AB2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[5972] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AB2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[5972] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AB2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\rundll32.exe[5972] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AB2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.14 ----


Here's the Autostart report:

GMER 1.0.14.14205 - http://www.gmer.net
Autostart scan 2008-04-08 20:00:50
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
NavLogon@DLLName = C:\WINDOWS\system32\NavLogon.dll
rqRKcyyy@DLLName = rqRKcyyy.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVG Anti-Spyware Guard@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
ccEvtMgr@ = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr@ = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
DefWatch@ = "C:\Program Files\Symantec AntiVirus\DefWatch.exe"
LVCOMSer@ = "C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe"
LVPrcSrv@ = "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"
LVSrvLauncher@ = C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"
SPBBCSvc@ = "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"
Symantec AntiVirus@ = "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
UleadBurningHelper@ = C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SmappC:\Program Files\Analog Devices\SoundMAX\Smtray.exe = C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
@ccApp"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
@vptrayC:\PROGRA~1\SYMANT~1\VPTray.exe = C:\PROGRA~1\SYMANT~1\VPTray.exe
@LogitechCommunicationsManager"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" = "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
@LogitechQuickCamRibbon"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide = "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
@WinFast ScheduleC:\Program Files\WinFast\WFTVFM\WFWIZ.exe = C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
@!AVG Anti-Spyware"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
@Adobe Reader Speed Launcher"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
@b89f240brundll32.exe "C:\WINDOWS\system32\rlkwsiyh.dll",b = rundll32.exe "C:\WINDOWS\system32\rlkwsiyh.dll",b
@BMbbac1797Rundll32.exe "C:\WINDOWS\system32\lgmpoipb.dll",s = Rundll32.exe "C:\WINDOWS\system32\lgmpoipb.dll",s

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MsnMsgr"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background = "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

HKLM\Software\Classes\.scr@ = "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}C:\Program Files\SUPERAntiSpyware\SASSEH.DLL = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
@{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}C:\WINDOWS\system32\rqRKcyyy.dll = C:\WINDOWS\system32\rqRKcyyy.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office12\msohevi.dll = C:\Program Files\Microsoft Office\Office12\msohevi.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll = C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{0D79E2A9-BE78-4FD4-882B-E075A86DFD7D}C:\WINDOWS\system32\mlJBUNET.dll = C:\WINDOWS\system32\mlJBUNET.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
@{ed4c1fa1-5a7b-4b4e-8f03-81e0f6f61121}C:\WINDOWS\system32\advusbpa.dll = C:\WINDOWS\system32\advusbpa.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft...p...&ar=msnhome
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

---- EOF - GMER 1.0.14 ----


And here's the Filelist report:

Tue 04/08/2008 20:01:19.90
Volume in drive C has no label.
Volume Serial Number is B89F-24A4

Directory of C:\

04/08/2008 07:23 PM 5,514 avenger.txt
04/08/2008 07:23 PM 1,072,549,888 hiberfil.sys
04/08/2008 07:23 PM 1,610,612,736 pagefile.sys
04/08/2008 11:21 AM 13,600 ComboFix.txt
04/06/2008 08:42 PM 307 kaflog.txt
03/31/2008 06:20 PM 90 inf.log
03/31/2008 06:07 PM 0 IO.SYS
03/31/2008 06:07 PM 0 MSDOS.SYS
03/31/2008 06:07 PM 0 AUTOEXEC.BAT
03/31/2008 06:07 PM 0 CONFIG.SYS
03/31/2008 06:02 PM 211 boot.ini
08/03/2004 10:59 PM 250,032 ntldr
08/03/2004 10:38 PM 47,564 NTDETECT.COM
13 File(s) 2,683,479,942 bytes
0 Dir(s) 115,402,362,880 bytes free
Volume in drive C has no label.
Volume Serial Number is B89F-24A4

Directory of C:\

Volume in drive C has no label.
Volume Serial Number is B89F-24A4

Directory of C:\WINDOWS

04/08/2008 07:54 PM 250 gmer.ini
04/08/2008 07:31 PM 32,316 BMbbac1797.txt
04/08/2008 07:31 PM 22 pskt.ini
04/08/2008 07:24 PM 0 0.log
04/08/2008 07:24 PM 157 wiadebug.log
04/08/2008 07:24 PM 48 wiaservc.log
04/08/2008 07:23 PM 2,048 bootstat.dat
04/08/2008 07:23 PM 15,158 SchedLgU.Txt
04/08/2008 07:22 PM 1,424,218 WindowsUpdate.log
04/08/2008 06:20 PM 446 cookies.ini
04/08/2008 06:01 PM 488,232 setupapi.log
04/08/2008 11:21 AM 53,248 PSEXESVC.EXE
04/08/2008 11:20 AM 227 system.ini
04/07/2008 09:07 AM 364,856 ntbtlog.txt
04/06/2008 10:11 AM 1,366 gmer.bat
04/06/2008 08:34 AM 80 gmer_uninstall.cmd
04/06/2008 08:34 AM 819,200 gmer.dll
04/02/2008 06:57 PM 242 svcpack.log
04/02/2008 06:44 PM 1,859 mozver.dat
04/02/2008 05:02 PM 176,967 setupact.log
04/01/2008 04:11 PM 11,860 DPINST.LOG
04/01/2008 08:53 AM 4,267 wmsetup.log
03/31/2008 07:57 PM 0 nsreg.dat
03/31/2008 07:55 PM 316,640 WMSysPr9.prx
03/31/2008 07:28 PM 552 win.ini
03/31/2008 06:54 PM 42,060 WgaNotify.log
03/31/2008 06:54 PM 716,708 iis6.log
03/31/2008 06:54 PM 1,374 imsins.log
03/31/2008 06:54 PM 217,970 comsetup.log
03/31/2008 06:54 PM 292,287 tsoc.log
03/31/2008 06:54 PM 130,635 ntdtcsetup.log
03/31/2008 06:54 PM 34,743 ocmsn.log
03/31/2008 06:54 PM 10,950 KB938127-IE7.log
03/31/2008 06:54 PM 32,352 tabletoc.log
03/31/2008 06:54 PM 111,090 netfxocm.log
03/31/2008 06:54 PM 43,987 MedCtrOC.log
03/31/2008 06:54 PM 306,332 ocgen.log
03/31/2008 06:54 PM 31,771 msgsocm.log
03/31/2008 06:54 PM 629,801 FaxSetup.log
03/31/2008 06:54 PM 199,302 msmqinst.log
03/31/2008 06:36 PM 6,272 spupdsvc.log
03/31/2008 06:25 PM 1,374 imsins.BAK
03/31/2008 06:25 PM 83,191 KB943055.log
03/31/2008 06:25 PM 83,011 KB946026.log
03/31/2008 06:25 PM 95,035 KB944533.log
03/31/2008 06:25 PM 93,662 KB944533-IE7.log
03/31/2008 06:25 PM 65,187 updspapi.log
03/31/2008 06:25 PM 84,695 KB943485.log
03/31/2008 06:24 PM 85,630 KB942840.log
03/31/2008 06:24 PM 84,708 KB941644.log
03/31/2008 06:24 PM 75,706 KB941569.log
03/31/2008 06:24 PM 85,843 KB937894.log
03/31/2008 06:24 PM 84,642 KB944653.log
03/31/2008 06:24 PM 84,379 KB941568.log
03/31/2008 06:24 PM 96,311 KB942763.log
03/31/2008 06:24 PM 37,710 ie7_main.log
03/31/2008 06:23 PM 108,758 KB942615-IE7.log
03/31/2008 06:23 PM 93,151 ie7.log
03/31/2008 06:22 PM 38,245 IDNMitigationAPIs.log
03/31/2008 06:22 PM 37,910 NLSDownlevelMapping.log
03/31/2008 06:22 PM 39,655 KB915865.log
03/31/2008 06:21 PM 38,315 KB914440.log
03/31/2008 06:21 PM 79,442 KB943460.log
03/31/2008 06:21 PM 75,674 KB904942.log
03/31/2008 06:20 PM 525 chipset.log
03/31/2008 06:16 PM 48,691 KB936357.log
03/31/2008 06:15 PM 48,299 KB941202.log
03/31/2008 06:15 PM 38,983 KB933729.log
03/31/2008 06:15 PM 46,988 KB936021.log
03/31/2008 06:15 PM 46,759 KB938127.log
03/31/2008 06:15 PM 35,456 KB936782.log
03/31/2008 06:15 PM 47,053 KB938829.log
03/31/2008 06:15 PM 46,493 KB938828.log
03/31/2008 06:15 PM 35,466 KB925398.log
03/31/2008 06:14 PM 45,867 KB935839.log
03/31/2008 06:14 PM 45,498 KB935840.log
03/31/2008 06:14 PM 45,810 KB929123.log
03/31/2008 06:14 PM 36,727 KB927891.log
03/31/2008 06:14 PM 44,821 KB930916.log
03/31/2008 06:14 PM 45,089 KB920213.log
03/31/2008 06:14 PM 44,697 KB890046.log
03/31/2008 06:14 PM 44,839 KB932168.log
03/31/2008 06:14 PM 43,426 KB931261.log
03/31/2008 06:13 PM 44,318 KB930178.log
03/31/2008 06:13 PM 45,374 KB931784.log
03/31/2008 06:13 PM 833 OEWABLog.txt
03/31/2008 06:13 PM 44,895 KB925902.log
03/31/2008 06:13 PM 807,854 setuplog.txt
03/31/2008 06:13 PM 42,905 KB926436.log
03/31/2008 06:13 PM 43,112 KB918118.log
03/31/2008 06:13 PM 43,447 KB927779.log
03/31/2008 06:13 PM 38,270 KB924667.log
03/31/2008 06:13 PM 40,237 KB927802.log
03/31/2008 06:13 PM 40,233 KB928843.log
03/31/2008 06:13 PM 41,313 KB928255.log
03/31/2008 06:12 PM 40,020 KB926255.log
03/31/2008 06:12 PM 40,108 KB923980.log
03/31/2008 06:12 PM 39,940 KB924270.log
03/31/2008 06:12 PM 38,728 KB922819.log
03/31/2008 06:12 PM 34,477 KB923191.log
03/31/2008 06:12 PM 36,580 KB924496.log
03/31/2008 06:12 PM 36,070 KB923414.log
03/31/2008 06:12 PM 37,678 KB920872.log
03/31/2008 06:12 PM 35,927 KB920685.log
03/31/2008 06:12 PM 36,080 KB919007.log
03/31/2008 06:11 PM 36,031 KB916595.log
03/31/2008 06:11 PM 28,383 KB922582.log
03/31/2008 06:11 PM 33,948 KB920683.log
03/31/2008 06:11 PM 32,426 KB920670.log
03/31/2008 06:11 PM 32,957 KB914388.log
03/31/2008 06:11 PM 31,037 KB911280.log
03/31/2008 06:11 PM 32,884 KB913580.log
03/31/2008 06:11 PM 31,220 KB918439.log
03/31/2008 06:11 PM 31,916 KB917344.log
03/31/2008 06:11 PM 31,533 KB914389.log
03/31/2008 06:10 PM 31,657 KB908531.log
03/31/2008 06:10 PM 31,637 KB900485.log
03/31/2008 06:10 PM 30,822 KB911562.log
03/31/2008 06:10 PM 18,719 KB911564.log
03/31/2008 06:10 PM 8,192 REGLOCS.OLD
03/31/2008 06:10 PM 30,153 KB911927.log
03/31/2008 06:10 PM 29,523 KB908519.log
03/31/2008 06:10 PM 23,753 KB910437.log
03/31/2008 06:10 PM 30,450 KB900725.log
03/31/2008 06:10 PM 27,925 KB905749.log
03/31/2008 06:09 PM 27,401 KB905414.log
03/31/2008 06:09 PM 26,587 KB901017.log
03/31/2008 06:09 PM 31,752 KB902400.log
03/31/2008 06:09 PM 23,053 KB894391.log
03/31/2008 06:09 PM 21,209 KB896423.log
03/31/2008 06:09 PM 20,697 KB899587.log
03/31/2008 06:09 PM 20,197 KB899591.log
03/31/2008 06:09 PM 20,061 KB893756.log
03/31/2008 06:09 PM 20,215 KB896358.log
03/31/2008 06:09 PM 22,124 KB890859.log
03/31/2008 06:08 PM 21,324 KB901214.log
03/31/2008 06:08 PM 21,135 KB896428.log
03/31/2008 06:08 PM 21,510 KB885835.log
03/31/2008 06:08 PM 20,108 KB891781.log
03/31/2008 06:08 PM 20,019 KB887472.log
03/31/2008 06:08 PM 20,098 KB888302.log
03/31/2008 06:08 PM 19,661 KB885836.log
03/31/2008 06:08 PM 12,255 KB886185.log
03/31/2008 06:08 PM 19,649 KB873339.log
03/31/2008 06:07 PM 0 control.ini
03/31/2008 06:06 PM 4,161 ODBCINST.INI
03/31/2008 06:06 PM 749 WindowsShell.Manifest
03/31/2008 06:04 PM 1,022 sessmgr.setup.log
03/31/2008 06:04 PM 36 vb.ini
03/31/2008 06:04 PM 37 vbaddin.ini
03/31/2008 06:03 PM 133 DtcInstall.log
03/31/2008 06:02 PM 200 cmsetacl.log
03/31/2008 05:53 PM 7,880 KB892130.log
03/31/2008 05:53 PM 9,477 KB898461.log
03/31/2008 05:53 PM 9,365 KB893803v2.log
03/31/2008 05:44 PM 0 vpc32.INI
03/31/2008 01:01 PM 0 Sti_Trace.log
03/31/2008 12:59 PM 1,052 regopt.log
03/31/2008 12:58 PM 0 setuperr.log
03/03/2008 08:29 PM 761,856 gmer.exe
01/09/2008 03:01 PM 453 bdoscandellang.ini
01/09/2008 03:01 PM 53,248 bdoscandel.exe
06/13/2007 06:23 AM 1,033,216 explorer.exe
05/26/2005 07:22 PM 10,752 hh.exe
08/04/2004 12:56 AM 283,648 winhlp32.exe
08/04/2004 12:56 AM 69,120 NOTEPAD.EXE
08/04/2004 12:56 AM 146,432 regedit.exe
08/04/2004 12:56 AM 50,688 twain_32.dll
04/26/2002 12:27 PM 368,640 SynCor.exe
04/26/2002 12:27 PM 962,560 SynthCoreA.Dll
08/23/2001 08:00 AM 707 _default.pif
08/23/2001 08:00 AM 48,680 winnt.bmp
08/23/2001 08:00 AM 48,680 winnt256.bmp
08/23/2001 08:00 AM 16,730 FeatherTexture.bmp
08/23/2001 08:00 AM 80 explorer.scf
08/23/2001 08:00 AM 17,336 Gone Fishing.bmp
08/23/2001 08:00 AM 15,360 TASKMAN.EXE
08/23/2001 08:00 AM 65,954 Prairie Wind.bmp
08/23/2001 08:00 AM 94,784 twain.dll
08/23/2001 08:00 AM 26,582 Greenstone.bmp
08/23/2001 08:00 AM 49,680 twunk_16.exe
08/23/2001 08:00 AM 25,600 twunk_32.exe
08/23/2001 08:00 AM 2 desktop.ini
08/23/2001 08:00 AM 1,405 msdfmap.ini
08/23/2001 08:00 AM 65,832 Santa Fe Stucco.bmp
08/23/2001 08:00 AM 256,192 winhelp.exe
08/23/2001 08:00 AM 18,944 vmmreg32.dll
08/23/2001 08:00 AM 26,680 River Sumida.bmp
08/23/2001 08:00 AM 17,362 Rhododendron.bmp
08/23/2001 08:00 AM 17,062 Coffee Bean.bmp
08/23/2001 08:00 AM 9,522 Zapotec.bmp
08/23/2001 08:00 AM 82,944 clock.avi
08/23/2001 08:00 AM 65,978 Soap Bubbles.bmp
08/23/2001 08:00 AM 1,272 Blue Lace 16.bmp
08/31/2000 08:00 AM 49,152 VFind.exe
08/31/2000 08:00 AM 212,480 swxcacls.exe
08/31/2000 08:00 AM 161,792 swreg.exe
08/31/2000 08:00 AM 73,728 fdsv.exe
08/31/2000 08:00 AM 98,816 sed.exe
08/31/2000 08:00 AM 80,412 grep.exe
08/31/2000 08:00 AM 28,160 Nircmd.exe
08/31/2000 08:00 AM 68,096 zip.exe
08/31/2000 08:00 AM 136,704 swsc.exe
203 File(s) 17,225,667 bytes
0 Dir(s) 115,402,350,592 bytes free
Volume in drive C has no label.
Volume Serial Number is B89F-24A4

Directory of C:\WINDOWS\System32

04/08/2008 08:01 PM 263,311 TENUBJlm.ini
04/08/2008 07:59 PM 263,295 TENUBJlm.ini2
04/08/2008 07:41 PM 91,712 advusbpa.dll
04/08/2008 07:38 PM 705,369 hyiswklr.ini
04/08/2008 07:38 PM 83,520 rlkwsiyh.dll
04/08/2008 07:32 PM 3,648 qvajcqgi.dll
04/08/2008 07:30 PM 88,640 lgmpoipb.dll
04/08/2008 07:29 PM 269,824 mlJBUNET.dll
04/08/2008 07:24 PM 38,912 rqRKcyyy.dll
04/08/2008 07:22 PM 270,486 RqXGOqru.ini
04/08/2008 07:22 PM 270,470 RqXGOqru.ini2
04/08/2008 06:20 PM 705,378 pfmsjnkb.ini
04/08/2008 05:54 PM 91,712 wegjosbd.dll
04/08/2008 05:51 PM 3,648 vxpclcwk.dll
04/08/2008 05:44 PM 38,912 yayaXoMg.dll
04/08/2008 11:29 AM 3,648 vebwsuan.dll
04/06/2008 08:40 PM 16,384 restart.exe
04/06/2008 08:40 PM 53,248 process.exe
04/06/2008 08:40 PM 90,112 regdacl.exe
04/06/2008 08:40 PM 4,096 reboot.exe
04/01/2008 04:10 PM 137,256 FNTCACHE.DAT
03/31/2008 07:01 PM 4,912 lvcoinst.log
03/31/2008 06:55 PM 2,206 wpa.dbl
03/31/2008 06:37 PM 311,934 perfh009.dat
03/31/2008 06:37 PM 40,196 perfc009.dat
03/31/2008 06:37 PM 356,120 PerfStringBackup.INI
03/31/2008 06:24 PM 138,978 TZLog.log
03/31/2008 06:09 PM 386 $winnt$.inf
03/31/2008 06:07 PM 2,577 CONFIG.NT
03/31/2008 06:06 PM 16,832 amcompat.tlb
03/31/2008 06:06 PM 23,392 nscompat.tlb
03/31/2008 06:06 PM 488 WindowsLogon.manifest
03/31/2008 06:06 PM 488 logonui.exe.manifest
03/31/2008 06:06 PM 749 sapi.cpl.manifest
03/31/2008 06:06 PM 749 wuaucpl.cpl.manifest
03/31/2008 06:06 PM 749 ncpa.cpl.manifest
03/31/2008 06:06 PM 749 cdplayer.exe.manifest
03/31/2008 06:06 PM 749 nwc.cpl.manifest
03/31/2008 06:04 PM 21,640 emptyregdb.dat
03/31/2008 01:02 PM 0 h323log.txt
03/29/2008 10:47 AM 236,032 WgaTray.exe
03/21/2008 08:44 AM 1,488,688 LegitCheckControl.dll
03/20/2008 07:45 PM 200,064 WgaLogon.dll
01/11/2008 01:53 AM 44,544 pngfilt.dll
12/19/2007 07:01 PM 347,136 dxtmsft.dll
12/08/2007 11:51 AM 3,592,192 mshtml.dll
12/06/2007 10:21 PM 193,024 msrating.dll
12/06/2007 10:21 PM 671,232 mstime.dll
12/06/2007 10:21 PM 233,472 webcheck.dll
12/06/2007 10:21 PM 105,984 url.dll
12/06/2007 10:21 PM 1,159,680 urlmon.dll
12/06/2007 10:21 PM 824,832 wininet.dll
12/06/2007 10:21 PM 102,912 occache.dll
12/06/2007 10:21 PM 478,208 mshtmled.dll
12/06/2007 10:21 PM 52,224 msfeedsbs.dll
12/06/2007 10:21 PM 1,831,424 inetcpl.cpl
12/06/2007 10:21 PM 27,648 jsproxy.dll
12/06/2007 10:21 PM 459,264 msfeeds.dll
12/06/2007 10:21 PM 6,066,176 ieframe.dll
12/06/2007 10:21 PM 267,776 iertutil.dll
12/06/2007 10:21 PM 44,544 iernonce.dll
12/06/2007 10:21 PM 124,928 advpack.dll
12/06/2007 10:21 PM 383,488 ieapfltr.dll
12/06/2007 10:21 PM 63,488 icardie.dll
12/06/2007 10:21 PM 153,088 ieakeng.dll
12/06/2007 10:21 PM 230,400 ieaksie.dll
12/06/2007 10:21 PM 133,120 extmgr.dll
12/06/2007 10:21 PM 214,528 dxtrans.dll
12/06/2007 10:21 PM 384,512 iedkcs32.dll
12/06/2007 08:44 PM 474,112 shlwapi.dll
12/06/2007 08:44 PM 1,499,136 shdocvw.dll
12/06/2007 08:44 PM 1,054,208 danim.dll
12/06/2007 08:44 PM 151,040 cdfview.dll
12/06/2007 08:44 PM 1,024,000 browseui.dll
12/06/2007 07:00 AM 13,824 ieudinit.exe
12/06/2007 07:00 AM 70,656 ie4uinit.exe
12/06/2007 05:38 AM 350,720 xpsp3res.dll
12/06/2007 12:59 AM 161,792 ieakui.dll
12/04/2007 02:38 PM 550,912 oleaut32.dll
11/13/2007 07:31 AM 60,416 tzchange.exe
11/07/2007 05:26 AM 721,920 lsasrv.dll
10/29/2007 06:43 PM 1,287,680 quartz.dll
10/27/2007 06:39 PM 230,912 wmasf.dll
10/27/2007 06:37 PM 2,109,440 wmvcore.dll
10/25/2007 11:34 PM 8,460,288 shell32.dll
10/21/2007 06:51 PM 323,624 wiaaut.dll
10/21/2007 06:38 PM 516,832 capicom.dll
10/18/2007 11:31 AM 51,224 sirenacm.dll
10/11/2007 10:00 PM 465,432 LVUI2RC.dll
10/11/2007 10:00 PM 490,008 LVUI2.dll
10/11/2007 09:57 PM 195,096 lvci1150.dll
10/11/2007 09:57 PM 416,280 lvcodec2.dll
10/11/2007 09:18 PM 21,138 Repository.reg
10/11/2007 09:11 PM 59,500 lvcoinst.ini
10/11/2007 03:12 PM 1,468,968 legitcheckcontrol.dll.bak
08/21/2007 02:15 AM 683,520 inetcomm.dll
08/13/2007 07:54 PM 191,488 iepeers.dll
08/13/2007 07:54 PM 413,696 vbscript.dll
08/13/2007 07:54 PM 180,736 ieui.dll
08/13/2007 07:54 PM 156,160 msls31.dll
08/13/2007 07:45 PM 443,904 html.iec
08/13/2007 07:45 PM 78,336 ieencode.dll
08/13/2007 07:45 PM 206,336 WinFXDocObj.exe
08/13/2007 07:44 PM 40,960 licmgr10.dll
08/13/2007 07:39 PM 71,680 admparse.dll
08/13/2007 07:39 PM 55,296 iesetup.dll
08/13/2007 07:39 PM 92,672 inseng.dll
08/13/2007 07:38 PM 10,240 advpack.dll.mui
08/13/2007 07:38 PM 491,520 jscript.dll
08/13/2007 07:36 PM 12,288 msfeedssync.exe
08/13/2007 07:36 PM 36,352 imgutil.dll
08/13/2007 07:32 PM 45,568 mshta.exe
08/13/2007 07:32 PM 66,560 tdc.ocx
08/13/2007 07:06 PM 56,700 ieuinit.inf
08/13/2007 07:01 PM 48,128 mshtmler.dll
08/13/2007 06:50 PM 1,383,424 mshtml.tlb
07/30/2007 08:19 PM 203,096 wuweb.dll
07/30/2007 08:19 PM 1,712,984 wuaueng.dll
07/30/2007 08:19 PM 549,720 wuapi.dll
07/30/2007 08:19 PM 325,976 wucltui.dll
07/30/2007 08:19 PM 25,944 wuaucpl.cpl.mui
07/30/2007 08:19 PM 216,408 wuaucpl.cpl
07/30/2007 08:19 PM 92,504 cdm.dll
07/30/2007 08:19 PM 53,080 wuauclt.exe
07/30/2007 08:19 PM 43,352 wups2.dll
07/30/2007 08:19 PM 25,944 wuapi.dll.mui
07/30/2007 08:18 PM 34,136 wucltui.dll.mui
07/30/2007 08:18 PM 33,624 wups.dll
07/30/2007 08:18 PM 20,312 wuaueng.dll.mui
07/09/2007 09:09 AM 584,192 rpcrt4.dll
07/06/2007 08:46 AM 48,640 mqupgrd.dll
07/06/2007 08:46 AM 138,240 mqad.dll
07/06/2007 08:46 AM 95,744 mqsec.dll
07/06/2007 08:46 AM 47,104 mqdscli.dll
07/06/2007 08:46 AM 177,152 mqrt.dll
07/06/2007 08:46 AM 471,552 mqutil.dll
07/06/2007 08:46 AM 16,896 mqise.dll
07/06/2007 08:46 AM 660,992 mqqm.dll
06/26/2007 02:08 AM 1,104,896 msxml3.dll
06/19/2007 09:31 AM 282,112 gdi32.dll
04/30/2007 03:22 AM 4,734,976 wmp.dll
04/25/2007 10:21 AM 144,896 schannel.dll
04/18/2007 12:12 PM 2,854,400 msi.dll
04/17/2007 05:32 AM 2,455,488 ieapfltr.dat
04/16/2007 11:52 AM 984,576 kernel32.dll
03/17/2007 09:43 AM 292,864 winsrv.dll
03/08/2007 11:36 AM 40,960 mf3216.dll
03/08/2007 11:36 AM 577,536 user32.dll
03/08/2007 09:47 AM 1,843,584 win32k.sys
03/08/2007 01:10 AM 991,232 ieframe.dll.mui
02/28/2007 05:10 AM 2,180,352 ntoskrnl.exe
02/28/2007 04:38 AM 2,057,600 ntkrnlpa.exe
02/26/2007 08:20 PM 49,152 TempDel.EXE
02/05/2007 04:17 PM 185,344 upnphost.dll
01/23/2007 03:29 PM 546,304 hhctrl.ocx
12/19/2006 05:52 PM 134,656 shsvcs.dll
12/19/2006 02:16 PM 333,824 wiaservc.dll
12/10/2006 02:10 PM 14,640 spmsg.dll
11/27/2006 10:54 AM 433,152 riched20.dll
11/27/2006 10:54 AM 539,136 msftedit.dll
11/01/2006 03:17 PM 927,504 mfc40u.dll
10/26/2006 07:58 PM 30,512 mdimon.dll
10/26/2006 02:10 PM 1,190,688 FM20.DLL
10/26/2006 02:10 PM 33,088 FM20ENU.DLL
10/26/2006 01:45 PM 293,376 WISPTIS.EXE
10/26/2006 01:45 PM 207,360 INKED.DLL
10/19/2006 09:56 AM 713,216 sxs.dll
10/16/2006 12:15 PM 122,880 oledlg.dll
10/14/2006 04:13 AM 981,760 mfc42u.dll
10/13/2006 08:35 AM 64,000 nwapi32.dll
10/13/2006 08:35 AM 142,336 nwprovau.dll
10/13/2006 08:35 AM 65,536 nwwks.dll
09/27/2006 09:35 PM 83,752 pds.dll
09/27/2006 09:35 PM 46,896 msgsys.dll
09/27/2006 09:35 PM 83,752 nts.dll
09/27/2006 09:35 PM 83,696 loc32vc0.dll
09/27/2006 09:35 PM 34,600 cba.dll
09/27/2006 09:33 PM 43,760 NavLogon.dll
09/23/2006 02:12 PM 74,715 IE7Eula.rtf
09/18/2006 06:55 PM 48,816 S32EVNT1.DLL
09/06/2006 06:43 PM 22,752 spupdsvc.exe
09/01/2006 09:44 AM 8,798 icrav03.rat
09/01/2006 09:44 AM 1,988 ticrf.rat
08/25/2006 11:45 AM 617,472 comctl32.dll
08/22/2006 05:05 AM 498,742 dxmasf.dll
08/21/2006 10:52 AM 246,814 strmdll.dll
08/21/2006 08:21 AM 16,896 fltlib.dll
08/21/2006 05:14 AM 23,040 fltmc.exe
08/17/2006 08:28 AM 332,288 netapi32.dll
08/17/2006 08:28 AM 132,096 wkssvc.dll
08/16/2006 07:58 AM 100,352 6to4svc.dll
08/07/2006 05:02 PM 534,208 SymNeti.dll
08/07/2006 05:02 PM 161,472 SymRedir.dll
07/24/2006 10:50 AM 47,920 VBAME.DLL
07/24/2006 10:50 AM 39,728 SCP32.DLL
07/24/2006 10:50 AM 125,744 MSSTDFMT.DLL
07/21/2006 04:24 AM 72,704 hlink.dll
07/14/2006 11:51 AM 121,856 xmllite.dll
06/29/2006 09:05 AM 23,552 normaliz.dll
06/29/2006 09:05 AM 26,112 idndl.dll
06/28/2006 06:59 PM 24,576 nlsdl.dll
06/26/2006 01:37 PM 148,480 dnsapi.dll
06/26/2006 01:37 PM 8,192 rasadhlp.dll
06/22/2006 06:47 AM 181,248 rasmans.dll
06/22/2006 01:06 AM 1,435,648 query.dll
06/22/2006 01:06 AM 69,120 ciodm.dll
06/08/2006 01:06 PM 60,294 normnfkd.nls
06/08/2006 01:06 PM 45,794 normnfc.nls
06/08/2006 01:06 PM 59,342 normidna.nls
06/08/2006 01:06 PM 66,384 normnfkc.nls
06/08/2006 01:06 PM 39,284 normnfd.nls
06/01/2006 02:47 PM 163,840 jgdw400.dll
06/01/2006 02:47 PM 27,648 jgpl400.dll
05/19/2006 08:59 AM 111,616 dhcpcsvc.dll
05/19/2006 08:59 AM 94,720 iphlpapi.dll
03/24/2006 12:37 AM 49,152 wdigest.dll
03/16/2006 08:38 PM 28,672 verclsid.exe
03/01/2006 03:42 PM 91,136 mtxoci.dll
03/01/2006 03:42 PM 11,776 xolehlp.dll
03/01/2006 03:42 PM 161,280 msdtcuiu.dll
03/01/2006 03:42 PM 66,560 mtxclu.dll
03/01/2006 03:42 PM 956,416 msdtctm.dll
03/01/2006 03:42 PM 426,496 msdtcprx.dll
01/03/2006 11:35 PM 68,096 webclnt.dll
10/20/2005 06:20 PM 1,082,368 esent.dll
10/17/2005 05:14 PM 118,272 t2embed.dll
10/17/2005 05:14 PM 80,896 fontsub.dll
09/09/2005 09:53 PM 2,067,968 cdosys.dll
08/31/2005 09:41 PM 19,968 linkinfo.dll
08/22/2005 11:35 PM 123,392 umpnpmgr.dll
08/22/2005 02:29 PM 197,632 netman.dll
07/26/2005 12:39 AM 397,824 rpcss.dll
07/26/2005 12:39 AM 101,376 txflog.dll
07/26/2005 12:39 AM 37,888 olecnv32.dll
07/26/2005 12:39 AM 74,752 olecli32.dll
07/26/2005 12:39 AM 1,285,120 ole32.dll
07/26/2005 12:39 AM 540,160 comuid.dll
07/26/2005 12:39 AM 243,200 es.dll
07/26/2005 12:39 AM 97,792 comrepl.dll
07/26/2005 12:39 AM 1,267,200 comsvcs.dll
07/26/2005 12:39 AM 625,152 catsrvut.dll
07/26/2005 12:39 AM 110,080 clbcatex.dll
07/26/2005 12:39 AM 60,416 colbact.dll
07/26/2005 12:39 AM 498,688 clbcatq.dll
07/26/2005 12:39 AM 225,792 catsrv.dll
07/08/2005 12:27 PM 249,344
  • 0

#104
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Sorry about that, Justine. Can you attach the FileList report, as it is too long and is easier that way?

Don't want to miss anything
  • 0

#105
justine123

justine123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
Sure, no problem.

Attached Files


  • 0
