Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Need Help with Virtumonde

Started by justine123 , Apr 02 2008 05:21 PM

This topic is locked

#106
Rorschach112

Posted 08 April 2008 - 06:36 PM

Ralphie

Retired Staff
47,710 posts

That was a bit of an eye sore

Please don't run any scans by yourself as it may change the current infections file paths and make this tougher

Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

* Click on the Start Button, Click Search
Click "All Files and Folders"
Click "Advanced Options", put a check next to the following:
Search System Folders
Search Hidden Files And Folders
Search Subfolders

Next copy and paste the following entries into the search box(one at a time):

goclkhbm

Click Search, let it run.

Tell me if it is found and where it is located

Download RegSearch to your desktop and unzip it to it's own folder there

Double click RegSearch.exe. Under "Enter Search Strings" paste in the following in bold only goclkhbm

Click Ok and let it run. A log will pop up when it is done, copy and paste that log in your next reply

Let me know if you had any trouble

Edited by Rorschach112, 08 April 2008 - 06:37 PM.

#107
justine123

Posted 08 April 2008 - 07:17 PM

Member

Topic Starter
Member
82 posts

When I searched from the start panel, it could not find "goclkhbm".

Here is the log from RegSearch:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 4/8/2008 9:15:48 PM for strings:
; 'goclkhbm'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="goclkhbm"

; End Of The Log...

Thank you.

#108
Rorschach112

Posted 09 April 2008 - 05:40 AM

Ralphie

Retired Staff
47,710 posts

Hello

Please run IceSword.exe

Step 1 : Now, we have to delete the rooted registry values. Click the Registry button. This will display a regedit type interface. Navigate to the following registry values in bold and delete them.

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="goclkhbm"

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\BMbbac1797.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\goclkhbm.sys
C:\WINDOWS\System32\TENUBJlm.ini
C:\WINDOWS\System32\TENUBJlm.ini2
C:\WINDOWS\System32\advusbpa.dll
C:\WINDOWS\System32\hyiswklr.ini
C:\WINDOWS\System32\rlkwsiyh.dll
C:\WINDOWS\System32\qvajcqgi.dll
C:\WINDOWS\System32\lgmpoipb.dll
C:\WINDOWS\System32\mlJBUNET.dll
C:\WINDOWS\System32\rqRKcyyy.dll
C:\WINDOWS\System32\RqXGOqru.ini
C:\WINDOWS\System32\RqXGOqru.ini2
C:\WINDOWS\System32\pfmsjnkb.ini
C:\WINDOWS\System32\wegjosbd.dll
C:\WINDOWS\System32\vxpclcwk.dll
C:\WINDOWS\System32\yayaXoMg.dll
C:\WINDOWS\System32\vebwsuan.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf
C:\WINDOWS\Prefetch\WINRAR.EXE-39C6DAD9.pf
C:\WINDOWS\Prefetch\GMER.EXE-2FE9DA2B.pf
C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf
C:\WINDOWS\Prefetch\WISPTIS.EXE-0C21B942.pf
C:\WINDOWS\Prefetch\FIREFOX.EXE-28641590.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2BAE323A.pf
C:\WINDOWS\Prefetch\WLLOGINPROXY.EXE-1781D844.pf
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf
C:\WINDOWS\Prefetch\WINWORD.EXE-07381162.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-46B5CAFA.pf
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-19972BA4.pf
C:\WINDOWS\Prefetch\USNSVC.EXE-2DF2835C.pf
C:\WINDOWS\Prefetch\LULNCHR.EXE-1D2DBDC8.pf
C:\WINDOWS\Prefetch\LOGITECHUPDATE.EXE-2FAF519E.pf
C:\WINDOWS\Prefetch\NOTEPAD.EXE-189578DA.pf
C:\WINDOWS\Prefetch\FIND.EXE-0EC32F1E.pf
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
C:\WINDOWS\Prefetch\CSCRIPT.EXE-1C26180C.pf
C:\WINDOWS\Prefetch\SWREG.EXE-05BAA356.pf
C:\WINDOWS\Prefetch\SED.EXE-37719B90.pf
C:\WINDOWS\Prefetch\FINDSTR.EXE-0CA6274B.pf
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
C:\WINDOWS\Prefetch\COCIMANAGER.EXE-2464DE0A.pf
C:\WINDOWS\Prefetch\JENNYZ~1.EXE-158330FD.pf
C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf
C:\WINDOWS\Prefetch\LVCOMSER.EXE-33BC6B21.pf
C:\WINDOWS\Prefetch\WGATRAY.EXE-0ED38BED.pf
C:\WINDOWS\Prefetch\WGATRAY.EXE-02141F53.pf
C:\WINDOWS\Prefetch\TORRLC~1.EXE-0BD220C7.pf
C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf
C:\WINDOWS\Prefetch\DSS.EXE-35B6A986.pf
C:\WINDOWS\Prefetch\CCEVTMGR.EXE-24B7A008.pf
C:\WINDOWS\Prefetch\ULCDRSVR.EXE-1D40A77D.pf
C:\WINDOWS\Prefetch\RTVSCAN.EXE-1D887DCC.pf
C:\WINDOWS\Prefetch\SPBBCSVC.EXE-01674B3B.pf
C:\WINDOWS\Prefetch\MDM.EXE-222A1FD1.pf
C:\WINDOWS\Prefetch\SRVLNCH.EXE-02CACF76.pf
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf
C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf
C:\WINDOWS\Prefetch\AVENGER.EXE-2CD7A14D.pf
C:\WINDOWS\Prefetch\MSNMSGR.EXE-030AB647.pf
C:\WINDOWS\Prefetch\layout.ini
C:\WINDOWS\Prefetch\WSCRIPT.EXE-32960AB9.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-37EFE1A2.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1677B455.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3C2E0C9D.pf
C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf
C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2425235C.pf
C:\WINDOWS\Prefetch\OFFLB.EXE-3449130C.pf
C:\WINDOWS\Prefetch\MBAM.EXE-0BEE0439.pf
C:\WINDOWS\Prefetch\AVGAS.EXE-27525987.pf
C:\WINDOWS\Prefetch\SSUPDATE.EXE-216506EC.pf
C:\WINDOWS\Prefetch\SUPERANTISPYWARE.EXE-07994D9B.pf
C:\WINDOWS\Prefetch\WFCPUUSE.EXE-00967CC7.pf
C:\WINDOWS\Prefetch\SNDVOL32.EXE-383480B7.pf
C:\WINDOWS\Prefetch\WFTV.EXE-19C66946.pf
C:\WINDOWS\Prefetch\VFIND.CFEXE-2033727F.pf
C:\WINDOWS\Prefetch\SWREG.CFEXE-2BF4FFCD.pf
C:\WINDOWS\Prefetch\SED.CFEXE-268D7E58.pf
C:\WINDOWS\Prefetch\PV.CFEXE-0E6F2701.pf
C:\WINDOWS\Prefetch\NIRCMD.CFEXE-19FF4781.pf
C:\WINDOWS\Prefetch\SORT.EXE-194AE83C.pf
C:\WINDOWS\Prefetch\GREP.CFEXE-20443039.pf
C:\WINDOWS\Prefetch\SWREG.CFEXE-287CC9EF.pf
C:\WINDOWS\Prefetch\NIRCMD.COM-223F42C3.pf
C:\WINDOWS\Prefetch\CF1551.EXE-0C40DD1F.pf
C:\WINDOWS\TEMP\LVCOMSX.LOG
C:\WINDOWS\TEMP\removalfile.bat
C:\WINDOWS\TEMP\WGAErrLog.txt
C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\LVCOMSX.LOG
C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\appdata.xml
C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\callingapps.xml
C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\~DFAD89.tmp
C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\SSUPDATE.EXE

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log by using Add/Reply

Let me know if you had any problems

#109
justine123

Posted 09 April 2008 - 12:51 PM

Member

Topic Starter
Member
82 posts

When the computer restarted, it said there was an error with the following:
C:\WINDOWS\system32\rlkwsiyh.dll
C:\WINDOWS\system32/lgmpoipb.dll

Here's the avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\BMbbac1797.txt" deleted successfully.
File "C:\WINDOWS\pskt.ini" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\goclkhbm.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\goclkhbm.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\System32\TENUBJlm.ini" deleted successfully.
File "C:\WINDOWS\System32\TENUBJlm.ini2" deleted successfully.
File "C:\WINDOWS\System32\advusbpa.dll" deleted successfully.
File "C:\WINDOWS\System32\hyiswklr.ini" deleted successfully.
File "C:\WINDOWS\System32\rlkwsiyh.dll" deleted successfully.
File "C:\WINDOWS\System32\qvajcqgi.dll" deleted successfully.
File "C:\WINDOWS\System32\lgmpoipb.dll" deleted successfully.
File "C:\WINDOWS\System32\mlJBUNET.dll" deleted successfully.
File "C:\WINDOWS\System32\rqRKcyyy.dll" deleted successfully.
File "C:\WINDOWS\System32\RqXGOqru.ini" deleted successfully.
File "C:\WINDOWS\System32\RqXGOqru.ini2" deleted successfully.
File "C:\WINDOWS\System32\pfmsjnkb.ini" deleted successfully.
File "C:\WINDOWS\System32\wegjosbd.dll" deleted successfully.
File "C:\WINDOWS\System32\vxpclcwk.dll" deleted successfully.
File "C:\WINDOWS\System32\yayaXoMg.dll" deleted successfully.
File "C:\WINDOWS\System32\vebwsuan.dll" deleted successfully.
File "C:\WINDOWS\cookies.ini" deleted successfully.
File "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WINRAR.EXE-39C6DAD9.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\GMER.EXE-2FE9DA2B.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WISPTIS.EXE-0C21B942.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\FIREFOX.EXE-28641590.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2BAE323A.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WLLOGINPROXY.EXE-1781D844.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WINWORD.EXE-07381162.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\RUNDLL32.EXE-46B5CAFA.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\RUNDLL32.EXE-19972BA4.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\USNSVC.EXE-2DF2835C.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\LULNCHR.EXE-1D2DBDC8.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\LOGITECHUPDATE.EXE-2FAF519E.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\NOTEPAD.EXE-189578DA.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\FIND.EXE-0EC32F1E.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\CSCRIPT.EXE-1C26180C.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SWREG.EXE-05BAA356.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SED.EXE-37719B90.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\FINDSTR.EXE-0CA6274B.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\COCIMANAGER.EXE-2464DE0A.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\JENNYZ~1.EXE-158330FD.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\LVCOMSER.EXE-33BC6B21.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WGATRAY.EXE-0ED38BED.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WGATRAY.EXE-02141F53.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\TORRLC~1.EXE-0BD220C7.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\DSS.EXE-35B6A986.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\CCEVTMGR.EXE-24B7A008.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\ULCDRSVR.EXE-1D40A77D.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\RTVSCAN.EXE-1D887DCC.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SPBBCSVC.EXE-01674B3B.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\MDM.EXE-222A1FD1.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SRVLNCH.EXE-02CACF76.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\AVENGER.EXE-2CD7A14D.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\MSNMSGR.EXE-030AB647.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\layout.ini" deleted successfully.
File "C:\WINDOWS\Prefetch\WSCRIPT.EXE-32960AB9.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\RUNDLL32.EXE-37EFE1A2.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\RUNDLL32.EXE-1677B455.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\RUNDLL32.EXE-3C2E0C9D.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2425235C.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\OFFLB.EXE-3449130C.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\MBAM.EXE-0BEE0439.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\AVGAS.EXE-27525987.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SSUPDATE.EXE-216506EC.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SUPERANTISPYWARE.EXE-07994D9B.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WFCPUUSE.EXE-00967CC7.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SNDVOL32.EXE-383480B7.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\WFTV.EXE-19C66946.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\VFIND.CFEXE-2033727F.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SWREG.CFEXE-2BF4FFCD.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SED.CFEXE-268D7E58.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\PV.CFEXE-0E6F2701.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\NIRCMD.CFEXE-19FF4781.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SORT.EXE-194AE83C.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\GREP.CFEXE-20443039.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\SWREG.CFEXE-287CC9EF.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\NIRCMD.COM-223F42C3.pf" deleted successfully.
File "C:\WINDOWS\Prefetch\CF1551.EXE-0C40DD1F.pf" deleted successfully.
File "C:\WINDOWS\TEMP\LVCOMSX.LOG" deleted successfully.
File "C:\WINDOWS\TEMP\removalfile.bat" deleted successfully.
File "C:\WINDOWS\TEMP\WGAErrLog.txt" deleted successfully.
File "C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\LVCOMSX.LOG" deleted successfully.
File "C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\appdata.xml" deleted successfully.
File "C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\callingapps.xml" deleted successfully.
File "C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\~DFAD89.tmp" deleted successfully.
File "C:\DOCUME~1\JENNYZ~1\LOCALS~1\Temp\SSUPDATE.EXE" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

And here's the DSS log:

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-09 14:50:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:08 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB} - C:\WINDOWS\system32\byXOggGw.dll
O2 - BHO: {12116f6f-0e18-30f8-e4b4-b7a51af1c4de} - {ed4c1fa1-5a7b-4b4e-8f03-81e0f6f61121} - C:\WINDOWS\system32\advusbpa.dll (file missing)
O2 - BHO: (no name) - {FC51A049-DE20-404B-922B-6EEA18F7999C} - C:\WINDOWS\system32\mlJBUNET.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [b89f240b] rundll32.exe "C:\WINDOWS\system32\rlkwsiyh.dll",b
O4 - HKLM\..\Run: [BMbbac1797] Rundll32.exe "C:\WINDOWS\system32\lgmpoipb.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: byXOggGw - C:\WINDOWS\SYSTEM32\byXOggGw.dll
O20 - Winlogon Notify: rqRKcyyy - rqRKcyyy.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7197 bytes

-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 14:49:05 38912 --a------ C:\WINDOWS\system32\byXOggGw.dll
2008-04-09 14:35:32 38912 --a------ C:\WINDOWS\system32\hgGywVMG.dll
2008-04-08 18:01:56 0 d-------- C:\WINDOWS\BDOSCAN8
2008-04-08 11:21:36 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-07 20:33:42 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-07 09:07:20 0 d-------- C:\WINDOWS\ERUNT
2008-04-06 18:19:00 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-06 18:01:09 16384 --a------ C:\WINDOWS\system32\restart.exe <Not Verified; WareSoft Software; restart>
2008-04-06 18:01:09 0 d-------- C:\WINDOWS\system32\regdacl
2008-04-06 18:01:09 90112 --a------ C:\WINDOWS\system32\regdacl.exe <Not Verified; Frank Heyne Software; RegTools>
2008-04-06 18:01:09 4096 --a------ C:\WINDOWS\system32\reboot.exe
2008-04-06 18:01:09 53248 --a------ C:\WINDOWS\system32\process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 10:55:53 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Malwarebytes
2008-04-06 10:55:48 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 10:55:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 18:04:13 0 d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-05 12:07:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-05 12:07:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-05 12:07:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-05 12:07:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-05 12:07:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-05 12:07:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-05 12:07:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-05 12:07:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 19:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 19:41:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 --a------ C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 2097152 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins

-- Find3M Report ---------------------------------------------------------------

2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini
2008-01-09 15:01:48 53248 --a------ C:\WINDOWS\bdoscandel.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}]
04/09/2008 02:49 PM 38912 --a------ C:\WINDOWS\system32\byXOggGw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ed4c1fa1-5a7b-4b4e-8f03-81e0f6f61121}]
C:\WINDOWS\system32\advusbpa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC51A049-DE20-404B-922B-6EEA18F7999C}]
C:\WINDOWS\system32\mlJBUNET.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"b89f240b"="C:\WINDOWS\system32\rlkwsiyh.dll" []
"BMbbac1797"="C:\WINDOWS\system32\lgmpoipb.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\byXOggGw.dll [04/09/2008 02:49 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOggGw]
byXOggGw.dll 04/09/2008 02:49 PM 38912 C:\WINDOWS\system32\byXOggGw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyyy]
rqRKcyyy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

-- End of Deckard's System Scanner: finished at 2008-04-09 14:51:08 ------------

Edited by justine123, 09 April 2008 - 12:52 PM.

#110
Rorschach112

Posted 09 April 2008 - 01:37 PM

Ralphie

Retired Staff
47,710 posts

Did you find and delete this registry value in bold

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="goclkhbm"

#111
justine123

Posted 09 April 2008 - 02:26 PM

Member

Topic Starter
Member
82 posts

Yes I did.

#112
Rorschach112

Posted 09 April 2008 - 02:42 PM

Ralphie

Retired Staff
47,710 posts

Ok lets give this a shot

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\byXOggGw.dll
C:\WINDOWS\system32\hgGywVMG.dll

Registry Keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed4c1fa1-5a7b-4b4e-8f03-81e0f6f61121}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC51A049-DE20-404B-922B-6EEA18F7999C}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOggGw
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyyy

Registry Values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | b89f240b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | BMbbac1797
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log by using Add/Reply

Edited by Rorschach112, 09 April 2008 - 02:43 PM.

#113
justine123

Posted 09 April 2008 - 02:48 PM

Member

Topic Starter
Member
82 posts

Hi, there was no problem running the script. No notices upon startup either. Here's the avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\byXOggGw.dll" deleted successfully.
File "C:\WINDOWS\system32\hgGywVMG.dll" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed4c1fa1-5a7b-4b4e-8f03-81e0f6f61121}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed4c1fa1-5a7b-4b4e-8f03-81e0f6f61121}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC51A049-DE20-404B-922B-6EEA18F7999C}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOggGw" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyyy" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b89f240b" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMbbac1797" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

And here's the DSS log:

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-09 16:46:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:21 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {14113d91-4aa6-d069-16d4-1bea322547ba} - {ab745223-aeb1-4d61-960d-6aa419d31141} - C:\WINDOWS\system32\qqjlvygc.dll
O2 - BHO: (no name) - {C070F876-E41A-4E4A-8FCB-2A12B36DD065} - C:\WINDOWS\system32\ssqqPGVN.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: jkkLFXno - C:\WINDOWS\SYSTEM32\jkkLFXno.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6893 bytes

-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 16:46:12 38912 --a------ C:\WINDOWS\system32\jkkLFXno.dll
2008-04-09 15:06:11 84544 --a------ C:\WINDOWS\system32\vatboehv.dll
2008-04-09 15:03:11 95808 --a------ C:\WINDOWS\system32\qqjlvygc.dll
2008-04-09 14:57:10 3648 --a------ C:\WINDOWS\system32\gsrgpjjq.dll
2008-04-09 14:54:49 89664 --a------ C:\WINDOWS\system32\bckgegsf.dll
2008-04-09 14:54:10 262245 --ahs---- C:\WINDOWS\system32\NVGPqqss.ini2
2008-04-09 14:54:08 270336 --a------ C:\WINDOWS\system32\ssqqPGVN.dll
2008-04-08 18:01:56 0 d-------- C:\WINDOWS\BDOSCAN8
2008-04-08 11:21:36 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-07 20:33:42 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-07 09:07:20 0 d-------- C:\WINDOWS\ERUNT
2008-04-06 18:19:00 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-06 18:01:09 16384 --a------ C:\WINDOWS\system32\restart.exe <Not Verified; WareSoft Software; restart>
2008-04-06 18:01:09 0 d-------- C:\WINDOWS\system32\regdacl
2008-04-06 18:01:09 90112 --a------ C:\WINDOWS\system32\regdacl.exe <Not Verified; Frank Heyne Software; RegTools>
2008-04-06 18:01:09 4096 --a------ C:\WINDOWS\system32\reboot.exe
2008-04-06 18:01:09 53248 --a------ C:\WINDOWS\system32\process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 10:55:53 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Malwarebytes
2008-04-06 10:55:48 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 10:55:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 18:04:13 0 d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-05 12:07:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-05 12:07:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-05 12:07:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-05 12:07:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-05 12:07:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-05 12:07:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-05 12:07:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-05 12:07:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 19:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 19:41:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 --a------ C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 2097152 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins

-- Find3M Report ---------------------------------------------------------------

2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini
2008-01-09 15:01:48 53248 --a------ C:\WINDOWS\bdoscandel.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab745223-aeb1-4d61-960d-6aa419d31141}]
04/09/2008 03:03 PM 95808 --a------ C:\WINDOWS\system32\qqjlvygc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C070F876-E41A-4E4A-8FCB-2A12B36DD065}]
04/09/2008 02:54 PM 270336 --a------ C:\WINDOWS\system32\ssqqPGVN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\jkkLFXno.dll [04/09/2008 04:46 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLFXno]
jkkLFXno.dll 04/09/2008 04:46 PM 38912 C:\WINDOWS\system32\jkkLFXno.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

-- End of Deckard's System Scanner: finished at 2008-04-09 16:47:24 ------------

#114
justine123

Posted 09 April 2008 - 02:49 PM

Member

Topic Starter
Member
82 posts

Whoops, I missed the added steps. I'll do it again.

#115
justine123

Posted 09 April 2008 - 03:02 PM

Member

Topic Starter
Member
82 posts

Here is the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\byXOggGw.dll" not found!
Deletion of file "C:\WINDOWS\system32\byXOggGw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\hgGywVMG.dll" not found!
Deletion of file "C:\WINDOWS\system32\hgGywVMG.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed4c1fa1-5a7b-4b4e-8f03-81e0f6f61121}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed4c1fa1-5a7b-4b4e-8f03-81e0f6f61121}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC51A049-DE20-404B-922B-6EEA18F7999C}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC51A049-DE20-404B-922B-6EEA18F7999C}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOggGw" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXOggGw" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyyy" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRKcyyy" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b89f240b"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b89f240b" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMbbac1797"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMbbac1797" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Here is the DSS log:

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-09 16:58:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:22 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {14113d91-4aa6-d069-16d4-1bea322547ba} - {ab745223-aeb1-4d61-960d-6aa419d31141} - C:\WINDOWS\system32\qqjlvygc.dll
O2 - BHO: (no name) - {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB} - C:\WINDOWS\system32\jkkLFXno.dll
O2 - BHO: (no name) - {FDE9CE7D-434D-4C3B-BCA5-6309F6BC1B2D} - C:\WINDOWS\system32\ssqqPGVN.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206999929953
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: jkkLFXno - C:\WINDOWS\SYSTEM32\jkkLFXno.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6886 bytes

-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-09 16:53:55 38912 --a------ C:\WINDOWS\system32\khfEVMFX.dll
2008-04-09 16:46:12 38912 --a------ C:\WINDOWS\system32\jkkLFXno.dll
2008-04-09 15:06:11 84544 --a------ C:\WINDOWS\system32\vatboehv.dll
2008-04-09 15:03:11 95808 --a------ C:\WINDOWS\system32\qqjlvygc.dll
2008-04-09 14:57:10 3648 --a------ C:\WINDOWS\system32\gsrgpjjq.dll
2008-04-09 14:54:49 89664 --a------ C:\WINDOWS\system32\bckgegsf.dll
2008-04-09 14:54:10 263415 --ahs---- C:\WINDOWS\system32\NVGPqqss.ini2
2008-04-09 14:54:08 270336 --a------ C:\WINDOWS\system32\ssqqPGVN.dll
2008-04-08 18:01:56 0 d-------- C:\WINDOWS\BDOSCAN8
2008-04-08 11:21:36 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-07 20:33:42 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-07 09:07:20 0 d-------- C:\WINDOWS\ERUNT
2008-04-06 18:19:00 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-06 18:01:09 16384 --a------ C:\WINDOWS\system32\restart.exe <Not Verified; WareSoft Software; restart>
2008-04-06 18:01:09 0 d-------- C:\WINDOWS\system32\regdacl
2008-04-06 18:01:09 90112 --a------ C:\WINDOWS\system32\regdacl.exe <Not Verified; Frank Heyne Software; RegTools>
2008-04-06 18:01:09 4096 --a------ C:\WINDOWS\system32\reboot.exe
2008-04-06 18:01:09 53248 --a------ C:\WINDOWS\system32\process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-06 10:55:53 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Malwarebytes
2008-04-06 10:55:48 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 10:55:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-05 18:04:13 0 d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-05 12:07:55 68096 --a------ C:\WINDOWS\zip.exe
2008-04-05 12:07:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-05 12:07:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-05 12:07:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-05 12:07:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-05 12:07:55 98816 --a------ C:\WINDOWS\sed.exe
2008-04-05 12:07:55 80412 --a------ C:\WINDOWS\grep.exe
2008-04-05 12:07:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 19:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-04 19:41:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 15:30:42 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\WinRAR
2008-04-02 23:33:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 23:32:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:24:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-02 19:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-02 18:39:45 0 d-------- C:\Program Files\Panda Security
2008-04-02 18:39:44 1859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38:15 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04:44 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 06:31:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37:27 0 d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34:44 0 d-------- C:\Program Files\Windows Live
2008-03-31 23:34:38 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:57:25 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Mozilla
2008-03-31 19:56:10 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54:55 49152 --a------ C:\WINDOWS\system32\TempDel.EXE <Not Verified; Leadtek Research Inc.; Leadtek Research Inc. TempDel>
2008-03-31 19:54:52 0 d-------- C:\WFDB
2008-03-31 19:54:49 9446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>
2008-03-31 19:54:46 0 d-------- C:\Program Files\WinFast
2008-03-31 19:54:42 0 d-------- C:\WinFast WorkArea
2008-03-31 19:46:23 9600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM XBar Crossbar Driver.>
2008-03-31 19:46:23 59776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Video Capture Driver.>
2008-03-31 19:46:23 19456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys <Not Verified; Leadtek Research Inc.; WinFast TV2000 XP WDM Tuner Driver.>
2008-03-31 19:32:29 0 d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28:36 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 19:27:05 0 dr-h----- C:\MSOCache
2008-03-31 18:59:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 18:58:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 18:58:31 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-03-31 18:58:29 0 d-------- C:\Program Files\Logitech
2008-03-31 18:58:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 18:55:44 204800 --a------ C:\WINDOWS\system32\SSRemove.exe <Not Verified; Samsung Electronics Co., Ltd.; DeleteFilesAfterReboot Application>
2008-03-31 18:55:23 40448 -----n--- C:\WINDOWS\system32\drivers\DGIVECP.SYS <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
2008-03-31 18:55:20 0 d-------- C:\WINDOWS\Samsung
2008-03-31 18:22:09 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-31 18:22:09 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-31 18:22:08 962560 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-31 18:22:08 368640 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-31 18:22:07 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Staccato Systems, Inc.; Staccato Systems, Inc. SynthCore11Resources>
2008-03-31 18:22:07 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:07 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-31 18:22:06 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-31 18:22:05 0 d-------- C:\WINDOWS\VirtualEar
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-31 18:22:03 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-31 18:22:03 0 d-------- C:\Program Files\Analog Devices
2008-03-31 18:21:25 0 d-------- C:\WINDOWS\network diagnostic
2008-03-31 18:20:25 0 d-------- C:\Program Files\Intel
2008-03-31 18:20:12 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-03-31 18:20:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 18:20:09 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-31 18:13:47 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Identities
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Templates
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Start Menu
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\SendTo
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Recent
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\PrintHood
2008-03-31 18:13:40 2097152 --ah----- C:\Documents and Settings\Jenny Zhao\NTUSER.DAT
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\NetHood
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\My Documents
2008-03-31 18:13:40 0 d--h----- C:\Documents and Settings\Jenny Zhao\Local Settings
2008-03-31 18:13:40 0 dr------- C:\Documents and Settings\Jenny Zhao\Favorites
2008-03-31 18:13:40 0 d-------- C:\Documents and Settings\Jenny Zhao\Desktop
2008-03-31 18:13:40 0 d--hs---- C:\Documents and Settings\Jenny Zhao\Cookies
2008-03-31 18:13:40 0 dr-h----- C:\Documents and Settings\Jenny Zhao\Application Data
2008-03-31 18:10:42 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-03-31 18:10:41 0 d-------- C:\WINDOWS\Prefetch
2008-03-31 18:10:40 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-03-31 18:10:40 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-03-31 18:10:40 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-03-31 18:10:40 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-03-31 18:10:40 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-03-31 18:10:40 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-03-31 18:10:33 225280 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-03-31 18:10:33 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-03-31 18:10:33 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-03-31 18:10:33 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-03-31 18:10:33 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-03-31 18:07:19 0 d-------- C:\WINDOWS\system32\xircom
2008-03-31 18:07:19 0 d-------- C:\Program Files\microsoft frontpage
2008-03-31 18:07:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-03-31 18:07:04 0 -rahs---- C:\MSDOS.SYS
2008-03-31 18:07:04 0 -rahs---- C:\IO.SYS
2008-03-31 18:07:04 0 --a------ C:\CONFIG.SYS
2008-03-31 18:07:04 0 --a------ C:\AUTOEXEC.BAT
2008-03-31 18:06:19 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-31 18:06:10 0 dr------- C:\WINDOWS\Offline Web Pages
2008-03-31 18:06:10 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-03-31 18:06:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-31 18:05:44 0 d-------- C:\WINDOWS\system32\DirectX
2008-03-31 18:05:03 0 d---s---- C:\WINDOWS\Tasks
2008-03-31 18:05:02 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\system32\Macromed
2008-03-31 18:04:58 0 d-------- C:\WINDOWS\srchasst
2008-03-31 18:04:49 0 d-------- C:\Program Files\Movie Maker
2008-03-31 18:04:41 0 d-------- C:\WINDOWS\system32\Restore
2008-03-31 18:04:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-31 18:03:58 0 d-------- C:\WINDOWS\Registration
2008-03-31 18:03:56 0 d-------- C:\Program Files\Online Services
2008-03-31 18:03:53 0 d-------- C:\Program Files\Messenger
2008-03-31 18:03:49 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-31 18:03:05 0 d-------- C:\Program Files\Windows NT
2008-03-31 18:03:01 0 d-------- C:\WINDOWS\system32\MsDtc
2008-03-31 18:02:59 0 d-------- C:\WINDOWS\system32\Com
2008-03-31 17:58:34 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Macromedia
2008-03-31 17:58:18 0 d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Adobe
2008-03-31 17:57:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-03-31 17:53:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-03-31 17:53:26 0 d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:46:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-03-31 17:45:14 0 d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:32:27 0 d-------- C:\WINDOWS\RegisteredPackages
2008-03-31 17:32:22 0 d-------- C:\Program Files\Symantec
2008-03-31 17:32:19 0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32:19 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 12:59:21 0 d--hs---- C:\WINDOWS\Installer
2008-03-31 12:59:21 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-31 12:59:18 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-31 12:59:17 0 dr------- C:\Program Files
2008-03-31 12:59:17 0 d-------- C:\Program Files\Common Files
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-31 12:58:54 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-31 12:58:54 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-03-31 12:58:54 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-31 12:58:54 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-31 12:58:54 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-31 12:58:40 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-31 12:58:35 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-31 12:58:35 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-03-31 12:58:13 0 d--hs---- C:\System Volume Information
2008-03-31 12:58:13 0 d-------- C:\Documents and Settings
2008-03-31 12:52:47 0 d-------- C:\WINDOWS\OemDir
2008-03-31 12:52:42 0 d-------- C:\WINDOWS
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\WinSxS
2008-03-31 12:52:42 0 dr------- C:\WINDOWS\Web
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\twain_32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wins
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\wbem
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\usmt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\spool
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ShellExt
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\Setup
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ras
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\oobe
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\npp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\inetsrv
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\IME
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\icsxml
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\ias
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\export
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-03-31 12:52:42 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\dhcp
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\3076
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\2052
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1054
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1042
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1041
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1037
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1033
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1031
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1028
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system32\1025
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\system
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\security
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Resources
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\repair
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Provisioning
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\PeerNet
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\pchealth
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\mui
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msapps
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\msagent
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Media
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\java
2008-03-31 12:52:42 0 d--h----- C:\WINDOWS\inf
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ime
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Help
2008-03-31 12:52:42 0 dr--s---- C:\WINDOWS\Fonts
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\ehome
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Driver Cache
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Debug
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Cursors
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Connection Wizard
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\Config
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\AppPatch
2008-03-31 12:52:42 0 d-------- C:\WINDOWS\addins

-- Find3M Report ---------------------------------------------------------------

2008-03-31 12:58:54 62 --ahs---- C:\Documents and Settings\Jenny Zhao\Application Data\desktop.ini
2008-01-09 15:01:48 53248 --a------ C:\WINDOWS\bdoscandel.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab745223-aeb1-4d61-960d-6aa419d31141}]
04/09/2008 03:03 PM 95808 --a------ C:\WINDOWS\system32\qqjlvygc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}]
04/09/2008 04:46 PM 38912 --a------ C:\WINDOWS\system32\jkkLFXno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDE9CE7D-434D-4C3B-BCA5-6309F6BC1B2D}]
04/09/2008 02:54 PM 270336 --a------ C:\WINDOWS\system32\ssqqPGVN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [03/19/2002 12:01 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 08:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 09:33 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [10/18/2007 01:47 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\jkkLFXno.dll [04/09/2008 04:46 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 04/02/2008 07:24 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLFXno]
jkkLFXno.dll 04/09/2008 04:46 PM 38912 C:\WINDOWS\system32\jkkLFXno.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

-- End of Deckard's System Scanner: finished at 2008-04-09 16:59:22 ------------

#116
Rorschach112

Posted 09 April 2008 - 03:05 PM

Ralphie

Retired Staff
47,710 posts

Hello

I need you to do this for the time being while I try come up with a new idea

Follow the steps in this link to install the Recovery Console

http://www.bleepingc...utorial117.html

Just install it, reboot and tell me when you have done that

#117
justine123

Posted 09 April 2008 - 04:03 PM

Member

Topic Starter
Member
82 posts

Hi. I have a slight problem. My brother helped me install Windows XP, but he moved out of the country and I can't reach him at the moment, nor do I know where the Windows XP CD is. I will ask him the first chance I get, but in the meantime, is there anyway around this?

#118
Rorschach112

Posted 09 April 2008 - 04:41 PM

Ralphie

Retired Staff
47,710 posts

Yes, lets leave that for the time being. It is just a backup in case anything goes wrong.

Do this

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Sysrst::

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Also can you tell me, are you plugging in a USB key or external drive when you reboot ? Or anything like that

Edited by Rorschach112, 09 April 2008 - 04:41 PM.

#119
justine123

Posted 09 April 2008 - 05:13 PM

Member

Topic Starter
Member
82 posts

Hi, I have an external drive that's plugged in, but the power is off. Would you like me to unplug it or turn it on in case the malware is there? I also have a USB key with some files, but not plugged in.

Here is the CF log:

ComboFix 08-04-07.5 - Jenny Zhao 2008-04-09 18:55:20.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.571 [GMT -4:00]
Running from: C:\Documents and Settings\Jenny Zhao\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jenny Zhao\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbbac1797.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bckgegsf.dll
C:\WINDOWS\system32\jkkLFXno.dll
C:\WINDOWS\system32\khfEVMFX.dll
C:\WINDOWS\system32\NVGPqqss.ini
C:\WINDOWS\system32\NVGPqqss.ini2
C:\WINDOWS\system32\qqjlvygc.dll
C:\WINDOWS\system32\ssqqPGVN.dll
C:\WINDOWS\system32\vatboehv.dll
C:\WINDOWS\system32\vheobtav.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 18:59 . 2008-04-09 18:59 38,912 --a------ C:\WINDOWS\system32\geBuTkhe.dll
2008-04-09 14:57 . 2008-04-09 14:57 3,648 --a------ C:\WINDOWS\system32\gsrgpjjq.dll
2008-04-08 18:01 . 2008-04-08 18:21 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-07 20:33 . 2008-04-07 20:33 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-07 09:07 . 2008-04-07 09:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-06 18:19 . 2008-04-06 18:19 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-06 18:01 . 2008-04-06 18:01 <DIR> d-------- C:\WINDOWS\system32\regdacl
2008-04-06 18:01 . 2008-04-06 20:40 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2008-04-06 18:01 . 2008-04-06 20:40 53,248 --a------ C:\WINDOWS\system32\process.exe
2008-04-06 18:01 . 2008-04-06 20:40 16,384 --a------ C:\WINDOWS\system32\restart.exe
2008-04-06 18:01 . 2008-04-06 20:40 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2008-04-06 10:55 . 2008-04-06 10:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 10:55 . 2008-04-06 10:55 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Malwarebytes
2008-04-06 10:55 . 2008-04-06 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-06 08:34 . 2008-04-08 19:54 250 --a------ C:\WINDOWS\gmer.ini
2008-04-06 08:20 . 2008-04-06 08:20 <DIR> d-------- C:\Deckard
2008-04-05 18:04 . 2008-04-05 18:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\DoctorWeb
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 19:41 . 2008-04-04 19:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-02 23:32 . 2008-04-02 23:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 19:02 . 2008-04-02 19:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 18:39 . 2008-04-02 18:46 <DIR> d-------- C:\Program Files\Panda Security
2008-04-02 18:39 . 2008-04-02 18:44 1,859 --a------ C:\WINDOWS\mozver.dat
2008-04-02 17:38 . 2008-04-02 19:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\SUPERAntiSpyware.com
2008-04-02 17:38 . 2008-04-02 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Application Data\Grisoft
2008-04-02 17:04 . 2008-04-02 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 17:04 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-02 06:31 . 2008-04-02 21:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 06:30 . 2008-04-06 08:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 23:37 . 2008-04-01 16:15 <DIR> d-------- C:\Documents and Settings\Jenny Zhao\Contacts
2008-03-31 23:35 . 2008-03-31 23:35 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 23:34 . 2008-03-31 23:36 <DIR> d-------- C:\Program Files\Windows Live
2008-03-31 23:34 . 2008-03-31 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 19:57 . 2008-03-31 19:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-31 19:56 . 2008-03-31 19:56 <DIR> d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-31 19:55 . 2008-03-31 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-31 19:54 . 2008-03-31 19:57 <DIR> d-------- C:\WinFast WorkArea
2008-03-31 19:54 . 2008-03-31 19:56 <DIR> d-------- C:\WFDB
2008-03-31 19:54 . 2008-03-31 19:54 <DIR> d-------- C:\Program Files\WinFast
2008-03-31 19:54 . 2007-02-26 20:20 49,152 --a------ C:\WINDOWS\system32\TempDel.EXE
2008-03-31 19:54 . 2005-01-06 16:55 9,446 --a------ C:\WINDOWS\system32\drivers\WFIOCTL.sys
2008-03-31 19:46 . 2006-04-20 14:50 59,776 --a------ C:\WINDOWS\system32\drivers\wf2kvcap.sys
2008-03-31 19:46 . 2006-04-20 15:20 19,456 --a------ C:\WINDOWS\system32\drivers\wf2ktunr.sys
2008-03-31 19:46 . 2006-04-20 14:49 9,600 --a------ C:\WINDOWS\system32\drivers\wf2kXbar.sys
2008-03-31 19:34 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-31 19:32 . 2008-03-31 19:32 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-31 19:28 . 2008-03-31 19:29 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-31 19:27 . 2008-03-31 19:27 <DIR> dr-h----- C:\MSOCache
2008-03-31 19:27 . 2008-04-02 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-31 17:53 . 2008-03-31 18:53 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-31 17:53 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-31 17:46 . 2007-07-30 20:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-31 17:46 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-31 17:46 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-31 17:46 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-31 17:45 . 2008-03-31 17:45 <DIR> d--hs---- C:\Documents and Settings\Jenny Zhao\UserData
2008-03-31 17:44 . 2008-03-31 17:44 0 --a------ C:\WINDOWS\vpc32.INI
2008-03-31 17:32 . 2008-04-09 18:59 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Symantec
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-31 17:32 . 2008-03-31 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 17:32 . 2006-09-18 18:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 17:32 . 2006-09-18 18:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 13:00 . 2004-08-03 20:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-03-31 13:00 . 2004-08-03 18:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-03-31 13:00 . 2004-08-04 01:56 74,240 --a--c--- C:\WINDOWS\system32\dllcache\usbui.dll
2008-03-31 13:00 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2008-03-31 13:00 . 2004-08-04 00:07 42,368 --a--c--- C:\WINDOWS\system32\dllcache\agp440.sys
2008-03-31 13:00 . 2004-08-03 18:59 5,504 --a------ C:\WINDOWS\system32\drivers\intelide.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 23:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 23:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-31 23:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-03-31 23:01 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-03-31 22:58 --------- d-----w C:\Program Files\Logitech
2008-03-31 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-31 22:22 --------- d-----w C:\Program Files\Analog Devices
2008-03-31 22:20 --------- d-----w C:\Program Files\Intel
2008-03-31 22:07 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-09 19:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-08_10.49.47.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-08 22:03:06 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-04-08 22:03:06 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-04-08 22:03:06 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-04-08 22:03:08 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 19:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 19:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-04-08 22:03:09 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-04-08 22:03:07 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 19:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 19:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Avenger\advusbpa.dll
2008-04-08 19:41 91712 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014934.dll

C:\Avenger\backup.reg
2008-04-06 11:39 3419 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0008084.reg
2008-04-09 16:51 2752 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014974.reg

C:\Avenger\bknjsmfp.dll
2008-04-08 17:51 83520 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014884.dll

C:\Avenger\byXOggGw.dll
2008-04-09 14:49 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014961.dll

C:\Avenger\byXQJAro.dll
2008-04-06 21:14 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013408.dll

C:\Avenger\fccbCutu.dll
2008-04-06 20:25 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013366.dll
2008-04-06 21:13 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013409.dll

C:\Avenger\gwwxurmx.dll
2008-04-08 10:59 3648 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014885.dll

C:\Avenger\hgGywVMG.dll
2008-04-09 14:35 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014962.dll

C:\Avenger\hjoydfiq.dll
2008-04-08 17:49 88640 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014886.dll

C:\Avenger\iiffCTKD.dll
2008-04-06 20:09 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013367.dll
2008-04-06 21:13 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013410.dll

C:\Avenger\jkkJbcBs.dll
2008-04-06 20:42 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013368.dll
2008-04-06 21:13 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013411.dll

C:\Avenger\jkkLFxvT.dll
2008-04-06 20:07 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013369.dll
2008-04-06 21:13 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013412.dll

C:\Avenger\lgmpoipb.dll
2008-04-08 19:30 88640 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014937.dll

C:\Avenger\mlJBUNET.dll
2008-04-08 19:29 269824 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014938.dll

C:\Avenger\qvajcqgi.dll
2008-04-08 19:32 3648 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014941.dll

C:\Avenger\rlkwsiyh.dll
2008-04-08 19:38 83520 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014942.dll

C:\Avenger\rqRJDstQ.dll
2008-04-08 17:41 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014887.dll

C:\Avenger\rqRKcyyy.dll
2008-04-08 19:24 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014943.dll

C:\Avenger\rqRLbxUn.dll
2008-04-06 19:59 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013370.dll
2008-04-06 21:13 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013413.dll

C:\Avenger\tuvTmNHb.dll
2008-04-06 18:36 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013371.dll
2008-04-06 21:13 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013414.dll

C:\Avenger\urqOGXqR.dll
2008-04-08 17:48 269824 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014888.dll

C:\Avenger\vebwsuan.dll
2008-04-08 11:29 3648 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014946.dll

C:\Avenger\vxpclcwk.dll
2008-04-08 17:51 3648 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014947.dll

C:\Avenger\wegjosbd.dll
2008-04-08 17:54 91712 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014948.dll

C:\Avenger\xxyAtULD.dll
2008-04-06 19:26 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013372.dll
2008-04-06 21:13 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013415.dll

C:\Avenger\yayaXoMg.dll
2008-04-08 17:44 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014949.dll

C:\cleanup.bat
2008-04-06 11:39 574 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0008087.bat
2008-04-09 16:51 574 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014977.bat

C:\cleanup.exe
2008-04-06 11:39 19286 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0008086.exe
2008-04-09 16:51 19286 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014976.exe

2006-12-06 09:06 4096 C:\Documents and Settings\All Users\Application Data\Grisoft\AVG Anti-Spyware 7.5\Downloads\help.dll
2006-12-06 09:06 4096 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36\A0006820.dll
2006-12-06 09:06 4096 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP53\A0015010.dll

C:\Documents and Settings\Jenny Zhao\Application Data\Microsoft\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
2008-04-02 23:06 1038336 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007056.exe

C:\Documents and Settings\Jenny Zhao\Application Data\Microsoft\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
2008-04-02 23:06 178688 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007057.exe

2008-03-03 12:19 731136 C:\Documents and Settings\Jenny Zhao\Desktop\avenger\avenger.exe
2008-03-03 12:19 731136 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013401.exe
2008-03-03 12:19 731136 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014928.exe

C:\Documents and Settings\Jenny Zhao\Desktop\OTScanIt\OTScanIt\MovedFiles\04072008_105658\WINDOWS\system32\fmybdslr.dll
2008-04-07 08:15 88128 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP50\A0013851.dll

C:\Documents and Settings\Jenny Zhao\Desktop\OTScanIt\OTScanIt\MovedFiles\04072008_105658\WINDOWS\system32\xkpepeaw.dll
2008-04-07 08:21 85056 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP50\A0013849.dll

C:\Documents and Settings\Jenny Zhao\Desktop\OTScanIt\OTScanIt\MovedFiles\04072008_105658\WINDOWS\system32\ycgovuwc.dll
2008-04-07 08:18 90176 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP50\A0013850.dll

C:\Documents and Settings\Jenny Zhao\Desktop\OTScanIt\OTScanIt\MovedFiles\04072008_105658\WINDOWS\Temp\removalfile.bat
2008-04-07 09:17 43 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP50\A0013853.bat

C:\Documents and Settings\Jenny Zhao\Desktop\OTScanIt\OTScanIt\MovedFiles\04072008_110757\WINDOWS\Temp\removalfile.bat
2008-04-07 10:59 43 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP50\A0013854.bat

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\attrib.exe
2001-08-23 08:00 11264 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013482.exe

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\AppInit_DLLs.reg
2008-04-07 09:07 624 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013451.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\bat_shell_open.reg
2008-04-07 09:07 204 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013452.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\BHO.reg
2008-04-07 09:07 2288 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013453.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\com_shell_open.reg
2008-04-07 09:07 204 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013454.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\ControlPanel_Load.reg
2008-04-07 09:07 22476 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013455.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\Drivers32.reg
2008-04-07 09:07 3066 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013456.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\exe_shell_open.reg
2008-04-07 09:07 204 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013457.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\HKCU_SOFTWARE_Policy.reg
2008-04-07 09:07 3810 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013460.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\HKCU_WINDOWS_Policy.reg
2008-04-07 09:07 1704 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013461.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\HKCURun.reg
2008-04-07 09:07 482 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013458.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\HKCURunServices.reg
2008-04-07 09:07 228 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013459.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\HKLM_SOFTWARE_Policy.reg
2008-04-07 09:07 118942 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013464.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\HKLM_WINDOWS_Policy.reg
2008-04-07 09:07 2782 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013465.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\HKLMRun.reg
2008-04-07 09:07 2738 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013462.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\HKLMRunServices.reg
2008-04-07 09:07 230 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013463.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\hta_shell_open.reg
2008-04-07 09:07 270 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013466.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\IEDesktop.reg
2008-04-07 09:07 4748 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013467.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\IEMain.reg
2008-04-07 09:07 4352 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013468.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\Installed_Components.reg
2008-04-07 09:07 26492 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013469.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\pif_shell_open.reg
2008-04-07 09:07 204 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013470.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\reg_shell_open.reg
2008-04-07 09:07 228 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013471.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\SecurityProviders.reg
2008-04-07 09:07 8004 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013472.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\SharedTaskScheduler.reg
2008-04-07 09:07 546 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013473.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\ShellServiceObjectDelayLoad.reg
2008-04-07 09:07 696 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013474.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\SubSystems.reg
2008-04-07 09:07 5282 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013475.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\txt_shell_open.reg
2008-04-07 09:07 668 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013476.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\Winlogon.reg
2008-04-07 09:07 30268 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013477.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backupreg\WinlogonNotify.reg
2008-04-07 09:07 13618 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013478.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\byXQJAro.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013441.dll

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\fccbCutu.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013442.dll

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\iiffCTKD.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013443.dll

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\jkkJbcBs.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013444.dll

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\jkkLFxvT.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013445.dll

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\removalfile.bat
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013446.bat

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\rqRLbxUn.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013447.dll

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\tuvTmNHb.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013448.dll

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\userinit.reg
2008-04-07 09:08 141 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013449.reg

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\backups\xxyAtULD.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013450.dll

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\dummy.exe
2008-04-07 12:18 6656 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013479.exe

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\find.exe
2001-08-23 08:00 9216 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013480.exe

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\findstr.exe
2004-08-04 00:56 27136 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013481.exe

C:\Documents and Settings\Jenny Zhao\Desktop\SDFix\SDFix\regedit.exe
2004-08-04 00:56 146432 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013483.exe

C:\EECTRL.SYS
2008-03-18 16:13 385072 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014913.SYS

C:\NAVENG.SYS
2008-03-18 16:13 82256 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014916.SYS

2008-03-18 16:13 109616 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2008-03-18 16:13 109616 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007071.sys

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080404.003\CCERASER.DLL
2008-03-18 16:13 2561072 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013382.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080404.003\ECMSVR32.DLL
2008-03-18 16:13 284016 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013384.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080404.003\EECTRL.SYS
2008-03-18 16:13 385072 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013385.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080404.003\ERASER.SYS
2008-03-18 16:13 109616 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013387.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080404.003\NAVENG.SYS
2008-03-18 16:13 82256 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013388.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080404.003\NAVENG32.DLL
2008-03-18 16:13 128368 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013390.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080404.003\NAVEX15.SYS
2008-03-18 16:13 895408 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013391.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080404.003\NAVEX32A.DLL
2008-03-18 16:13 943472 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013393.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080405.003\CCERASER.DLL
2008-03-18 16:13 2561072 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP46\A0013582.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080405.003\ECMSVR32.DLL
2008-03-18 16:13 284016 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP46\A0013584.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080405.003\EECTRL.SYS
2008-03-18 16:13 385072 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP46\A0013585.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080405.003\ERASER.SYS
2008-03-18 16:13 109616 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP46\A0013587.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080405.003\NAVENG.SYS
2008-03-18 16:13 82256 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP46\A0013588.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080405.003\NAVENG32.DLL
2008-03-18 16:13 128368 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP46\A0013590.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080405.003\NAVEX15.SYS
2008-03-18 16:13 895408 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP46\A0013591.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080405.003\NAVEX32A.DLL
2008-03-18 16:13 943472 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP46\A0013593.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080406.003\CCERASER.DLL
2008-03-18 16:13 2561072 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014910.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080406.003\ECMSVR32.DLL
2008-03-18 16:13 284016 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014912.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080406.003\EECTRL.SYS
2008-03-18 16:13 385072 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014913.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080406.003\ERASER.SYS
2008-03-18 16:13 109616 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014915.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080406.003\NAVENG.SYS
2008-03-18 16:13 82256 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014916.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080406.003\NAVENG32.DLL
2008-03-18 16:13 128368 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014918.DLL

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080406.003\NAVEX15.SYS
2008-03-18 16:13 895408 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014919.SYS

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080406.003\NAVEX32A.DLL
2008-03-18 16:13 943472 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014921.DLL

C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustCall64.dll
2008-04-06 08:00 37376 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007050.dll

C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCall.dll
2008-04-06 08:00 22195 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007051.dll

C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP\WiseCustomCalla.dll
2008-04-06 08:00 73728 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007052.dll

2008-03-03 20:29 761856 C:\WINDOWS\gmer.exe
2008-03-03 20:29 761856 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0011295.exe
2008-03-03 20:29 761856 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014899.exe

C:\WINDOWS\system32\ajjvymmn.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP43\A0008112.dll

C:\WINDOWS\system32\awtsRlLD.dll
2008-04-05 17:59 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38\A0006887.dll

C:\WINDOWS\system32\bckgegsf.dll
2008-04-09 14:54 89664 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP53\A0014989.dll

C:\WINDOWS\system32\bddnsens.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38\A0006873.dll

C:\WINDOWS\system32\bmcjjfgw.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP49\A0013787.dll

C:\WINDOWS\system32\byXPGVpP.dll
2008-04-06 19:04 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0012298.dll

C:\WINDOWS\system32\byXQJAro.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013429.dll

C:\WINDOWS\system32\ddcAtuTL.dll
2008-04-07 11:09 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013673.dll

C:\WINDOWS\system32\ddcCrpOH.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38\A0006874.dll

C:\WINDOWS\system32\ddcyvSMf.dll
2008-04-04 19:08 269312 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36\A0006812.dll

C:\WINDOWS\system32\dfcndxig.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0012288.dll

C:\WINDOWS\system32\drivers\advts.sys
2008-04-09 16:44 61440 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014955.sys

C:\WINDOWS\system32\drivers\bozwnh.sys
2008-04-07 08:34 61440 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013403.sys

C:\WINDOWS\system32\drivers\goclkhbm.sys
2008-04-08 19:22 61440 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014879.sys

C:\WINDOWS\system32\drivers\kpje.sys
2008-04-09 16:51 61440 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014969.sys

C:\WINDOWS\system32\drivers\lhwzc.sys
2008-04-06 11:39 61440 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0008080.sys

C:\WINDOWS\system32\drivers\ubwt.sys
2008-04-06 21:12 61440 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013361.sys

C:\WINDOWS\system32\drivers\vdi2mzq2.sys
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007059.sys

C:\WINDOWS\system32\drivers\yzxiiv.sys
2008-04-09 14:46 61440 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014930.sys

C:\WINDOWS\system32\efcDWOEU.dll
2008-04-04 21:23 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36\A0006795.dll

C:\WINDOWS\system32\epnbplqj.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0012302.dll

C:\WINDOWS\system32\fccbCutu.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013430.dll

C:\WINDOWS\system32\fkqycafn.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP43\A0008113.dll

C:\WINDOWS\system32\hgGxULfe.dll
2008-04-05 19:29 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP40\A0006953.dll

C:\WINDOWS\system32\hlukrhgj.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38\A0006875.dll

C:\WINDOWS\system32\hwwrjskk.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP40\A0006941.dll

C:\WINDOWS\system32\hylhhekb.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007060.dll

C:\WINDOWS\system32\igcwvpbu.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP40\A0006942.dll

C:\WINDOWS\system32\iifcBtRk.dll
2008-04-06 07:36 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007077.dll

C:\WINDOWS\system32\iiffCRkJ.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP49\A0013788.dll

C:\WINDOWS\system32\iiffCTKD.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013431.dll

C:\WINDOWS\system32\iykxsash.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36\A0006796.dll

C:\WINDOWS\system32\jkkJbcBs.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013432.dll

C:\WINDOWS\system32\jkkLBrQj.dll
2008-04-05 19:31 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007061.dll

C:\WINDOWS\system32\jkkLFXno.dll
2008-04-09 16:46 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP53\A0015002.dll

C:\WINDOWS\system32\jkkLFxvT.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013433.dll

C:\WINDOWS\system32\jmefkjto.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007074.dll

C:\WINDOWS\system32\jmilinxq.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007062.dll

C:\WINDOWS\system32\jxfuyvrr.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007063.dll

C:\WINDOWS\system32\khfEVMFX.dll
2008-04-09 16:53 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP53\A0014990.dll

C:\WINDOWS\system32\khfGvsqp.dll
2008-04-06 19:34 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013329.dll

C:\WINDOWS\system32\knewlysr.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013674.dll

C:\WINDOWS\system32\ktpobcsq.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013675.dll

C:\WINDOWS\system32\kvpdsmyb.dll
2008-04-06 11:17 85056 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0008078.dll

C:\WINDOWS\system32\kyhqpyjp.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP49\A0013789.dll

C:\WINDOWS\system32\lahofkve.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP40\A0006943.dll

C:\WINDOWS\system32\lcbmxxkn.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013676.dll

C:\WINDOWS\system32\ljJARiJc.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0011288.dll

C:\WINDOWS\system32\lpeayooo.dll
2008-04-08 11:27 88640 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP50\A0014859.dll

C:\WINDOWS\system32\mlJYrono.dll
2008-04-05 11:56 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36\A0006797.dll

C:\WINDOWS\system32\MRT.exe
2008-03-05 09:30 19148408 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP48\A0013777.exe

C:\WINDOWS\system32\nnnllKAr.dll
2008-04-07 20:18 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013677.dll

C:\WINDOWS\system32\nnnnLcyX.dll
2008-04-04 19:03 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36\A0006813.dll

C:\WINDOWS\system32\nnnnLdAP.dll
2008-04-06 15:40 268288 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP44\A0011233.dll

C:\WINDOWS\system32\opnnonLD.dll
2008-04-06 17:34 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0011245.dll

C:\WINDOWS\system32\opnommlk.dll
2008-04-05 20:42 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007078.dll

C:\WINDOWS\system32\pbrjaetc.dll
2008-04-06 11:17 87104 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0008093.dll

C:\WINDOWS\system32\pmnljKbX.dll
2008-04-06 07:21 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007064.dll

C:\WINDOWS\system32\pmnnLBqn.dll
2008-04-05 16:53 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38\A0006876.dll

2008-04-06 20:40 53248 C:\WINDOWS\system32\process.exe
2008-04-06 18:01 53248 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0011258.exe
2008-04-06 20:23 53248 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013353.exe

C:\WINDOWS\system32\pyegtnmd.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013678.dll

C:\WINDOWS\system32\qfwjhygg.dll
2008-04-06 15:40 85056 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP44\A0011237.dll

C:\WINDOWS\system32\qqjlvygc.dll
2008-04-09 15:03 95808 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP53\A0014991.dll

C:\WINDOWS\system32\rdwmwoku.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013342.dll

2008-04-06 20:40 4096 C:\WINDOWS\system32\reboot.exe
2008-04-06 18:01 4096 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0011255.exe
2008-04-06 20:23 4096 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013350.exe

2008-04-06 20:40 90112 C:\WINDOWS\system32\regdacl.exe
2008-04-06 18:01 90112 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0011254.exe
2008-04-06 20:23 90112 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013349.exe

2008-04-06 20:40 4175 C:\WINDOWS\system32\regdacl\doc\SMWNCV.cmd
2008-04-06 18:01 4175 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0011253.cmd
2008-04-06 20:23 4175 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013348.cmd

2008-04-06 20:40 16384 C:\WINDOWS\system32\restart.exe
2008-04-06 18:01 16384 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0011257.exe
2008-04-06 20:23 16384 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013352.exe

C:\WINDOWS\system32\rqRHaXOE.dll
2008-04-07 08:36 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013693.dll

C:\WINDOWS\system32\rqRHbBTk.dll
2008-04-08 11:26 269824 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP50\A0014860.dll

C:\WINDOWS\system32\rqRHxuvS.dll
2008-04-06 14:24 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP43\A0008187.dll

C:\WINDOWS\system32\rqRJAqPI.dll
2008-04-08 09:11 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013679.dll

C:\WINDOWS\system32\rqRKDWqo.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP40\A0006944.dll

C:\WINDOWS\system32\rqRLbcBs.dll
2008-04-06 15:40 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP44\A0011239.dll

C:\WINDOWS\system32\rqRLbxUn.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013434.dll

C:\WINDOWS\system32\rqRLeeBQ.dll
2008-04-07 10:59 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013680.dll

C:\WINDOWS\system32\rqRLfcaB.dll
2008-04-07 08:14 267776 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013694.dll

C:\WINDOWS\system32\rtqojtph.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013355.dll

C:\WINDOWS\system32\sbmajava.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013681.dll

C:\WINDOWS\system32\seprddxt.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36\A0006798.dll

C:\WINDOWS\system32\spxysetk.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0012301.dll

C:\WINDOWS\system32\ssqOIAsT.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007073.dll

C:\WINDOWS\system32\ssqPifcC.dll
2008-04-08 11:20 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP50\A0014861.dll

C:\WINDOWS\system32\ssqqPGVN.dll
2008-04-09 14:54 270336 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP53\A0015003.dll

C:\WINDOWS\system32\ssqRKede.dll
2008-04-06 08:10 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007076.dll

C:\WINDOWS\system32\taymlamm.dll
2008-04-08 11:32 83520 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP50\A0014858.dll

C:\WINDOWS\system32\tuvSIbXq.dll
2008-04-06 18:03 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0012300.dll

C:\WINDOWS\system32\tuvTmNHb.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013435.dll

C:\WINDOWS\system32\uegrsndm.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP49\A0013790.dll

C:\WINDOWS\system32\ugnrkwjs.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP38\A0006877.dll

C:\WINDOWS\system32\uhevhedr.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP43\A0008111.dll

C:\WINDOWS\system32\ulecybox.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP47\A0013682.dll

C:\WINDOWS\system32\urqPhgfd.dll
2008-04-06 11:17 268288 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0008089.dll

C:\WINDOWS\system32\urqRhHxx.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007065.dll

C:\WINDOWS\system32\uvutasfw.dll
2008-04-06 15:40 87104 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP44\A0011240.dll

C:\WINDOWS\system32\vatboehv.dll
2008-04-09 15:06 84544 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP53\A0014992.dll

C:\WINDOWS\system32\vtUlIyWQ.dll
2008-04-06 14:22 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP43\A0008127.dll

C:\WINDOWS\system32\vtUlIyyA.dll
2008-04-06 18:18 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0012299.dll

C:\WINDOWS\system32\wixkdkcv.dll
2008-04-06 11:17 85056 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0008091.dll

C:\WINDOWS\system32\wvUMGvSm.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013316.dll

C:\WINDOWS\system32\xcnfubbo.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013302.dll

C:\WINDOWS\system32\xdebcngd.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0007075.dll

C:\WINDOWS\system32\xxyAtULD.dll
2008-04-07 08:35 0 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP45\A0013436.dll

C:\WINDOWS\system32\xxyvusRH.dll
2008-04-06 13:29 268288 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP43\A0008128.dll

C:\WINDOWS\system32\xxyxYsSK.dll
2008-04-08 11:18 38912 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP49\A0013800.dll

C:\WINDOWS\system32\yarputtw.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP36\A0006799.dll

C:\WINDOWS\system32\ykuidpyg.dll
{FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP43\A0008114.dll

C:\zip.exe
2008-04-06 11:39 135168 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP42\A0008085.exe
2008-04-09 16:51 135168 {FC28582C-DBF4-4B0E-BC7E-F7504CB5F12E}\RP51\A0014975.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-03-19 12:01 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37 2178832]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-10-18 13:47 876544]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}"= C:\WINDOWS\system32\geBuTkhe.dll [2008-04-09 18:59 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-02 19:24 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuTkhe]
geBuTkhe.dll 2008-04-09 18:59 38912 C:\WINDOWS\system32\geBuTkhe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLFXno]
jkkLFXno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2002-08-29 07:52]
R2 BT848;WinFast TV2000 XP WDM Video Capture;C:\WINDOWS\system32\drivers\wf2kvcap.sys [2006-04-20 14:50]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;C:\WINDOWS\system32\drivers\wf2ktunr.sys [2006-04-20 15:20]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;C:\WINDOWS\system32\drivers\wf2kxbar.sys [2006-04-20 14:49]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 16:55]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 18:59:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\geBuTkhe.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-04-09 19:00:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 23:00:41
ComboFix2.txt 2008-04-08 15:21:35
ComboFix3.txt 2008-04-08 14:50:18
ComboFix4.txt 2008-04-06 18:38:10
Pre-Run: 115,364,577,280 bytes free
Post-Run: 115,348,942,848 bytes free

Here is the DSS log:

Deckard's System Scanner v20071014.68
Run by Jenny Zhao on 2008-04-09 19:01:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Jenny Zhao.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:42 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jenny Zhao\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JENNYZ~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra bu

#120
Rorschach112

Posted 09 April 2008 - 05:37 PM

Ralphie

Retired Staff
47,710 posts

Yes please unplug the external hard drive to be safe and try not to use your USB key

That log has shown something very important. Don't want to get my hopes up though

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\geBuTkhe.dll
C:\WINDOWS\system32\gsrgpjjq.dll
C:\WINDOWS\system32\ajjvymmn.dll
C:\WINDOWS\system32\awtsRlLD.dll
C:\WINDOWS\system32\bckgegsf.dll
C:\WINDOWS\system32\bddnsens.dll
C:\WINDOWS\system32\bmcjjfgw.dll
C:\WINDOWS\system32\byXPGVpP.dll
C:\WINDOWS\system32\byXQJAro.dll
C:\WINDOWS\system32\ddcAtuTL.dll
C:\WINDOWS\system32\ddcCrpOH.dll
C:\WINDOWS\system32\ddcyvSMf.dll
C:\WINDOWS\system32\dfcndxig.dll
C:\WINDOWS\system32\drivers\advts.sys
C:\WINDOWS\system32\drivers\bozwnh.sys
C:\WINDOWS\system32\drivers\goclkhbm.sys
C:\WINDOWS\system32\drivers\kpje.sys
C:\WINDOWS\system32\drivers\lhwzc.sys
C:\WINDOWS\system32\drivers\ubwt.sys
C:\WINDOWS\system32\drivers\vdi2mzq2.sys
C:\WINDOWS\system32\drivers\yzxiiv.sys
C:\WINDOWS\system32\efcDWOEU.dll
C:\WINDOWS\system32\epnbplqj.dll
C:\WINDOWS\system32\fccbCutu.dll
C:\WINDOWS\system32\fkqycafn.dll
C:\WINDOWS\system32\hgGxULfe.dll
C:\WINDOWS\system32\hlukrhgj.dll
C:\WINDOWS\system32\hwwrjskk.dll
C:\WINDOWS\system32\hylhhekb.dll
C:\WINDOWS\system32\igcwvpbu.dll
C:\WINDOWS\system32\iifcBtRk.dll
C:\WINDOWS\system32\iiffCRkJ.dll
C:\WINDOWS\system32\iiffCTKD.dll
C:\WINDOWS\system32\iykxsash.dll
C:\WINDOWS\system32\jkkJbcBs.dll
C:\WINDOWS\system32\jkkLBrQj.dll
C:\WINDOWS\system32\jkkLFXno.dll
C:\WINDOWS\system32\jkkLFxvT.dll
C:\WINDOWS\system32\jmefkjto.dll
C:\WINDOWS\system32\jmilinxq.dll
C:\WINDOWS\system32\jxfuyvrr.dll
C:\WINDOWS\system32\khfEVMFX.dll
C:\WINDOWS\system32\khfGvsqp.dll
C:\WINDOWS\system32\knewlysr.dll
C:\WINDOWS\system32\ktpobcsq.dll
C:\WINDOWS\system32\kvpdsmyb.dll
C:\WINDOWS\system32\kyhqpyjp.dll
C:\WINDOWS\system32\lahofkve.dll
C:\WINDOWS\system32\lcbmxxkn.dll
C:\WINDOWS\system32\ljJARiJc.dll
C:\WINDOWS\system32\lpeayooo.dll
C:\WINDOWS\system32\mlJYrono.dll
C:\WINDOWS\system32\nnnllKAr.dll
C:\WINDOWS\system32\nnnnLcyX.dll
C:\WINDOWS\system32\nnnnLdAP.dll
C:\WINDOWS\system32\opnnonLD.dll
C:\WINDOWS\system32\opnommlk.dll
C:\WINDOWS\system32\pbrjaetc.dll
C:\WINDOWS\system32\pmnljKbX.dll
C:\WINDOWS\system32\pmnnLBqn.dll
C:\WINDOWS\system32\qfwjhygg.dll
C:\WINDOWS\system32\qqjlvygc.dll
C:\WINDOWS\system32\rdwmwoku.dll
C:\WINDOWS\system32\rqRHaXOE.dll
C:\WINDOWS\system32\rqRHbBTk.dll
C:\WINDOWS\system32\rqRHxuvS.dll
C:\WINDOWS\system32\rqRJAqPI.dll
C:\WINDOWS\system32\rqRKDWqo.dll
C:\WINDOWS\system32\rqRLbcBs.dll
C:\WINDOWS\system32\rqRLbxUn.dll
C:\WINDOWS\system32\rqRLeeBQ.dll
C:\WINDOWS\system32\rqRLfcaB.dll
C:\WINDOWS\system32\rtqojtph.dll
C:\WINDOWS\system32\sbmajava.dll
C:\WINDOWS\system32\seprddxt.dll
C:\WINDOWS\system32\spxysetk.dll
C:\WINDOWS\system32\ssqOIAsT.dll
C:\WINDOWS\system32\ssqPifcC.dll
C:\WINDOWS\system32\ssqqPGVN.dll
C:\WINDOWS\system32\ssqRKede.dll
C:\WINDOWS\system32\taymlamm.dll
C:\WINDOWS\system32\tuvSIbXq.dll
C:\WINDOWS\system32\tuvTmNHb.dll
C:\WINDOWS\system32\uegrsndm.dll
C:\WINDOWS\system32\ugnrkwjs.dll
C:\WINDOWS\system32\uhevhedr.dll
C:\WINDOWS\system32\ulecybox.dll
C:\WINDOWS\system32\urqPhgfd.dll
C:\WINDOWS\system32\urqRhHxx.dll
C:\WINDOWS\system32\uvutasfw.dll
C:\WINDOWS\system32\vatboehv.dll
C:\WINDOWS\system32\vtUlIyWQ.dll
C:\WINDOWS\system32\vtUlIyyA.dll
C:\WINDOWS\system32\wixkdkcv.dll
C:\WINDOWS\system32\wvUMGvSm.dll
C:\WINDOWS\system32\xcnfubbo.dll
C:\WINDOWS\system32\xdebcngd.dll
C:\WINDOWS\system32\xxyAtULD.dll
C:\WINDOWS\system32\xxyvusRH.dll
C:\WINDOWS\system32\xxyxYsSK.dll
C:\WINDOWS\system32\yarputtw.dll
C:\WINDOWS\system32\ykuidpyg.dll
C:\zip.exe

Folders to delete:
C:\Documents and Settings\Jenny Zhao\Application Data\Microsoft\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}

Drivers to delete:
advts
bozwnh
goclkhbm
kpje
lhwzc
ubwt
vdi2mzq2
yzxiiv

Registry values to delete:
hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks | {BFA7416F-6EBA-43E5-B485-D32C6C78E1DB}

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuTkhe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLFXno

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.