
Spyware ads, Task manager blocked, slow, popups, etc. [RESOLVED]


#1 vegimo, Member (17 posts)
Hi Geeks, thanks in advance...

Steps taken so far:
ran ATF Cleaner
created a system restore point
ran AVG Anti-Spyware in safe mode, but there were no report results available to post here
tried to run SUPERAntiSpyware, but after 11 hours it was not complete and the computer was nearly dead
I had run it earlier in the day, so the log from that run is below
tried to run Panda ActiveScan but could not get the download to complete
ran HijackThis - log is below
could not get the uninstall list to save
HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:58 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wmsdkns.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SAAlert.exe
C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\QdrModule\QdrModule15.exe
C:\WINDOWS\system32\atstqjmh.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.freescale.net:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; *.freescale.net; *.freescale.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lsbxxspA] C:\WINDOWS\lsbxxspA.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [{64-4F-F0-0A-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [ShareSearcher] c:\wsusupd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [rkpibcfy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rkpibcfy.dll"
O4 - HKLM\..\Run: [ozyvwdkt] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ozyvwdkt.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Upazulsr] C:\WINDOWS\system32\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [Riqsqgy] "C:\Program Files\Common Files\?icrosoft\w?nlogon.exe"
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\RACLE~1\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\MARKEV~1\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [lnznvolr] C:\WINDOWS\system32\atstqjmh.exe
O4 - HKLM\..\Policies\Explorer\Run: [OrfHnI9DaH] C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {032B436A-1BA6-47D9-B183-A0E013C94A25} (FgIoOcx Control) - http://172.18.2.66/F...Dll/FgIoOcx.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.87.cab
O16 - DPF: {3A2BF2DC-FDE5-4026-99B4-60F2999137AD} (FgConfigExecOcx Control) - http://172.18.2.66/F...nfigExecOcx.cab
O16 - DPF: {3AED1953-E7E9-418F-888C-7B497E038B77} (FgViewOcx Control) - http://172.18.2.66/F...l/FgViewOcx.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {5FF6BD84-D9FA-497E-BD43-FAA0DE338754} (FgStartupOcx Control) - http://172.18.2.66/F...gStartupOcx.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.68.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn...s/heartbeat.cab
O16 - DPF: {921DB7E5-1292-460F-AA99-217245A44330} (FgRawOcx Control) - http://172.18.2.66/F...ll/FgRawOcx.cab
O16 - DPF: {94279BAD-0B3C-4747-8869-8FBF27A675F8} (FgRecipeOcx Control) - http://172.18.2.66/F...FgRecipeOcx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/...he.cab55579.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {A97CF130-1C5E-4E07-A3FF-14BBE848DAC9} (FgAlarmOcx Control) - http://172.18.8.23/F.../FgAlarmOcx.cab
O16 - DPF: {B84BBE57-87E8-4335-8FD0-4B45A50E055E} (FgDbReportOcx Control) - http://172.18.2.66/F...DbReportOcx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn...6/heartbeat.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab42858.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.98.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex....eck/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Security Agent Service (IpmSecurityAgentService) - Lightspeed Systems - C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11738 bytes
SUPER ANTI-SPYWARE LOG

SUPERAntiSpyware Scan Log
Generated 04/07/2008 at 11:07 AM

Application Version : 3.6.1000

Core Rules Database Version : 3343
Trace Rules Database Version: 1344

Scan type : Complete Scan
Total Scan Time : 02:20:58

Memory items scanned : 354
Memory threats detected : 1
Registry items scanned : 4991
Registry threats detected : 34
File items scanned : 64994
File threats detected : 228

Trojan.Downloader-LDCORE
C:\WINDOWS\SYSTEM32\LDCORE.DLL
C:\WINDOWS\SYSTEM32\LDCORE.DLL

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}

Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\STCLOADER.EXE

Adware.Tracking Cookie
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][3].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][1].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt
C:\Documents and Settings\mark everett\Cookies\[email protected][2].txt

Adware.180solutions/ZangoSearch
C:\Program Files\Zango\zango.exe
C:\Program Files\Zango

Adware.180solutions/Seekmo
C:\Program Files\Seekmo\seekmohook.dll
C:\Program Files\Seekmo

Malware.DriveCleaner
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files#C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files#C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation#INF
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\InstalledVersion#LastModified
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UDC6_0001_D19M1908NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UDC6_0001_D19M1908NETINSTALLER.EXE

Malware.MalwareAlarm
HKCR\MalwareAlarm.WebInstall
HKCR\MalwareAlarm.WebInstall\CLSID
HKCR\MalwareAlarm.WebInstall\CurVer
HKCR\MalwareAlarm.WebInstall.1
HKCR\MalwareAlarm.WebInstall.1\CLSID

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
C:\Program Files\Outerinfo\FF\components
C:\Program Files\Outerinfo\FF
C:\Program Files\Outerinfo
C:\Documents and Settings\mark everett\Start Menu\Programs\Outerinfo

Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A ]

Adware.AdSponsor/ISM
C:\Documents and Settings\mark everett\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\mark everett\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\mark everett\Start Menu\Programs\Internet Speed Monitor

Trojan.Downloader-Gen/DDC
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMP\QPFEYOKD.EXE
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMP\WXNYOCRP.EXE
C:\WINDOWS\SYSTEM32\AEQQXYMQ.EXE
C:\WINDOWS\SYSTEM32\AGHONSNG.EXE
C:\WINDOWS\SYSTEM32\AQJEBJPW.EXE
C:\WINDOWS\SYSTEM32\BECSKNVR.EXE
C:\WINDOWS\SYSTEM32\BUCCEWBJ.EXE
C:\WINDOWS\SYSTEM32\BYVSOIDQ.EXE
C:\WINDOWS\SYSTEM32\CLRYGCPY.EXE
C:\WINDOWS\SYSTEM32\DDKTSHLW.EXE
C:\WINDOWS\SYSTEM32\DEWGEHXR.EXE
C:\WINDOWS\SYSTEM32\DLKTTWAX.EXE
C:\WINDOWS\SYSTEM32\DRRIJAKK.EXE
C:\WINDOWS\SYSTEM32\EGLJCTSR.EXE
C:\WINDOWS\SYSTEM32\FAWAANSV.EXE
C:\WINDOWS\SYSTEM32\FBWFJYAO.EXE
C:\WINDOWS\SYSTEM32\FDYCPHEU.EXE
C:\WINDOWS\SYSTEM32\FEEGUJVK.EXE
C:\WINDOWS\SYSTEM32\GEMSUNNQ.EXE
C:\WINDOWS\SYSTEM32\GODPWNDB.EXE
C:\WINDOWS\SYSTEM32\HIHQHVIU.EXE
C:\WINDOWS\SYSTEM32\HJCVFRPT.EXE
C:\WINDOWS\SYSTEM32\HQKPXHQV.EXE
C:\WINDOWS\SYSTEM32\HTKJFDIX.EXE
C:\WINDOWS\SYSTEM32\IENPWCBV.EXE
C:\WINDOWS\SYSTEM32\IFBOBDCB.EXE
C:\WINDOWS\SYSTEM32\IJIXQMPD.EXE
C:\WINDOWS\SYSTEM32\INHRBOCO.EXE
C:\WINDOWS\SYSTEM32\ISRIICSX.EXE
C:\WINDOWS\SYSTEM32\IUIQFTXQ.EXE
C:\WINDOWS\SYSTEM32\IUKJOQVO.EXE
C:\WINDOWS\SYSTEM32\IXVPBQDJ.EXE
C:\WINDOWS\SYSTEM32\JBSSEKPE.EXE
C:\WINDOWS\SYSTEM32\JSMIXUHJ.EXE
C:\WINDOWS\SYSTEM32\JUXFRXPC.EXE
C:\WINDOWS\SYSTEM32\KFHYUWRA.EXE
C:\WINDOWS\SYSTEM32\LNBVJEWE.EXE
C:\WINDOWS\SYSTEM32\LPVLCEJM.EXE
C:\WINDOWS\SYSTEM32\LXEBWNKE.EXE
C:\WINDOWS\SYSTEM32\MCMVSMYO.EXE
C:\WINDOWS\SYSTEM32\MHOQNJWT.EXE
C:\WINDOWS\SYSTEM32\MJEQAFBV.EXE
C:\WINDOWS\SYSTEM32\MLYQUAGN.EXE
C:\WINDOWS\SYSTEM32\NAXJILHB.EXE
C:\WINDOWS\SYSTEM32\NEXDCDCI.EXE
C:\WINDOWS\SYSTEM32\NICAVQGY.EXE
C:\WINDOWS\SYSTEM32\NRNEIARL.EXE
C:\WINDOWS\SYSTEM32\NXSVNYVL.EXE
C:\WINDOWS\SYSTEM32\PARARTXD.EXE
C:\WINDOWS\SYSTEM32\PFOXVUWL.EXE
C:\WINDOWS\SYSTEM32\PPTJUQKA.EXE
C:\WINDOWS\SYSTEM32\QCXEGPIL.EXE
C:\WINDOWS\SYSTEM32\QDSVDQNI.EXE
C:\WINDOWS\SYSTEM32\QEECWPYT.EXE
C:\WINDOWS\SYSTEM32\QGFAPATU.EXE
C:\WINDOWS\SYSTEM32\SAOXHHMO.EXE
C:\WINDOWS\SYSTEM32\SYVBDAFC.EXE
C:\WINDOWS\SYSTEM32\TCKVEDSN.EXE
C:\WINDOWS\SYSTEM32\THJPOREY.EXE
C:\WINDOWS\SYSTEM32\TPIGNKNO.EXE
C:\WINDOWS\SYSTEM32\TPPLKKNQ.EXE
C:\WINDOWS\SYSTEM32\TSBFPHWI.EXE
C:\WINDOWS\SYSTEM32\TXOYHOQK.EXE
C:\WINDOWS\SYSTEM32\UWUSJXSW.EXE
C:\WINDOWS\SYSTEM32\VHLMEATU.EXE
C:\WINDOWS\SYSTEM32\WPNRNADJ.EXE
C:\WINDOWS\SYSTEM32\WRHQGMPQ.EXE
C:\WINDOWS\SYSTEM32\WRVCXJQT.EXE
C:\WINDOWS\SYSTEM32\XTUHFOFD.EXE
C:\WINDOWS\SYSTEM32\YAGJNLJG.EXE
C:\WINDOWS\SYSTEM32\YJEHYMIL.EXE
C:\WINDOWS\SYSTEM32\YNOXETAR.EXE
C:\WINDOWS\SYSTEM32\YWLBSPPC.EXE

Adware.webHancer
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMP\RARSFX0\WEBHDLL.DLL
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMP\RARSFX0\WHAGENT.EXE
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMP\RARSFX0\WHIEHLPR.DLL
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMP\RARSFX0\WHINSTALLER.EXE
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMP\SYSWCC32.EXE
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\EV6XYTOP\SYSWCC32[1].EXE

Trojan.Downloader-Gen/SnapSNet
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMP\SNAPSNET.EXE

Adware.WINSHOW
C:\DOCUMENTS AND SETTINGS\MARK EVERETT\LOCAL SETTINGS\TEMP\WINSHOW.EXE

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1552OINADMIN.EXE
C:\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE

Trojan.Downloader-CREW
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP373\A0022640.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP393\A0023839.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP397\A0025865.DLL

Malware.LocusSoftware Inc-Installer
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UGA6P_0001_N120M1710NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\UGA6P_0001_N120M1710NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\UGA6P_0001_N120M1710NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.4\UGA6P_0001_N120M1710NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.5\UGA6P_0001_N120M1710NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UGA6P_0001_N120M1710NETINSTALLER.EXE

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UWA7P_0001_N99M2908NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\UWA7P_0001_N99M2908NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\UWA7P_0001_N99M2908NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWA7P_0001_N99M2908NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWAS7_0001_N99M3108NETINSTALLER.EXE

Trojan.ErrorSafe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UERS_9999_N91S1502NETINSTALLER.EXE

Torjan.SecondThoughtInstaller
C:\WINDOWS\INSTALLER\ID53.EXE

Adware.Vundo/Traff-2
C:\WINDOWS\SYSTEM32\AOWRMAIM.EXE
C:\WINDOWS\SYSTEM32\CAOFIBUR.EXE
C:\WINDOWS\SYSTEM32\CTSQCEKT.EXE
C:\WINDOWS\SYSTEM32\DLMVUJPL.EXE
C:\WINDOWS\SYSTEM32\FODYDJKB.EXE
C:\WINDOWS\SYSTEM32\HFFBVGMW.EXE
C:\WINDOWS\SYSTEM32\JUTMNGDU.EXE
C:\WINDOWS\SYSTEM32\KCUTUMRO.EXE
C:\WINDOWS\SYSTEM32\MOEDAJGA.EXE
C:\WINDOWS\SYSTEM32\MSFUVORX.EXE
C:\WINDOWS\SYSTEM32\OCKKGEOC.EXE
C:\WINDOWS\SYSTEM32\RPEEAXTU.EXE
C:\WINDOWS\SYSTEM32\RVPRDLWN.EXE
C:\WINDOWS\SYSTEM32\SPHLSBFM.EXE
C:\WINDOWS\SYSTEM32\XSJGGXJT.EXE
C:\WINDOWS\SYSTEM32\YFJNPXQV.EXE

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WNSTSSV32.EXE

Trace.Known Threat Sources
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\4J97CD51\ctxad-576[1].0000
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\49UZKP63\ctxad-576[1].0004
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\49UZKP63\ajax[1].htm
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\Q3M3U9UZ\checksoft[1].js
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\GLEF4PM7\CAR28FNL.htm
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\YV5PEN7Z\ctxad-576[1].0002
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\GLEF4PM7\ctxad-576[1].0005
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\LXYMS0O4\CADS2X9V.htm
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\LXYMS0O4\ctxad-576[1].0001
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\UHWZ8V4H\ctxad-576[1].sig
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\S9E3S9M7\errorhandler[1].htm
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\Q3M3U9UZ\test[1].gif
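The HijackThis log in this post shows several autostart entries of the kind a volunteer helper checks first: an extra executable in the UserInit chain (F2), a DLL injected through AppInit_DLLs (O20), a policy that disables Registry Editor (O7), Run entries launching from Temp or All Users\Application Data, paths containing "?" (HijackThis shows "?" for characters it cannot display), and a service whose binary is missing (O23). The script below is an added illustration, not part of the original thread and not HijackThis' own code: it applies those common triage heuristics to a handful of lines excerpted from the log above. The rule set, the regular expressions and the function names are my own choices; a hit is only a reason to look closer, not a verdict.

```python
import re

# Lines excerpted from the HijackThis log posted above (entry lines only;
# the running-process list is not needed for these checks).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [rkpibcfy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rkpibcfy.dll"
O4 - HKCU\..\Run: [Upazulsr] C:\WINDOWS\system32\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\MARKEV~1\LOCALS~1\Temp\ie.exe
O4 - HKLM\..\Policies\Explorer\Run: [OrfHnI9DaH] C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section code plus the rest of the line
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+)\s+-\s+(?P<body>.+)$")
# Splits an O4 body into registry location, value name and command line
RUN_ENTRY = re.compile(r"^(?P<hive>.*?\\Run):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# On a clean Windows XP installation the UserInit chain holds exactly this entry.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def triage_line(line):
    """Return (section, body, reasons) for a HijackThis entry, or None for
    any other line. An empty reasons list means nothing looked odd."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec == "F2" and "UserInit=" in body:
        chain = body.split("UserInit=", 1)[1]
        values = [v.strip().lower() for v in chain.split(",") if v.strip()]
        extra = [v for v in values if v != EXPECTED_USERINIT]
        if extra:
            reasons.append("UserInit chain carries extra executables: " + ", ".join(extra))
    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # almost never populated on a clean XP box
            reasons.append("AppInit_DLLs loads %s into every process that uses user32" % value)
    elif sec == "O7":
        for policy in ("DisableRegedit=1", "DisableTaskMgr=1"):
            if policy in body:
                reasons.append("policy %s locks the user out of admin tooling" % policy)
    elif sec == "O4":
        rm = RUN_ENTRY.match(body)
        if rm:
            hive, cmd = rm.group("hive"), rm.group("cmd")
            low = cmd.lower()
            if r"policies\explorer\run" in hive.lower():
                reasons.append("autorun via Policies\\Explorer\\Run, which msconfig does not list")
            if "?" in cmd:
                reasons.append("path contains '?' (undisplayable characters in a system-looking path)")
            if "\\temp\\" in low:
                reasons.append("autorun from a Temp directory")
            if low.startswith("regsvr32 /u"):
                reasons.append("regsvr32 /u in a Run key is not a normal autostart pattern")
            if "\\all users\\application data\\" in low:
                reasons.append("executable launched from All Users\\Application Data")
    elif sec == "O23" and "(file missing)" in body:
        reasons.append("service points at a missing file (orphaned or already-removed binary)")
    return sec, body, reasons


def triage_log(text):
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for line in text.splitlines():
        parsed = triage_line(line)
        if parsed and parsed[2]:
            findings.append(parsed)
    return findings


if __name__ == "__main__":
    for sec, body, reasons in triage_log(SAMPLE_LOG):
        print("%-4s %s" % (sec, body))
        for r in reasons:
            print("       -> " + r)
```

Run against the excerpt, the script flags eight of the ten entries and leaves the ATI and AVG lines alone; on the full log it would also surface the second regsvr32 /u entry and the atstqjmh.exe Run key only if you extend the rules (for example, a check for eight-letter random names), which is deliberately left out because such a pattern is a judgement call rather than a rule.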
#2 kahdah, GeekU Teacher, Retired Staff (15,822 posts)
Hello vegimo

Welcome to G2Go. :)
=====================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 vegimo, Topic Starter, Member (17 posts)
Thank you, and here are the results:

Deckard's System Scanner v20071014.68
Run by meverett on 2008-04-08 12:44:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-04-08 17:44:43 UTC - RP455 - Deckard's System Scanner Restore Point
1: 2008-04-08 00:34:47 UTC - RP454 - new malware


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as meverett.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:33 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wmsdkns.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SAAlert.exe
C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\QdrModule\QdrModule15.exe
C:\WINDOWS\system32\atstqjmh.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mark everett\Local Settings\Temporary Internet Files\Content.IE5\SPW1U9YF\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\meverett.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.freescale.net:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; *.freescale.net; *.freescale.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {08542C85-E1F2-424B-ADA3-02B81B6A8FDD} - C:\WINDOWS\system32\khfDwttQ.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lsbxxspA] C:\WINDOWS\lsbxxspA.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [{64-4F-F0-0A-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [ShareSearcher] c:\wsusupd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [rkpibcfy] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rkpibcfy.dll"
O4 - HKLM\..\Run: [ozyvwdkt] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ozyvwdkt.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Upazulsr] C:\WINDOWS\system32\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [Riqsqgy] "C:\Program Files\Common Files\?icrosoft\w?nlogon.exe"
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\RACLE~1\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\MARKEV~1\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [lnznvolr] C:\WINDOWS\system32\atstqjmh.exe
O4 - HKLM\..\Policies\Explorer\Run: [OrfHnI9DaH] C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {032B436A-1BA6-47D9-B183-A0E013C94A25} (FgIoOcx Control) - http://172.18.2.66/F...Dll/FgIoOcx.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.87.cab
O16 - DPF: {3A2BF2DC-FDE5-4026-99B4-60F2999137AD} (FgConfigExecOcx Control) - http://172.18.2.66/F...nfigExecOcx.cab
O16 - DPF: {3AED1953-E7E9-418F-888C-7B497E038B77} (FgViewOcx Control) - http://172.18.2.66/F...l/FgViewOcx.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {5FF6BD84-D9FA-497E-BD43-FAA0DE338754} (FgStartupOcx Control) - http://172.18.2.66/F...gStartupOcx.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.68.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn...s/heartbeat.cab
O16 - DPF: {921DB7E5-1292-460F-AA99-217245A44330} (FgRawOcx Control) - http://172.18.2.66/F...ll/FgRawOcx.cab
O16 - DPF: {94279BAD-0B3C-4747-8869-8FBF27A675F8} (FgRecipeOcx Control) - http://172.18.2.66/F...FgRecipeOcx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/...he.cab55579.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {A97CF130-1C5E-4E07-A3FF-14BBE848DAC9} (FgAlarmOcx Control) - http://172.18.8.23/F.../FgAlarmOcx.cab
O16 - DPF: {B84BBE57-87E8-4335-8FD0-4B45A50E055E} (FgDbReportOcx Control) - http://172.18.2.66/F...DbReportOcx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn...6/heartbeat.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab42858.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.98.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex....eck/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hggff - C:\WINDOWS\system32\hggff.dll (file missing)
O20 - Winlogon Notify: opnnnmli - opnnnmli.dll (file missing)
O20 - Winlogon Notify: oppom - C:\WINDOWS\system32\oppom.dll (file missing)
O20 - Winlogon Notify: winyxm32 - winyxm32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Security Agent Service (IpmSecurityAgentService) - Lightspeed Systems - C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13358 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NIPALK - c:\windows\system32\drivers\nipalk.sys <Not Verified; National Instruments Corporation; NI-PAL>
R1 IpmSecurityAgent1 (Security Agent Filter Driver) - c:\windows\system32\drivers\ipmsecurityagent1.sys <Not Verified; Lightspeed Systems; Total Traffic Control (TTC)>
R1 IpmSecurityAgent2 (Security Agent Driver) - c:\windows\system32\drivers\ipmsecurityagent2.sys <Not Verified; Lightspeed Systems; Total Traffic Control (TTC)>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 niarbk - c:\windows\system32\drivers\niarbk.dll <Not Verified; National Instruments Corporation; NI-ARB>
R2 nibffrk - c:\windows\system32\drivers\nibffrk.dll <Not Verified; National Instruments Corporation; NI Buffer Services>
R2 Nidaq32k - c:\windows\system32\drivers\nidaq32k.sys <Not Verified; National Instruments Corporation; NI-DAQ>
R2 nidmmk (NI DMM and Data Logger Kernel Driver) - c:\windows\system32\drivers\nidmmk.dll <Not Verified; National Instruments Corporation; NIDMM User and Kernel Mode Component for NIDAQ 6.9.0>
R2 nimdsk - c:\windows\system32\drivers\nimdsk.dll <Not Verified; National Instruments Corporation; NI-MDS>
R2 nistck - c:\windows\system32\drivers\nistck.dll <Not Verified; National Instruments Corporation; NISTC>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S1 core - c:\windows\system32\drivers\core.sys (file missing)
S3 ApiMon - c:\windows\system32\drivers\apimon.sys (file missing)
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Lotus Notes Single Logon - c:\windows\system32\nslsvice.exe <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 Multi-user Cleanup Service - c:\lotus\notes\ntmulti.exe <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

S2 Ati HotKey Poller - c:\windows\system32\ati2evxx.exe (file missing)
S2 Net Agent - c:\windows\dls0523pmw.exe (file missing)
S2 WinVNC4 (VNC Server Version 4) - "c:\program files\realvnc\vnc4\winvnc4.exe" -service <Not Verified; RealVNC Ltd.; VNC Server 4.0>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {E0CBF06C-CD8B-4647-BB8A-263B43F0F974}
Description: Dell TrueMobile Bluetooth Module
Device ID: USB\VID_413C&PID_8000\5&14223E91&0&2
Manufacturer: Dell
Name: Dell TrueMobile Bluetooth Module
PNP Device ID: USB\VID_413C&PID_8000\5&14223E91&0&2
Service: BTHUSB

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27218086&REV_05\4&39A85202&0&18F0
Manufacturer: Intel® Corporation
Name: Intel® PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27218086&REV_05\4&39A85202&0&18F0
Service: w22n51


-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 08:48:40 0 d-------- C:\Program Files\Trend Micro
2008-04-08 08:34:54 0 d-------- C:\Program Files\Panda Security
2008-04-08 08:34:50 0 d-------- C:\WINDOWS\LastGood
2008-04-08 08:29:22 22016 --a------ C:\WINDOWS\stcloader.exe
2008-04-08 08:29:22 10496 --a------ C:\WINDOWS\bokja.exe
2008-04-07 20:58:36 0 d-------- C:\Program Files\180search assistant
2008-04-07 20:58:35 0 d-------- C:\Program Files\180searchassistant
2008-04-07 15:40:40 85056 --a------ C:\WINDOWS\system32\ejjlaiik.dll
2008-04-07 15:37:49 90176 --a------ C:\WINDOWS\system32\uckchqbq.dll
2008-04-07 15:37:40 88128 --a------ C:\WINDOWS\system32\plvtxnsk.dll
2008-04-07 11:22:42 0 d-------- C:\Program Files\seekmo
2008-04-07 11:22:41 0 d-------- C:\Program Files\zango
2008-04-07 10:55:27 77383 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>
2008-04-06 15:56:54 16384 --a------ C:\WINDOWS\voiceip.dll
2008-04-06 15:56:54 0 d-------- C:\Program Files\stc
2008-04-06 15:56:53 18176 --a------ C:\WINDOWS\swin32.dll
2008-04-06 15:56:53 32512 --a------ C:\WINDOWS\cdsm32.dll
2008-04-06 15:56:51 25856 --a------ C:\WINDOWS\mssvr.exe
2008-04-06 15:56:51 18688 --a------ C:\WINDOWS\mspphe.dll
2008-04-06 15:56:51 32256 --a------ C:\WINDOWS\bjam.dll
2008-04-06 15:56:50 21504 --a------ C:\WINDOWS\2020search2.dll
2008-04-06 15:56:50 18688 --a------ C:\WINDOWS\2020search.dll
2008-04-06 15:56:48 24064 --a------ C:\WINDOWS\system32\WER8274.DLL
2008-04-06 15:56:48 31488 --a------ C:\WINDOWS\system32\MSIXU.DLL
2008-04-06 15:56:47 32512 --a------ C:\WINDOWS\updatetc.exe
2008-04-06 15:56:47 8448 --a------ C:\WINDOWS\salm.exe
2008-04-06 15:56:47 32256 --a------ C:\WINDOWS\180ax.exe
2008-04-06 15:56:47 0 d-------- C:\Program Files\180solutions
2008-04-06 15:56:46 8448 --a------ C:\WINDOWS\saiemod.dll
2008-04-06 15:56:46 0 d-------- C:\WINDOWS\FLEOK
2008-04-06 15:56:45 22784 --a------ C:\WINDOWS\system32\MSNSA32.dll
2008-04-06 15:56:45 31744 --a------ C:\WINDOWS\msapasrc.dll
2008-04-06 15:56:44 22016 --a------ C:\WINDOWS\msa64chk.dll
2008-04-06 15:56:43 27136 --a------ C:\WINDOWS\system32\SIPSPI32.dll
2008-04-06 15:56:43 18688 --a------ C:\WINDOWS\system32\shdocpe.dll
2008-04-06 15:56:43 14848 --a------ C:\WINDOWS\system32\ntnut32.exe
2008-04-06 15:56:43 14848 --a------ C:\WINDOWS\shdocpl.dll
2008-04-06 15:56:42 30208 --a------ C:\WINDOWS\shdocpe.dll
2008-04-06 15:56:42 8960 --a------ C:\WINDOWS\ntnut.exe
2008-04-06 15:56:41 32256 --a------ C:\WINDOWS\winsb.dll
2008-04-06 15:56:41 0 d-------- C:\Program Files\Sysmnt
2008-04-06 15:56:40 9728 --a------ C:\WINDOWS\browserad.dll
2008-04-06 15:56:40 13824 --a------ C:\WINDOWS\aviwrap32.dll
2008-04-06 15:56:40 19712 --a------ C:\WINDOWS\avisynthex32.dll
2008-04-06 15:56:39 22016 --a------ C:\WINDOWS\avifile32.dll
2008-04-06 15:56:39 20992 --a------ C:\WINDOWS\autodisc32.dll
2008-04-06 15:56:39 14848 --a------ C:\WINDOWS\audiosrv32.dll
2008-04-06 15:56:39 32512 --a------ C:\WINDOWS\ati2dvag32.dll
2008-04-06 15:56:38 9728 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-04-06 15:56:38 21760 --a------ C:\WINDOWS\athprxy32.dll
2008-04-06 15:56:38 21504 --a------ C:\WINDOWS\asycfilt32.dll
2008-04-06 15:56:37 30976 --a------ C:\WINDOWS\changeurl_30.dll
2008-04-06 15:56:37 16896 --a------ C:\WINDOWS\asferror32.dll
2008-04-06 15:56:37 17664 --a------ C:\WINDOWS\apphelp32.dll
2008-04-06 15:38:56 89664 --a------ C:\WINDOWS\system32\hlcqnfmh.dll
2008-04-06 15:36:39 85056 --a------ C:\WINDOWS\system32\ybukhsnm.dll
2008-04-06 15:36:30 87104 --a------ C:\WINDOWS\system32\wgxggumi.dll
2008-04-06 15:35:50 287369 --ahs---- C:\WINDOWS\system32\QttwDfhk.ini2
2008-04-06 15:35:47 268288 --a------ C:\WINDOWS\system32\khfDwttQ.dll
2008-04-06 15:33:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-06 15:32:07 0 d-------- C:\Documents and Settings\All Users\Application Data\itqrwnef
2008-04-06 15:32:06 114688 --a------ C:\WINDOWS\system32\atstqjmh.exe
2008-04-06 15:32:04 0 d-------- C:\WINDOWS\uprjiefj
2008-04-06 15:32:04 0 d-------- C:\WINDOWS\PerfInfo
2008-04-06 15:32:03 67584 --a------ C:\Documents and Settings\All Users\Application Data\ozyvwdkt.dll
2008-04-06 15:32:02 182784 --a------ C:\WINDOWS\fuhmxgxs.dll
2008-04-06 15:32:01 67584 --a------ C:\WINDOWS\apudyzaz.dll
2008-04-06 15:31:51 0 d-------- C:\WINDOWS\system32\?racle
2008-04-06 15:31:50 0 d-------- C:\Program Files\Bat
2008-04-06 15:31:24 0 d-------- C:\Program Files\QdrModule
2008-04-06 15:31:20 0 d-------- C:\Program Files\QdrDrive
2008-04-06 15:31:16 0 d-------- C:\Program Files\ISM
2008-04-06 15:31:08 37376 --a------ C:\WINDOWS\mrofinu72.exe
2008-04-06 15:31:05 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-04-06 15:30:56 91561 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-04-05 00:29:14 270694 --a------ C:\WINDOWS\system32\000090.exe
2008-04-04 11:26:00 229527 --a------ C:\WINDOWS\system32\000080.exe
2008-03-12 02:28:18 86592 --a------ C:\WINDOWS\system32\vphpexew.dll
2008-03-12 02:25:18 93248 --a------ C:\WINDOWS\system32\tkoskknk.dll
2008-03-12 02:22:17 90688 --a------ C:\WINDOWS\system32\tvhnadjp.dll
2008-03-11 02:27:39 93760 --a------ C:\WINDOWS\system32\lxqmtcao.dll
2008-03-11 02:24:39 87616 --a------ C:\WINDOWS\system32\nfyynelw.dll
2008-03-11 02:21:39 89152 --a------ C:\WINDOWS\system32\xidsmnsm.dll
2008-03-10 02:23:11 91200 --a------ C:\WINDOWS\system32\clifsucm.dll
2008-03-10 02:20:11 89664 --a------ C:\WINDOWS\system32\nsggppwx.dll
2008-03-09 02:26:08 92224 --a------ C:\WINDOWS\system32\uroeukpo.dll
2008-03-09 02:20:08 88640 --a------ C:\WINDOWS\system32\fobanyrp.dll
2008-03-08 02:25:15 87104 --a------ C:\WINDOWS\system32\wdduboqp.dll
2008-03-08 02:22:15 90688 --a------ C:\WINDOWS\system32\fvqfwcyf.dll
2008-03-08 02:19:15 88640 --a------ C:\WINDOWS\system32\wimkuskk.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-08 09:29:10 0 d-------- C:\Program Files\PokerStars.NET
2008-04-08 08:31:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 08:35:42 0 d-------- C:\Documents and Settings\mark everett\Application Data\Adobe
2008-04-07 08:31:51 0 d-------- C:\Program Files\Common Files\?icrosoft
2008-04-06 15:31:10 0 d-------- C:\Program Files\Common Files
2008-03-18 11:41:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 02:20:30 244633 ---hs---- C:\WINDOWS\system32\hkllm.bak2
2008-03-10 02:19:42 240866 ---hs---- C:\WINDOWS\system32\hkllm.bak1
2008-03-07 02:22:09 96320 --a------ C:\WINDOWS\system32\fxxodspc.dll
2008-03-07 02:19:09 92736 --a------ C:\WINDOWS\system32\wbvmaemt.dll
2008-03-06 02:18:27 96832 --a------ C:\WINDOWS\system32\yxcjjyew.dll
2008-03-06 02:17:42 91712 --a------ C:\WINDOWS\system32\yvtuuqhy.dll
2008-03-04 22:14:39 96832 --a------ C:\WINDOWS\system32\nmyrfoyu.dll
2008-03-04 22:11:39 89664 --a------ C:\WINDOWS\system32\jpdvavax.dll
2008-03-04 22:08:38 91712 --a------ C:\WINDOWS\system32\fygvbntr.dll
2008-03-03 22:14:35 95296 --a------ C:\WINDOWS\system32\euatjeiu.dll
2008-03-03 22:08:34 91712 --a------ C:\WINDOWS\system32\qvnaffee.dll
2008-03-02 22:12:23 89664 --a------ C:\WINDOWS\system32\dbrdhykj.dll
2008-03-02 22:09:23 91712 --a------ C:\WINDOWS\system32\yrvxqfen.dll
2008-03-01 22:12:20 89664 --a------ C:\WINDOWS\system32\hpcyjdaf.dll
2008-03-01 22:09:19 91712 --a------ C:\WINDOWS\system32\apfakggp.dll
2008-02-29 22:11:32 84544 --a------ C:\WINDOWS\system32\ldvvnehm.dll
2008-02-29 22:08:39 88640 --a------ C:\WINDOWS\system32\obwjnosj.dll
2008-02-29 22:08:31 91712 --a------ C:\WINDOWS\system32\osfcvmlo.dll
2008-02-28 22:08:35 89664 --a------ C:\WINDOWS\system32\pwvpjepl.dll
2008-02-28 22:08:26 91712 --a------ C:\WINDOWS\system32\nagklfrx.dll
2008-02-27 22:08:24 90176 --a------ C:\WINDOWS\system32\cetnfmsn.dll
2008-02-27 22:05:32 91712 --a------ C:\WINDOWS\system32\tfwakdfc.dll
2008-02-26 22:09:50 89152 --a------ C:\WINDOWS\system32\rlavvcrp.dll
2008-02-26 22:06:48 91712 --a------ C:\WINDOWS\system32\fcxlxbee.dll
2008-02-25 22:09:55 85056 --a------ C:\WINDOWS\system32\thmvbsth.dll
2008-02-25 22:06:54 90688 --a------ C:\WINDOWS\system32\gwhfgyvu.dll
2008-02-24 22:07:01 90176 --a------ C:\WINDOWS\system32\hgotdcua.dll
2008-02-23 22:03:31 89152 --a------ C:\WINDOWS\system32\wljllqre.dll
2008-02-21 16:59:16 88128 --a------ C:\WINDOWS\system32\otrhigrn.dll
2008-02-21 16:56:19 93760 --a------ C:\WINDOWS\system32\fuqjiuaa.dll
2008-02-20 16:56:03 87616 --a------ C:\WINDOWS\system32\eewtdmuh.dll
2008-02-20 16:53:05 94784 --a------ C:\WINDOWS\system32\gtaactpt.dll
2008-02-19 17:00:21 89152 --a------ C:\WINDOWS\system32\sgcbmwkh.dll
2008-02-19 16:57:20 88128 --a------ C:\WINDOWS\system32\djelulrb.dll
2008-02-18 16:55:42 91200 --a------ C:\WINDOWS\system32\rbjohatu.dll
2008-02-18 16:52:42 93248 --a------ C:\WINDOWS\system32\cftqscfp.dll
2008-02-17 16:49:42 97344 --a------ C:\WINDOWS\system32\iqpbuprf.dll
2008-02-16 16:52:22 92736 --a------ C:\WINDOWS\system32\ltqbcsrg.dll
2008-02-15 16:52:53 85568 --a------ C:\WINDOWS\system32\xsmwkdvn.dll
2008-02-15 16:49:53 91712 --a------ C:\WINDOWS\system32\rlaxlpsv.dll
2008-02-14 16:48:53 91200 --a------ C:\WINDOWS\system32\gwpxgpfd.dll
2008-02-14 09:39:07 0 d-------- C:\Program Files\UBNet
2008-02-13 16:48:50 98368 --a------ C:\WINDOWS\system32\kmvobopu.dll
2008-02-12 16:51:29 86080 --a------ C:\WINDOWS\system32\luildlah.dll
2008-02-12 16:48:30 93248 --a------ C:\WINDOWS\system32\apkdpwqe.dll
2008-02-11 16:48:25 93248 --a------ C:\WINDOWS\system32\oibjlhpy.dll
2008-02-10 16:50:30 86080 --a------ C:\WINDOWS\system32\dpksukxm.dll
2008-02-10 16:47:30 93248 --a------ C:\WINDOWS\system32\jhlcbscx.dll
2008-02-09 16:47:42 89664 --a------ C:\WINDOWS\system32\bytpdfnn.dll
2008-02-09 16:47:33 93760 --a------ C:\WINDOWS\system32\nxxjieig.dll
2008-02-09 16:46:26 89664 --a------ C:\WINDOWS\system32\mirxhlru.dll
2008-02-09 16:46:17 93760 --a------ C:\WINDOWS\system32\smxvrxno.dll
2008-02-08 16:42:01 94784 --a------ C:\WINDOWS\system32\gteexowo.dll
2008-02-07 16:44:12 87616 --a------ C:\WINDOWS\system32\eearvsgq.dll
2008-02-06 16:41:09 92224 --a------ C:\WINDOWS\system32\pbkmhutj.dll
2008-02-05 16:41:06 94272 --a------ C:\WINDOWS\system32\wgellrna.dll
2008-02-04 16:41:19 88128 --a------ C:\WINDOWS\system32\fcllxhqd.dll
2008-02-04 16:41:16 93248 --a------ C:\WINDOWS\system32\oxbbmkmv.dll
2008-02-04 09:46:21 93248 --a------ C:\WINDOWS\system32\yxrnxmxh.dll
2008-02-02 16:43:10 88128 --a------ C:\WINDOWS\system32\tjytjmye.dll
2008-02-01 16:40:06 92736 --a------ C:\WINDOWS\system32\bscjthdj.dll
2008-01-31 16:40:01 94784 --a------ C:\WINDOWS\system32\uafeaeoh.dll
2008-01-30 16:40:04 92736 --a------ C:\WINDOWS\system32\celwfkgx.dll
2008-01-29 16:42:54 78912 --a------ C:\WINDOWS\system32\jvqewfeh.dll
2008-01-28 16:44:50 79936 --a------ C:\WINDOWS\system32\yftsvaec.dll
2008-01-27 16:41:48 78912 --a------ C:\WINDOWS\system32\hwufpbye.dll
2008-01-26 16:44:44 78912 --a------ C:\WINDOWS\system32\rgbsafqr.dll
2008-01-25 16:40:41 87104 --a------ C:\WINDOWS\system32\hevnyotx.dll
2008-01-25 16:40:32 81472 --a------ C:\WINDOWS\system32\fiwtjbjj.dll
2008-01-24 16:46:27 87616 --a------ C:\WINDOWS\system32\cfxjlniw.dll
2008-01-24 16:43:27 80448 --a------ C:\WINDOWS\system32\imqrbrfn.dll
2008-01-23 16:40:24 80960 --a------ C:\WINDOWS\system32\vnvvymub.dll
2008-01-22 16:43:19 77376 --a------ C:\WINDOWS\system32\pbmqcxvb.dll
2008-01-21 16:39:25 78912 --a------ C:\WINDOWS\system32\jirdxjxi.dll
2008-01-20 16:39:21 79424 --a------ C:\WINDOWS\system32\ejtxsise.dll
2008-01-19 16:42:18 78400 --a------ C:\WINDOWS\system32\ibnlnoxf.dll
2008-01-18 16:43:43 88128 --a------ C:\WINDOWS\system32\yjdxjxgd.dll
2008-01-18 16:37:43 81984 --a------ C:\WINDOWS\system32\xajuhhec.dll
2008-01-17 16:40:25 86592 --a------ C:\WINDOWS\system32\ubnlnehg.dll
2008-01-17 16:40:21 77376 --a------ C:\WINDOWS\system32\tnulikpv.dll
2008-01-16 16:37:19 76864 --a------ C:\WINDOWS\system32\avpjamft.dll
2008-01-15 16:42:56 89152 --a------ C:\WINDOWS\system32\dhwrsluc.dll
2008-01-15 16:39:55 79936 --a------ C:\WINDOWS\system32\shailahf.dll
2008-01-14 16:44:31 89152 --a------ C:\WINDOWS\system32\expwgths.dll
2008-01-13 16:38:31 79936 --a------ C:\WINDOWS\system32\rroggpkq.dll
2008-01-12 16:38:30 76864 --a------ C:\WINDOWS\system32\hjorgkpg.dll
2008-01-11 16:36:38 76864 --a------ C:\WINDOWS\system32\mypqyfwn.dll
2008-01-08 01:47:56 90176 --a------ C:\WINDOWS\system32\fkdllnhv.dll
2008-01-08 01:41:56 77888 --a------ C:\WINDOWS\system32\vyiwsjci.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08542C85-E1F2-424B-ADA3-02B81B6A8FDD}]
04/06/2008 03:35 PM 268288 --a------ C:\WINDOWS\system32\khfDwttQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [06/10/2004 09:10 PM]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [12/19/2003 12:49 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/13/2004 01:05 AM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 01:01 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 05:00 AM C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/14/2007 12:37 AM]
"lsbxxspA"="C:\WINDOWS\lsbxxspA.exe" []
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [03/06/2007 12:21 PM]
"{64-4F-F0-0A-ZN}"="c:\windows\system32\dwdsrngt.exe" []
"ShareSearcher"="c:\wsusupd.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]
"rkpibcfy"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\rkpibcfy.dll" []
"ozyvwdkt"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\ozyvwdkt.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Upazulsr"="C:\WINDOWS\system32\?ssembly\c?rss.exe" []
"Riqsqgy"="C:\Program Files\Common Files\?icrosoft\w?nlogon.exe" []
"Tair"="C:\WINDOWS\RACLE~1\chkdsk.exe" []
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [04/03/2008 08:53 AM]
"Microsoft Windows Installer"="C:\DOCUME~1\MARKEV~1\LOCALS~1\Temp\ie.exe" []
"lnznvolr"="C:\WINDOWS\system32\atstqjmh.exe" [04/06/2008 03:32 PM]

C:\Documents and Settings\mark everett\Start Menu\Programs\Startup\
Bat - Auto Update.lnk - C:\Program Files\Bat\Bat.exe [4/6/2008 3:31:19 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"OrfHnI9DaH"=C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 12:39 PM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggff]
C:\WINDOWS\system32\hggff.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnmli]
opnnnmli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oppom]
C:\WINDOWS\system32\oppom.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 01/13/2004 03:17 PM 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winyxm32]
winyxm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= c:\windows\system32\ldcore.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfDwttQ

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-04-08 12:47:55 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 2.00GHz
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 1023.23 MiB / 479.91 MiB
Pagefile Memory (total/avail): 2461.36 MiB / 1922.85 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.05 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 43.3 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2060AH - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

AV: Lightspeed Systems Security Agent 6.1 v6.1 (Lightspeed Systems) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\mark everett\\Application Data\\trant.exe"="C:\\Documents and Settings\\mark everett\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\mark everett\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\mark everett\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\National Instruments\\MAX\\NIMax.exe"="C:\\Program Files\\National Instruments\\MAX\\NIMax.exe:*:Enabled:NIMax"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\cjtbrexs.exe"="C:\\WINDOWS\\system32\\cjt"
"C:\\Documents and Settings\\mark everett\\Application Data\\trant.exe"="C:\\Documents and Settings\\mark everett\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\mark everett\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\mark everett\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ijixqmpd.exe"="C:\\WINDOWS\\system32\\iji"
"C:\\WINDOWS\\system32\\tpplkknq.exe"="C:\\WINDOWS\\system32\\tpp"
"C:\\WINDOWS\\system32\\godpwndb.exe"="C:\\WINDOWS\\system32\\god"
"C:\\WINDOWS\\system32\\dewgehxr.exe"="C:\\WINDOWS\\system32\\dew"
"C:\\WINDOWS\\system32\\drrijakk.exe"="C:\\WINDOWS\\system32\\drr"
"C:\\WINDOWS\\system32\\ynoxetar.exe"="C:\\WINDOWS\\system32\\yno"
"C:\\WINDOWS\\system32\\nxsvnyvl.exe"="C:\\WINDOWS\\system32\\nxs"
"C:\\WINDOWS\\system32\\ddktshlw.exe"="C:\\WINDOWS\\system32\\ddk"
"C:\\WINDOWS\\system32\\iuiqftxq.exe"="C:\\WINDOWS\\system32\\iui"
"C:\\WINDOWS\\system32\\qgfapatu.exe"="C:\\WINDOWS\\system32\\qgf"
"C:\\WINDOWS\\system32\\vhlmeatu.exe"="C:\\WINDOWS\\system32\\vhl"
"C:\\WINDOWS\\system32\\mlyquagn.exe"="C:\\WINDOWS\\system32\\mly"
"C:\\WINDOWS\\system32\\wpnrnadj.exe"="C:\\WINDOWS\\system32\\wpn"
"C:\\Inficon\\FabGuardExecutive.exe"="C:\\Inficon\\FabGuardExecutive.exe:*:Enabled:FabGuard"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mark everett\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MEVERETT1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mark everett
LOGONSERVER=\\MEVERETT1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Lightspeed Systems\SecurityAgent\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MARKEV~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MARKEV~1\LOCALS~1\Temp
USERDOMAIN=MEVERETT1
USERNAME=meverett
USERPROFILE=C:\Documents and Settings\mark everett
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

IS Support (admin)
mark everett (admin)
Administrator.HAPSREPAIR (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{B5D8CCBF-08D8-46C0-8B04-3BC0CAEDA094}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bat --> "C:\Program Files\Bat\un_BatSetup_15041.exe"
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Conexant D480 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eFax Messenger 4.3 --> C:\Program Files\eFax Messenger 4.3\Uninstall.exe
eTIMEsheet --> C:\WINDOWS\IsUninst.exe -f"c:\Program Files\e-TIMEsheet\Uninst.isu" -c"c:\Program Files\e-TIMEsheet\_UNODBC.DLL"
FabGuard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{076CA8A5-1258-11D5-B441-0060B0FBB665}\Setup.exe" -l0x9
FabGuardExecutive --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{707801A3-4520-4365-B2F8-2DBC027A2A20}\Setup.exe" -l0x9
Google Video Player --> "C:\Program Files\Google\Google Video Player\Uninstall.exe"
Hardwood Solitaire III Lite --> C:\DOCUME~1\MARKEV~1\LOCALS~1\Temp\sce__0\ -Uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® mDriver --> MsiExec.exe /I{DDD512C6-2251-4046-8F25-1A5EB355015E}
Intel® PROSet for Wireless --> MsiExec.exe /I{5380063E-2909-4d72-BFA3-625881F2E78B}
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lightspeed Systems Security Agent v6.0 --> MsiExec.exe /X{07190788-714A-42D9-8628-C0F0B38826B9}
Lotus Notes 6.5.4 --> MsiExec.exe /I{1AAE3976-3167-4BDF-B785-00E19C6671A3}
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\mark everett\Application Data\Move Networks\ie_bin\Uninst.exe
NI-DAQ 6.9.2 --> C:\PROGRA~1\NATION~1\NI-DAQ\DAQUNI~1.EXE daquninstall.dat /x
NI Measurement & Automation Explorer 2.2.0 --> C:\PROGRA~1\NATION~1\MAX\UNINST~1.EXE Uninstall.txt /x
O2Micro Smartcard Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C5BED10B-42A9-4142-B4C2-008C0FDE27D5} /l1033
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PokerStars.net --> C:\Program Files\PokerStars.NET\Uninstall.EXE /u:"PokerStars.net"
SAP Front End --> "C:\WINDOWS\SAPwksta\setup\sapsetup.exe" /uninstall
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! Plus --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
UBNet --> C:\PROGRA~1\UBNet\UNWISE.EXE C:\PROGRA~1\UBNet\INSTALL.LOG
VNC 4.0 --> "C:\Program Files\RealVNC\VNC4\unins

#4
kahdah (GeekU Teacher; Retired Staff; 15,822 posts)
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5
vegimo (Member; Topic Starter; 17 posts)
ComboFix and new HijackThis logs:

ComboFix 08-04-08.4 - meverett 2008-04-08 13:13:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT -5:00]
Running from: C:\Documents and Settings\mark everett\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\mark everett\Application Data\WinAntiSpyware 2006
C:\Documents and Settings\mark everett\Application Data\WinAntiSpyware 2006\Logs\update.log
C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\icroso~1
C:\Program Files\fnts~1
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\temp\0c2
C:\temp\0c2\tmpFF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tOasF.log
C:\Temp\bkR11
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\BMe3e57c39.xml
C:\WINDOWS\bokja.exe
C:\WINDOWS\Casino.ico
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\crosof~1.net
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files\MyWebEx
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atarm.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atas32.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasanot.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasctrl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasnt40.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atdl2006.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atkbctl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atlchat.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atnetext.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atpack.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\attp.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atwbxui6.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\h264dec.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\h264enc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\ieatgpc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mmssl32.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\msess.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mticket.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mutiltpd.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mvc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwm.ini
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmtrace.txt
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmupd.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\ratrace.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\raurl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\uilibres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\webexmgr.dll
C:\WINDOWS\fnts~1
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\OrfHnI9DaHwp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\racle~1
C:\WINDOWS\racle~1\?racle\
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\afrnhkor.ini
C:\WINDOWS\system32\akgpuyxj.ini
C:\WINDOWS\system32\amqvheck.ini
C:\WINDOWS\system32\avpjamft.dll
C:\WINDOWS\system32\axesrxbm.dll
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B11
C:\WINDOWS\system32\B3
C:\WINDOWS\system32\B5
C:\WINDOWS\system32\B7
C:\WINDOWS\system32\B9
C:\WINDOWS\system32\bcnafxfj.dll
C:\WINDOWS\system32\bnmmuewu.ini
C:\WINDOWS\system32\bqkxkhig.dll
C:\WINDOWS\system32\brlulejd.ini
C:\WINDOWS\system32\bscjthdj.dll
C:\WINDOWS\system32\bytpdfnn.dll
C:\WINDOWS\system32\celwfkgx.dll
C:\WINDOWS\system32\cetnfmsn.dll
C:\WINDOWS\system32\cfxjlniw.dll
C:\WINDOWS\system32\clifsucm.dll
C:\WINDOWS\system32\culsrwhd.ini
C:\WINDOWS\system32\dbrdhykj.dll
C:\WINDOWS\system32\dgxjxdjy.ini
C:\WINDOWS\system32\dhwrsluc.dll
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dirkccxk.dll
C:\WINDOWS\system32\djelulrb.dll
C:\WINDOWS\system32\dpksukxm.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\dqhxllcf.ini
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\dwdywtyf.ini
C:\WINDOWS\system32\eearvsgq.dll
C:\WINDOWS\system32\eewtdmuh.dll
C:\WINDOWS\system32\ejjlaiik.dll
C:\WINDOWS\system32\ejtxsise.dll
C:\WINDOWS\system32\euiklssi.dll
C:\WINDOWS\system32\expwgths.dll
C:\WINDOWS\system32\eymjtyjt.ini
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\fahybnow.ini
C:\WINDOWS\system32\fcllxhqd.dll
C:\WINDOWS\system32\fiwtjbjj.dll
C:\WINDOWS\system32\fkdllnhv.dll
C:\WINDOWS\system32\fobanyrp.dll
C:\WINDOWS\system32\fvqfwcyf.dll
C:\WINDOWS\system32\fytwydwd.dll
C:\WINDOWS\system32\ghenlnbu.ini
C:\WINDOWS\system32\gjcysikv.dll
C:\WINDOWS\system32\gpygfeyo.dll
C:\WINDOWS\system32\grrljrdc.ini
C:\WINDOWS\system32\grrmhavw.ini
C:\WINDOWS\system32\gsemkiwp.dll
C:\WINDOWS\system32\gtaactpt.dll
C:\WINDOWS\system32\gteexowo.dll
C:\WINDOWS\system32\haldliul.ini
C:\WINDOWS\system32\hevnyotx.dll
C:\WINDOWS\system32\hgotdcua.dll
C:\WINDOWS\system32\hgthlcqn.ini
C:\WINDOWS\system32\hjorgkpg.dll
C:\WINDOWS\system32\hkllm.bak1
C:\WINDOWS\system32\hkllm.bak2
C:\WINDOWS\system32\hkllm.ini
C:\WINDOWS\system32\hlcqnfmh.dll
C:\WINDOWS\system32\hpcyjdaf.dll
C:\WINDOWS\system32\hqqgjjsn.dll
C:\WINDOWS\system32\hsrdepgu.ini
C:\WINDOWS\system32\htsbvmht.ini
C:\WINDOWS\system32\humdtwee.ini
C:\WINDOWS\system32\hwufpbye.dll
C:\WINDOWS\system32\ibnlnoxf.dll
C:\WINDOWS\system32\imqrbrfn.dll
C:\WINDOWS\system32\isslkiue.ini
C:\WINDOWS\system32\jfxfancb.ini
C:\WINDOWS\system32\jirdxjxi.dll
C:\WINDOWS\system32\jpdvavax.dll
C:\WINDOWS\system32\jvqewfeh.dll
C:\WINDOWS\system32\khfDwttQ.dll
C:\WINDOWS\system32\kiialjje.ini
C:\WINDOWS\system32\ktvucgjl.ini
C:\WINDOWS\system32\kxcckrid.ini
C:\WINDOWS\system32\ldhtevtu.ini
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\ldvvnehm.dll
C:\WINDOWS\system32\ljgcuvtk.dll
C:\WINDOWS\system32\ltqbcsrg.dll
C:\WINDOWS\system32\luildlah.dll
C:\WINDOWS\system32\lxqmtcao.dll
C:\WINDOWS\system32\mbxrsexa.ini
C:\WINDOWS\system32\mhenvvdl.ini
C:\WINDOWS\system32\mhvxrdou.dll
C:\WINDOWS\system32\mirxhlru.dll
C:\WINDOWS\system32\mnshkuby.ini
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\mxkuskpd.ini
C:\WINDOWS\system32\myguftfw.ini
C:\WINDOWS\system32\mypqyfwn.dll
C:\WINDOWS\system32\nbqorqxp.dll
C:\WINDOWS\system32\nbucsygs.ini
C:\WINDOWS\system32\nfyynelw.dll
C:\WINDOWS\system32\nknxeyxp.dll
C:\WINDOWS\system32\nmyywfaa.ini
C:\WINDOWS\system32\nnfdptyb.ini
C:\WINDOWS\system32\npsdfsto.ini
C:\WINDOWS\system32\nqclhtgh.dll
C:\WINDOWS\system32\nrgihrto.ini
C:\WINDOWS\system32\nsagpass.dll
C:\WINDOWS\system32\nsggppwx.dll
C:\WINDOWS\system32\nvdkwmsx.ini
C:\WINDOWS\system32\nwvgwxfo.ini
C:\WINDOWS\system32\obwjnosj.dll
C:\WINDOWS\system32\otrhigrn.dll
C:\WINDOWS\system32\otsfdspn.dll
C:\WINDOWS\system32\oyefgypg.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pbmqcxvb.dll
C:\WINDOWS\system32\plvtxnsk.dll
C:\WINDOWS\system32\pqobuddw.ini
C:\WINDOWS\system32\pwikmesg.ini
C:\WINDOWS\system32\pwvpjepl.dll
C:\WINDOWS\system32\pxqroqbn.ini
C:\WINDOWS\system32\pxyexnkn.ini
C:\WINDOWS\system32\qgsvraee.ini
C:\WINDOWS\system32\qkqqyqav.ini
C:\WINDOWS\system32\QttwDfhk.ini
C:\WINDOWS\system32\QttwDfhk.ini2
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\rgbsafqr.dll
C:\WINDOWS\system32\rlavvcrp.dll
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\rokhnrfa.dll
C:\WINDOWS\system32\rroggpkq.dll
C:\WINDOWS\system32\sgcbmwkh.dll
C:\WINDOWS\system32\sgehqxrw.ini
C:\WINDOWS\system32\shailahf.dll
C:\WINDOWS\system32\shtgwpxe.ini
C:\WINDOWS\system32\ssapgasn.ini
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sxvrhmci.ini
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\tgpysyyy.dll
C:\WINDOWS\system32\thjrhqoy.dll
C:\WINDOWS\system32\thlvabwf.ini
C:\WINDOWS\system32\thmvbsth.dll
C:\WINDOWS\system32\tjytjmye.dll
C:\WINDOWS\system32\tkoskknk.dll
C:\WINDOWS\system32\tnulikpv.dll
C:\WINDOWS\system32\tvhnadjp.dll
C:\WINDOWS\system32\uafeaeoh.dll
C:\WINDOWS\system32\ubnlnehg.dll
C:\WINDOWS\system32\uckchqbq.dll
C:\WINDOWS\system32\uodrxvhm.ini
C:\WINDOWS\system32\urlhxrim.ini
C:\WINDOWS\system32\uroeukpo.dll
C:\WINDOWS\system32\usrrjjwn.ini
C:\WINDOWS\system32\utahojbr.ini
C:\WINDOWS\system32\utvethdl.dll
C:\WINDOWS\system32\vaqyqqkq.dll
C:\WINDOWS\system32\vhnlldkf.ini
C:\WINDOWS\system32\vkisycjg.ini
C:\WINDOWS\system32\vnvvymub.dll
C:\WINDOWS\system32\vphpexew.dll
C:\WINDOWS\system32\vyiwsjci.dll
C:\WINDOWS\system32\wbvmaemt.dll
C:\WINDOWS\system32\wdduboqp.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wexephpv.ini
C:\WINDOWS\system32\wftfugym.dll
C:\WINDOWS\system32\wgxggumi.dll
C:\WINDOWS\system32\wimkuskk.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\winljxfc.ini
C:\WINDOWS\system32\wlenyyfn.ini
C:\WINDOWS\system32\wljllqre.dll
C:\WINDOWS\system32\wonbyhaf.dll
C:\WINDOWS\system32\wtsumkgq.dll
C:\WINDOWS\system32\wvahmrrg.dll
C:\WINDOWS\system32\xajuhhec.dll
C:\WINDOWS\system32\xavavdpj.ini
C:\WINDOWS\system32\xidsmnsm.dll
C:\WINDOWS\system32\xsmwkdvn.dll
C:\WINDOWS\system32\xtoynveh.ini
C:\WINDOWS\system32\xutospeo.ini
C:\WINDOWS\system32\ybukhsnm.dll
C:\WINDOWS\system32\yftsvaec.dll
C:\WINDOWS\system32\yjdxjxgd.dll
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\wr.txt

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_DOMAINSERVICE
-------\Legacy_FOPN
-------\Legacy_NET_AGENT
-------\Service_ApiMon
-------\Service_core
-------\Service_Net Agent


((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 13:28 . 2008-04-08 13:28 94,208 --a------ C:\WINDOWS\system32\hmxsfwtu.exe
2008-04-08 13:22 . 2008-04-08 13:25 <DIR> d-------- C:\Program Files\zango
2008-04-08 13:22 . 2008-04-08 13:28 <DIR> d-------- C:\Program Files\stc
2008-04-08 13:22 . 2008-04-08 13:25 <DIR> d-------- C:\Program Files\seekmo
2008-04-08 13:22 . 2008-04-08 13:28 <DIR> d-------- C:\Program Files\180searchassistant
2008-04-08 13:22 . 2008-04-08 13:28 <DIR> d-------- C:\Program Files\180search assistant
2008-04-08 13:21 . 2008-04-08 13:28 <DIR> d-------- C:\Program Files\Sysmnt
2008-04-08 13:21 . 2008-04-08 13:28 <DIR> d-------- C:\Program Files\180solutions
2008-04-08 12:44 . 2008-04-08 12:44 <DIR> d-------- C:\Deckard
2008-04-08 08:48 . 2008-04-08 08:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 08:34 . 2008-04-08 08:35 <DIR> d-------- C:\Program Files\Panda Security
2008-04-07 10:55 . 2008-04-07 10:55 77,383 --a------ C:\WINDOWS\system32\atasnt40.dll
2008-04-06 15:33 . 2008-04-06 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-06 15:32 . 2008-04-06 15:32 <DIR> d-------- C:\WINDOWS\uprjiefj
2008-04-06 15:32 . 2008-04-06 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\itqrwnef
2008-04-06 15:32 . 2008-04-06 15:32 182,784 --a------ C:\WINDOWS\fuhmxgxs.dll
2008-04-06 15:32 . 2008-04-06 15:32 114,688 --a------ C:\WINDOWS\system32\atstqjmh.exe
2008-04-06 15:32 . 2008-04-06 15:32 67,584 --a------ C:\WINDOWS\apudyzaz.dll
2008-04-06 15:32 . 2008-04-06 15:32 67,584 --a------ C:\Documents and Settings\All Users\Application Data\ozyvwdkt.dll
2008-04-06 15:31 . 2008-04-06 15:34 <DIR> d-------- C:\Program Files\Bat
2008-04-06 15:31 . 2008-04-06 15:31 37,376 --a------ C:\WINDOWS\mrofinu72.exe
2008-04-06 15:30 . 2008-04-06 15:30 91,561 --a------ C:\WINDOWS\system32\wmsdkns.exe
2008-04-06 15:30 . 2008-04-06 15:30 396 --a------ C:\WINDOWS\system32\L6B26.tmp
2008-04-06 15:30 . 2008-04-06 15:30 396 --a------ C:\WINDOWS\system32\L69B3.tmp
2008-04-06 15:30 . 2008-04-06 15:30 396 --a------ C:\WINDOWS\system32\L68A5.tmp
2008-04-06 15:30 . 2008-04-06 15:30 396 --a------ C:\WINDOWS\system32\L64E3.tmp
2008-03-18 11:46 . 2008-03-18 11:46 0 --a------ C:\WINDOWS\FabGuardExecutive.INI
2008-03-10 02:26 . 2008-03-10 16:34 1,318,445 ---hs---- C:\WINDOWS\system32\seqdenkd.ini
2008-03-09 02:23 . 2008-03-10 02:23 1,318,193 ---hs---- C:\WINDOWS\system32\ikvobusb.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 18:22 9,472 ----a-w C:\WINDOWS\swin32.dll
2008-04-08 18:22 30,208 ----a-w C:\WINDOWS\cdsm32.dll
2008-04-08 18:22 26,880 ----a-w C:\WINDOWS\bjam.dll
2008-04-08 18:22 26,112 ----a-w C:\WINDOWS\mssvr.exe
2008-04-08 18:22 24,320 ----a-w C:\WINDOWS\mspphe.dll
2008-04-08 18:22 22,528 ----a-w C:\WINDOWS\salm.exe
2008-04-08 18:22 20,736 ----a-w C:\WINDOWS\180ax.exe
2008-04-08 18:22 18,176 ----a-w C:\WINDOWS\2020search2.dll
2008-04-08 18:22 16,896 ----a-w C:\WINDOWS\2020search.dll
2008-04-08 18:22 15,104 ----a-w C:\WINDOWS\voiceip.dll
2008-04-08 18:21 24,320 ----a-w C:\WINDOWS\updatetc.exe
2008-04-08 18:21 16,128 ----a-w C:\WINDOWS\saiemod.dll
2008-04-08 14:29 --------- d-----w C:\Program Files\PokerStars.NET
2008-04-08 13:35 8,705,686 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity
2008-04-08 13:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 15:06 8,704,774 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak3
2008-03-24 15:06 23,040 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent1.sys
2008-03-24 15:06 113,152 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent2.sys
2008-03-20 14:09 8,704,280 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak2
2008-03-18 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 14:39 --------- d-----w C:\Program Files\UBNet
2008-02-13 19:14 23,200 ----a-w C:\WINDOWS\system32\drivers\FileID.idx
2008-02-13 19:14 14,070,906 ----a-w C:\WINDOWS\system32\drivers\FileID.dat
2008-02-13 19:14 1,825,471 ----a-w C:\WINDOWS\system32\drivers\FileID.def
2008-02-13 19:13 37,388,889 ----a-w C:\WINDOWS\system32\drivers\VirusSignatures
2008-02-13 19:12 8,701,658 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak1
2007-11-12 15:37 123 ----a-w C:\Documents and Settings\mark everett\mit.bat
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
2007-08-22 09:06 1,590,470 --sh--w C:\WINDOWS\system32\ffggh.bak1
2007-08-23 09:06 1,597,256 --sh--w C:\WINDOWS\system32\ffggh.bak2
2007-08-18 23:24 6,473 --sh--w C:\WINDOWS\system32\moppo.bak1
2007-07-24 09:46 6,471 --sh--w C:\WINDOWS\system32\suwvw.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Upazulsr"="C:\WINDOWS\system32\?ssembly\c?rss.exe" [ ]
"Riqsqgy"="C:\Program Files\Common Files\?icrosoft\w?nlogon.exe" [ ]
"Tair"="C:\WINDOWS\RACLE~1\chkdsk.exe" [ ]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"lnznvolr"="C:\WINDOWS\system32\atstqjmh.exe" [2008-04-06 15:32 114688]
"nafnssxs"="C:\WINDOWS\system32\hmxsfwtu.exe" [2008-04-08 13:28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10 339968]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 12:49 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-14 00:37 282624]
"lsbxxspA"="C:\WINDOWS\lsbxxspA.exe" [ ]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
"{64-4F-F0-0A-ZN}"="c:\windows\system32\dwdsrngt.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"OrfHnI9DaH"= C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 12:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggff]
C:\WINDOWS\system32\hggff.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnmli]
opnnnmli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oppom]
C:\WINDOWS\system32\oppom.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004-01-13 15:17 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winyxm32]
winyxm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\National Instruments\\MAX\\NIMax.exe"=
"%windir%\\system32\\winav.exe"=
"C:\\Inficon\\FabGuardExecutive.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1305:TCP"= 1305:TCP:Lightspeed Security Agent (TCP)
"1305:UDP"= 1305:UDP:Lightspeed Security Agent (UDP)

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\NIPALK.sys [2002-01-07 21:01]
R1 IpmSecurityAgent1;Security Agent Filter Driver;C:\WINDOWS\system32\drivers\IpmSecurityAgent1.sys [2008-03-24 10:06]
R1 IpmSecurityAgent2;Security Agent Driver;C:\WINDOWS\system32\drivers\IpmSecurityAgent2.sys [2008-03-24 10:06]
R2 IpmSecurityAgentService;Security Agent Service;C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe [2008-03-11 16:34]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2002-01-28 13:59]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2002-01-28 13:59]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2002-01-28 15:40]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2002-01-28 15:41]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2002-01-28 14:02]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2002-01-28 14:04]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 20:58]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 13:28:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\Update.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SAAlert.exe
.
**************************************************************************
.
Completion time: 2008-04-08 13:31:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-08 18:31:38
Pre-Run: 46,431,014,912 bytes free
Post-Run: 46,350,753,792 bytes free
.
2008-03-12 18:06:08 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:12 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\WINDOWS\system32\hmxsfwtu.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bat\X_Bat.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SAAlert.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.freescale.net:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; *.freescale.net; *.freescale.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lsbxxspA] C:\WINDOWS\lsbxxspA.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [{64-4F-F0-0A-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Upazulsr] C:\WINDOWS\system32\?ssembly\c?rss.exe
O4 - HKCU\..\Run: [Riqsqgy] "C:\Program Files\Common Files\?icrosoft\w?nlogon.exe"
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\RACLE~1\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [lnznvolr] C:\WINDOWS\system32\atstqjmh.exe
O4 - HKCU\..\Run: [nafnssxs] C:\WINDOWS\system32\hmxsfwtu.exe
O4 - HKLM\..\Policies\Explorer\Run: [OrfHnI9DaH] C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {032B436A-1BA6-47D9-B183-A0E013C94A25} (FgIoOcx Control) - http://172.18.2.66/F...Dll/FgIoOcx.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.87.cab
O16 - DPF: {3A2BF2DC-FDE5-4026-99B4-60F2999137AD} (FgConfigExecOcx Control) - http://172.18.2.66/F...nfigExecOcx.cab
O16 - DPF: {3AED1953-E7E9-418F-888C-7B497E038B77} (FgViewOcx Control) - http://172.18.2.66/F...l/FgViewOcx.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {5FF6BD84-D9FA-497E-BD43-FAA0DE338754} (FgStartupOcx Control) - http://172.18.2.66/F...gStartupOcx.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.68.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn...s/heartbeat.cab
O16 - DPF: {921DB7E5-1292-460F-AA99-217245A44330} (FgRawOcx Control) - http://172.18.2.66/F...ll/FgRawOcx.cab
O16 - DPF: {94279BAD-0B3C-4747-8869-8FBF27A675F8} (FgRecipeOcx Control) - http://172.18.2.66/F...FgRecipeOcx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/...he.cab55579.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {A97CF130-1C5E-4E07-A3FF-14BBE848DAC9} (FgAlarmOcx Control) - http://172.18.8.23/F.../FgAlarmOcx.cab
O16 - DPF: {B84BBE57-87E8-4335-8FD0-4B45A50E055E} (FgDbReportOcx Control) - http://172.18.2.66/F...DbReportOcx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn...6/heartbeat.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab42858.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.98.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex....eck/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hggff - C:\WINDOWS\system32\hggff.dll (file missing)
O20 - Winlogon Notify: opnnnmli - opnnnmli.dll (file missing)
O20 - Winlogon Notify: oppom - C:\WINDOWS\system32\oppom.dll (file missing)
O20 - Winlogon Notify: winyxm32 - winyxm32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Security Agent Service (IpmSecurityAgentService) - Lightspeed Systems - C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11650 bytes
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#7
vegimo

vegimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\atstqjmh.exe
C:\WINDOWS\system32\hmxsfwtu.exe
C:\WINDOWS\system32\hmxsfwtu.exe
C:\WINDOWS\system32\atasnt40.dll
C:\WINDOWS\fuhmxgxs.dll
C:\WINDOWS\system32\atstqjmh.exe
C:\WINDOWS\apudyzaz.dll
C:\Documents and Settings\All Users\Application Data\ozyvwdkt.dll
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\L6B26.tmp
C:\WINDOWS\system32\L69B3.tmp
C:\WINDOWS\system32\L68A5.tmp
C:\WINDOWS\system32\L64E3.tmp
C:\WINDOWS\system32\seqdenkd.ini
C:\WINDOWS\system32\ikvobusb.ini
C:\WINDOWS\swin32.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search2.dll
C:\WINDOWS\2020search.dll
C:\WINDOWS\voiceip.dll
C:\WINDOWS\updatetc.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\system32\ffggh.bak1
C:\WINDOWS\system32\ffggh.bak2
C:\WINDOWS\system32\moppo.bak1
C:\WINDOWS\system32\suwvw.bak1
C:\WINDOWS\system32\hggff.dll
C:\WINDOWS\lsbxxspA.exe
c:\windows\system32\dwdsrngt.exe 
Folder::
C:\Program Files\zango
C:\Program Files\stc
C:\Program Files\seekmo
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\Program Files\Sysmnt
C:\Program Files\180solutions
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\uprjiefj
C:\Documents and Settings\All Users\Application Data\itqrwnef
C:\Program Files\Bat
C:\Program Files\QdrModule
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Upazulsr"=-
"Riqsqgy"=-
"Tair"=-
"QdrModule15"=-
"lnznvolr"=-
"nafnssxs"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lsbxxspA"=-
"{64-4F-F0-0A-ZN}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"OrfHnI9DaH"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggff]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\winav.exe"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#9
vegimo

vegimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
ComboFix 08-04-08.4 - meverett 2008-04-08 21:55:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.693 [GMT -5:00]
Running from: C:\Documents and Settings\mark everett\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mark everett\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\ozyvwdkt.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apudyzaz.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\fuhmxgxs.dll
C:\WINDOWS\lsbxxspA.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\atasnt40.dll
C:\WINDOWS\system32\atstqjmh.exe
c:\windows\system32\dwdsrngt.exe
C:\WINDOWS\system32\ffggh.bak1
C:\WINDOWS\system32\ffggh.bak2
C:\WINDOWS\system32\hggff.dll
C:\WINDOWS\system32\hmxsfwtu.exe
C:\WINDOWS\system32\ikvobusb.ini
C:\WINDOWS\system32\L64E3.tmp
C:\WINDOWS\system32\L68A5.tmp
C:\WINDOWS\system32\L69B3.tmp
C:\WINDOWS\system32\L6B26.tmp
C:\WINDOWS\system32\moppo.bak1
C:\WINDOWS\system32\seqdenkd.ini
C:\WINDOWS\system32\suwvw.bak1
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\itqrwnef
C:\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe
C:\Documents and Settings\All Users\Application Data\ozyvwdkt.dll
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\mark everett\err.log
C:\Program Files\180search assistant
C:\Program Files\180searchassistant
C:\Program Files\180solutions
C:\Program Files\Bat
C:\Program Files\Bat\Bat.dll
C:\Program Files\Bat\Bat.dll.intermediate.manifest
C:\Program Files\Bat\Bat.exe
C:\Program Files\Bat\Bat.info
C:\Program Files\Bat\Bat.original
C:\Program Files\Bat\Info.dll
C:\Program Files\Bat\un_BatSetup_15041.exe
C:\Program Files\Bat\un_BatSetup_15041.txt
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Bat\X_Bat.log
C:\Program Files\seekmo
C:\Program Files\stc
C:\Program Files\Sysmnt
C:\Program Files\zango
C:\WINDOWS\apudyzaz.dll
C:\WINDOWS\fuhmxgxs.dll
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\atasnt40.dll
C:\WINDOWS\system32\atstqjmh.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ffggh.bak1
C:\WINDOWS\system32\ffggh.bak2
C:\WINDOWS\system32\hmxsfwtu.exe
C:\WINDOWS\system32\ikvobusb.ini
C:\WINDOWS\system32\L64E3.tmp
C:\WINDOWS\system32\L68A5.tmp
C:\WINDOWS\system32\L69B3.tmp
C:\WINDOWS\system32\L6B26.tmp
C:\WINDOWS\system32\moppo.bak1
C:\WINDOWS\system32\seqdenkd.ini
C:\WINDOWS\system32\suwvw.bak1
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\uprjiefj
C:\WINDOWS\uprjiefj\1.png
C:\WINDOWS\uprjiefj\2.png
C:\WINDOWS\uprjiefj\3.png
C:\WINDOWS\uprjiefj\4.png
C:\WINDOWS\uprjiefj\5.png
C:\WINDOWS\uprjiefj\6.png
C:\WINDOWS\uprjiefj\7.png
C:\WINDOWS\uprjiefj\8.png
C:\WINDOWS\uprjiefj\9.png
C:\WINDOWS\uprjiefj\bottom-rc.gif
C:\WINDOWS\uprjiefj\config.png
C:\WINDOWS\uprjiefj\content.png
C:\WINDOWS\uprjiefj\download.gif
C:\WINDOWS\uprjiefj\frame-bg.gif
C:\WINDOWS\uprjiefj\frame-bottom-left.gif
C:\WINDOWS\uprjiefj\frame-h1bg.gif
C:\WINDOWS\uprjiefj\head.png
C:\WINDOWS\uprjiefj\icon.png
C:\WINDOWS\uprjiefj\indexwp.html
C:\WINDOWS\uprjiefj\main.css
C:\WINDOWS\uprjiefj\memory-prots.png
C:\WINDOWS\uprjiefj\net.png
C:\WINDOWS\uprjiefj\pc-mag.gif
C:\WINDOWS\uprjiefj\pc.gif
C:\WINDOWS\uprjiefj\poloska1.png
C:\WINDOWS\uprjiefj\poloska2.png
C:\WINDOWS\uprjiefj\poloska3.png
C:\WINDOWS\uprjiefj\promowp1.html
C:\WINDOWS\uprjiefj\promowp2.html
C:\WINDOWS\uprjiefj\promowp3.html
C:\WINDOWS\uprjiefj\promowp4.html
C:\WINDOWS\uprjiefj\promowp5.html
C:\WINDOWS\uprjiefj\reg.png
C:\WINDOWS\uprjiefj\repair.png
C:\WINDOWS\uprjiefj\scr-1.png
C:\WINDOWS\uprjiefj\scr-2.png
C:\WINDOWS\uprjiefj\start.png
C:\WINDOWS\uprjiefj\styles.css
C:\WINDOWS\uprjiefj\Thumbs.db
C:\WINDOWS\uprjiefj\top-rc.gif
C:\WINDOWS\uprjiefj\vline.gif
C:\WINDOWS\uprjiefj\wp.png

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 15:40 . 2008-04-08 15:40 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-08 12:44 . 2008-04-08 12:44 <DIR> d-------- C:\Deckard
2008-04-08 08:48 . 2008-04-08 08:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 08:34 . 2008-04-08 08:35 <DIR> d-------- C:\Program Files\Panda Security
2008-03-18 11:46 . 2008-03-18 11:46 0 --a------ C:\WINDOWS\FabGuardExecutive.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 14:29 --------- d-----w C:\Program Files\PokerStars.NET
2008-04-08 13:35 8,705,686 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity
2008-04-08 13:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 15:06 8,704,774 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak3
2008-03-24 15:06 23,040 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent1.sys
2008-03-24 15:06 113,152 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent2.sys
2008-03-20 14:09 8,704,280 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak2
2008-03-18 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-07 07:22 96,320 ----a-w C:\WINDOWS\system32\fxxodspc.dll
2008-03-06 07:18 96,832 ----a-w C:\WINDOWS\system32\yxcjjyew.dll
2008-03-06 07:17 91,712 ----a-w C:\WINDOWS\system32\yvtuuqhy.dll
2008-03-05 03:14 96,832 ----a-w C:\WINDOWS\system32\nmyrfoyu.dll
2008-03-05 03:08 91,712 ----a-w C:\WINDOWS\system32\fygvbntr.dll
2008-03-04 03:14 95,296 ----a-w C:\WINDOWS\system32\euatjeiu.dll
2008-03-04 03:08 91,712 ----a-w C:\WINDOWS\system32\qvnaffee.dll
2008-03-03 03:09 91,712 ----a-w C:\WINDOWS\system32\yrvxqfen.dll
2008-03-02 03:09 91,712 ----a-w C:\WINDOWS\system32\apfakggp.dll
2008-03-01 03:08 91,712 ----a-w C:\WINDOWS\system32\osfcvmlo.dll
2008-02-29 03:08 91,712 ----a-w C:\WINDOWS\system32\nagklfrx.dll
2008-02-28 03:05 91,712 ----a-w C:\WINDOWS\system32\tfwakdfc.dll
2008-02-27 03:06 91,712 ----a-w C:\WINDOWS\system32\fcxlxbee.dll
2008-02-26 03:06 90,688 ----a-w C:\WINDOWS\system32\gwhfgyvu.dll
2008-02-21 21:56 93,760 ----a-w C:\WINDOWS\system32\fuqjiuaa.dll
2008-02-18 21:55 91,200 ----a-w C:\WINDOWS\system32\rbjohatu.dll
2008-02-18 21:52 93,248 ----a-w C:\WINDOWS\system32\cftqscfp.dll
2008-02-17 21:49 97,344 ----a-w C:\WINDOWS\system32\iqpbuprf.dll
2008-02-15 21:49 91,712 ----a-w C:\WINDOWS\system32\rlaxlpsv.dll
2008-02-14 21:48 91,200 ----a-w C:\WINDOWS\system32\gwpxgpfd.dll
2008-02-14 14:39 --------- d-----w C:\Program Files\UBNet
2008-02-13 21:48 98,368 ----a-w C:\WINDOWS\system32\kmvobopu.dll
2008-02-13 19:14 23,200 ----a-w C:\WINDOWS\system32\drivers\FileID.idx
2008-02-13 19:14 14,070,906 ----a-w C:\WINDOWS\system32\drivers\FileID.dat
2008-02-13 19:14 1,825,471 ----a-w C:\WINDOWS\system32\drivers\FileID.def
2008-02-13 19:13 37,388,889 ----a-w C:\WINDOWS\system32\drivers\VirusSignatures
2008-02-13 19:12 8,701,658 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak1
2008-02-12 21:48 93,248 ----a-w C:\WINDOWS\system32\apkdpwqe.dll
2008-02-11 21:48 93,248 ----a-w C:\WINDOWS\system32\oibjlhpy.dll
2008-02-10 21:47 93,248 ----a-w C:\WINDOWS\system32\jhlcbscx.dll
2008-02-09 21:47 93,760 ----a-w C:\WINDOWS\system32\nxxjieig.dll
2008-02-09 21:46 93,760 ----a-w C:\WINDOWS\system32\smxvrxno.dll
2008-02-06 21:41 92,224 ----a-w C:\WINDOWS\system32\pbkmhutj.dll
2008-02-05 21:41 94,272 ----a-w C:\WINDOWS\system32\wgellrna.dll
2008-02-04 21:41 93,248 ----a-w C:\WINDOWS\system32\oxbbmkmv.dll
2008-02-04 14:46 93,248 ----a-w C:\WINDOWS\system32\yxrnxmxh.dll
2007-11-12 15:37 123 ----a-w C:\Documents and Settings\mark everett\mit.bat
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-04-08_13.31.11.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-20 21:04:32 1,523,536 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2008-04-06 21:39:48 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-04-08 20:40:32 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10 339968]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 12:49 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-14 00:37 282624]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 12:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnmli]
opnnnmli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oppom]
C:\WINDOWS\system32\oppom.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004-01-13 15:17 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winyxm32]
winyxm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\National Instruments\\MAX\\NIMax.exe"=
"C:\\Inficon\\FabGuardExecutive.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1305:TCP"= 1305:TCP:Lightspeed Security Agent (TCP)
"1305:UDP"= 1305:UDP:Lightspeed Security Agent (UDP)

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\NIPALK.sys [2002-01-07 21:01]
R1 IpmSecurityAgent1;Security Agent Filter Driver;C:\WINDOWS\system32\drivers\IpmSecurityAgent1.sys [2008-03-24 10:06]
R1 IpmSecurityAgent2;Security Agent Driver;C:\WINDOWS\system32\drivers\IpmSecurityAgent2.sys [2008-03-24 10:06]
R2 IpmSecurityAgentService;Security Agent Service;C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe [2008-03-11 16:34]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2002-01-28 13:59]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2002-01-28 13:59]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2002-01-28 15:40]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2002-01-28 15:41]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2002-01-28 14:02]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2002-01-28 14:04]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 20:58]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 21:57:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-04-08 21:58:20
ComboFix-quarantined-files.txt 2008-04-09 02:57:52
ComboFix2.txt 2008-04-08 18:31:47
Pre-Run: 46,299,406,336 bytes free
Post-Run: 46,285,467,648 bytes free
.
2008-03-12 18:06:08 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:37 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SAAlert.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.freescale.net:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; *.freescale.net; *.freescale.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {032B436A-1BA6-47D9-B183-A0E013C94A25} (FgIoOcx Control) - http://172.18.2.66/F...Dll/FgIoOcx.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.87.cab
O16 - DPF: {3A2BF2DC-FDE5-4026-99B4-60F2999137AD} (FgConfigExecOcx Control) - http://172.18.2.66/F...nfigExecOcx.cab
O16 - DPF: {3AED1953-E7E9-418F-888C-7B497E038B77} (FgViewOcx Control) - http://172.18.2.66/F...l/FgViewOcx.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {5FF6BD84-D9FA-497E-BD43-FAA0DE338754} (FgStartupOcx Control) - http://172.18.2.66/F...gStartupOcx.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.68.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn...s/heartbeat.cab
O16 - DPF: {921DB7E5-1292-460F-AA99-217245A44330} (FgRawOcx Control) - http://172.18.2.66/F...ll/FgRawOcx.cab
O16 - DPF: {94279BAD-0B3C-4747-8869-8FBF27A675F8} (FgRecipeOcx Control) - http://172.18.2.66/F...FgRecipeOcx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/...he.cab55579.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {A97CF130-1C5E-4E07-A3FF-14BBE848DAC9} (FgAlarmOcx Control) - http://172.18.8.23/F.../FgAlarmOcx.cab
O16 - DPF: {B84BBE57-87E8-4335-8FD0-4B45A50E055E} (FgDbReportOcx Control) - http://172.18.2.66/F...DbReportOcx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn...6/heartbeat.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab42858.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.98.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex....eck/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: opnnnmli - opnnnmli.dll (file missing)
O20 - Winlogon Notify: oppom - C:\WINDOWS\system32\oppom.dll (file missing)
O20 - Winlogon Notify: winyxm32 - winyxm32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Security Agent Service (IpmSecurityAgentService) - Lightspeed Systems - C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10578 bytes

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
For some reason the Recovery Console did not install. Can you retry it, please?

Edited by kahdah, 09 April 2008 - 03:28 AM.
spelling

#11
vegimo

    Member

  • Topic Starter
  • 17 posts
Sure thing -
New cf-rc:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


New ComboFix:

ComboFix 08-04-08.4 - meverett 2008-04-09 7:25:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.686 [GMT -5:00]
Running from: C:\Documents and Settings\mark everett\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mark everett\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\All Users\Application Data\ozyvwdkt.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apudyzaz.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\fuhmxgxs.dll
C:\WINDOWS\lsbxxspA.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\atasnt40.dll
C:\WINDOWS\system32\atstqjmh.exe
c:\windows\system32\dwdsrngt.exe
C:\WINDOWS\system32\ffggh.bak1
C:\WINDOWS\system32\ffggh.bak2
C:\WINDOWS\system32\hggff.dll
C:\WINDOWS\system32\hmxsfwtu.exe
C:\WINDOWS\system32\ikvobusb.ini
C:\WINDOWS\system32\L64E3.tmp
C:\WINDOWS\system32\L68A5.tmp
C:\WINDOWS\system32\L69B3.tmp
C:\WINDOWS\system32\L6B26.tmp
C:\WINDOWS\system32\moppo.bak1
C:\WINDOWS\system32\seqdenkd.ini
C:\WINDOWS\system32\suwvw.bak1
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 15:40 . 2008-04-09 04:40 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-08 12:44 . 2008-04-08 12:44 <DIR> d-------- C:\Deckard
2008-04-08 08:48 . 2008-04-08 08:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 08:34 . 2008-04-08 08:35 <DIR> d-------- C:\Program Files\Panda Security
2008-03-18 11:46 . 2008-03-18 11:46 0 --a------ C:\WINDOWS\FabGuardExecutive.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 14:29 --------- d-----w C:\Program Files\PokerStars.NET
2008-04-08 13:35 8,705,686 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity
2008-04-08 13:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 15:06 8,704,774 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak3
2008-03-24 15:06 23,040 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent1.sys
2008-03-24 15:06 113,152 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent2.sys
2008-03-20 14:09 8,704,280 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak2
2008-03-18 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-07 07:22 96,320 ----a-w C:\WINDOWS\system32\fxxodspc.dll
2008-03-06 07:18 96,832 ----a-w C:\WINDOWS\system32\yxcjjyew.dll
2008-03-06 07:17 91,712 ----a-w C:\WINDOWS\system32\yvtuuqhy.dll
2008-03-05 03:14 96,832 ----a-w C:\WINDOWS\system32\nmyrfoyu.dll
2008-03-05 03:08 91,712 ----a-w C:\WINDOWS\system32\fygvbntr.dll
2008-03-04 03:14 95,296 ----a-w C:\WINDOWS\system32\euatjeiu.dll
2008-03-04 03:08 91,712 ----a-w C:\WINDOWS\system32\qvnaffee.dll
2008-03-03 03:09 91,712 ----a-w C:\WINDOWS\system32\yrvxqfen.dll
2008-03-02 03:09 91,712 ----a-w C:\WINDOWS\system32\apfakggp.dll
2008-03-01 03:08 91,712 ----a-w C:\WINDOWS\system32\osfcvmlo.dll
2008-02-29 03:08 91,712 ----a-w C:\WINDOWS\system32\nagklfrx.dll
2008-02-28 03:05 91,712 ----a-w C:\WINDOWS\system32\tfwakdfc.dll
2008-02-27 03:06 91,712 ----a-w C:\WINDOWS\system32\fcxlxbee.dll
2008-02-26 03:06 90,688 ----a-w C:\WINDOWS\system32\gwhfgyvu.dll
2008-02-21 21:56 93,760 ----a-w C:\WINDOWS\system32\fuqjiuaa.dll
2008-02-18 21:55 91,200 ----a-w C:\WINDOWS\system32\rbjohatu.dll
2008-02-18 21:52 93,248 ----a-w C:\WINDOWS\system32\cftqscfp.dll
2008-02-17 21:49 97,344 ----a-w C:\WINDOWS\system32\iqpbuprf.dll
2008-02-15 21:49 91,712 ----a-w C:\WINDOWS\system32\rlaxlpsv.dll
2008-02-14 21:48 91,200 ----a-w C:\WINDOWS\system32\gwpxgpfd.dll
2008-02-14 14:39 --------- d-----w C:\Program Files\UBNet
2008-02-13 21:48 98,368 ----a-w C:\WINDOWS\system32\kmvobopu.dll
2008-02-13 19:14 23,200 ----a-w C:\WINDOWS\system32\drivers\FileID.idx
2008-02-13 19:14 14,070,906 ----a-w C:\WINDOWS\system32\drivers\FileID.dat
2008-02-13 19:14 1,825,471 ----a-w C:\WINDOWS\system32\drivers\FileID.def
2008-02-13 19:13 37,388,889 ----a-w C:\WINDOWS\system32\drivers\VirusSignatures
2008-02-13 19:12 8,701,658 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak1
2008-02-12 21:48 93,248 ----a-w C:\WINDOWS\system32\apkdpwqe.dll
2008-02-11 21:48 93,248 ----a-w C:\WINDOWS\system32\oibjlhpy.dll
2008-02-10 21:47 93,248 ----a-w C:\WINDOWS\system32\jhlcbscx.dll
2008-02-09 21:47 93,760 ----a-w C:\WINDOWS\system32\nxxjieig.dll
2008-02-09 21:46 93,760 ----a-w C:\WINDOWS\system32\smxvrxno.dll
2008-02-06 21:41 92,224 ----a-w C:\WINDOWS\system32\pbkmhutj.dll
2008-02-05 21:41 94,272 ----a-w C:\WINDOWS\system32\wgellrna.dll
2008-02-04 21:41 93,248 ----a-w C:\WINDOWS\system32\oxbbmkmv.dll
2008-02-04 14:46 93,248 ----a-w C:\WINDOWS\system32\yxrnxmxh.dll
2007-11-12 15:37 123 ----a-w C:\Documents and Settings\mark everett\mit.bat
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( [email protected]_13.31.11.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-20 21:04:32 1,523,536 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2008-04-06 21:39:48 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-04-08 20:40:32 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10 339968]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 12:49 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-14 00:37 282624]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 12:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnmli]
opnnnmli.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oppom]
C:\WINDOWS\system32\oppom.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004-01-13 15:17 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winyxm32]
winyxm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\National Instruments\\MAX\\NIMax.exe"=
"C:\\Inficon\\FabGuardExecutive.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1305:TCP"= 1305:TCP:Lightspeed Security Agent (TCP)
"1305:UDP"= 1305:UDP:Lightspeed Security Agent (UDP)

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\NIPALK.sys [2002-01-07 21:01]
R1 IpmSecurityAgent1;Security Agent Filter Driver;C:\WINDOWS\system32\drivers\IpmSecurityAgent1.sys [2008-03-24 10:06]
R1 IpmSecurityAgent2;Security Agent Driver;C:\WINDOWS\system32\drivers\IpmSecurityAgent2.sys [2008-03-24 10:06]
R2 IpmSecurityAgentService;Security Agent Service;C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe [2008-03-11 16:34]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2002-01-28 13:59]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2002-01-28 13:59]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2002-01-28 15:40]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2002-01-28 15:41]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2002-01-28 14:02]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2002-01-28 14:04]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 20:58]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 07:26:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-04-09 7:27:16
ComboFix-quarantined-files.txt 2008-04-09 12:26:46
ComboFix2.txt 2008-04-09 02:58:23
ComboFix3.txt 2008-04-08 18:31:47
Pre-Run: 46,236,807,168 bytes free
Post-Run: 46,226,264,064 bytes free
.
2008-03-12 18:06:08 --- E O F ---


New HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:53 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SAAlert.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.freescale.net:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; *.freescale.net; *.freescale.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {032B436A-1BA6-47D9-B183-A0E013C94A25} (FgIoOcx Control) - http://172.18.2.66/F...Dll/FgIoOcx.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.87.cab
O16 - DPF: {3A2BF2DC-FDE5-4026-99B4-60F2999137AD} (FgConfigExecOcx Control) - http://172.18.2.66/F...nfigExecOcx.cab
O16 - DPF: {3AED1953-E7E9-418F-888C-7B497E038B77} (FgViewOcx Control) - http://172.18.2.66/F...l/FgViewOcx.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {5FF6BD84-D9FA-497E-BD43-FAA0DE338754} (FgStartupOcx Control) - http://172.18.2.66/F...gStartupOcx.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.68.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn...s/heartbeat.cab
O16 - DPF: {921DB7E5-1292-460F-AA99-217245A44330} (FgRawOcx Control) - http://172.18.2.66/F...ll/FgRawOcx.cab
O16 - DPF: {94279BAD-0B3C-4747-8869-8FBF27A675F8} (FgRecipeOcx Control) - http://172.18.2.66/F...FgRecipeOcx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/...he.cab55579.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {A97CF130-1C5E-4E07-A3FF-14BBE848DAC9} (FgAlarmOcx Control) - http://172.18.8.23/F.../FgAlarmOcx.cab
O16 - DPF: {B84BBE57-87E8-4335-8FD0-4B45A50E055E} (FgDbReportOcx Control) - http://172.18.2.66/F...DbReportOcx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn...6/heartbeat.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab42858.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.98.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex....eck/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: opnnnmli - opnnnmli.dll (file missing)
O20 - Winlogon Notify: oppom - C:\WINDOWS\system32\oppom.dll (file missing)
O20 - Winlogon Notify: winyxm32 - winyxm32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Security Agent Service (IpmSecurityAgentService) - Lightspeed Systems - C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10610 bytes

#12
kahdah (GeekU Teacher, Retired Staff)
Ok great now the Recovery Console is installed. :)
==================================
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\fxxodspc.dll
C:\WINDOWS\system32\yxcjjyew.dll
C:\WINDOWS\system32\yvtuuqhy.dll
C:\WINDOWS\system32\nmyrfoyu.dll
C:\WINDOWS\system32\fygvbntr.dll
C:\WINDOWS\system32\euatjeiu.dll
C:\WINDOWS\system32\qvnaffee.dll
C:\WINDOWS\system32\yrvxqfen.dll
C:\WINDOWS\system32\apfakggp.dll
C:\WINDOWS\system32\osfcvmlo.dll
C:\WINDOWS\system32\nagklfrx.dll
C:\WINDOWS\system32\tfwakdfc.dll
C:\WINDOWS\system32\fcxlxbee.dll
C:\WINDOWS\system32\gwhfgyvu.dll
C:\WINDOWS\system32\fuqjiuaa.dll
C:\WINDOWS\system32\rbjohatu.dll
C:\WINDOWS\system32\cftqscfp.dll
C:\WINDOWS\system32\iqpbuprf.dll
C:\WINDOWS\system32\rlaxlpsv.dll
C:\WINDOWS\system32\gwpxgpfd.dll
C:\WINDOWS\system32\kmvobopu.dll
C:\WINDOWS\system32\apkdpwqe.dll
C:\WINDOWS\system32\oibjlhpy.dll
C:\WINDOWS\system32\jhlcbscx.dll
C:\WINDOWS\system32\nxxjieig.dll
C:\WINDOWS\system32\smxvrxno.dll
C:\WINDOWS\system32\pbkmhutj.dll
C:\WINDOWS\system32\wgellrna.dll
C:\WINDOWS\system32\oxbbmkmv.dll
C:\WINDOWS\system32\yxrnxmxh.dll
C:\Documents and Settings\mark everett\mit.bat
C:\WINDOWS\system32\oppom.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnnmli]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oppom]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winyxm32]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

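Post #12 writes the CFScript by hand from the three "O20 - Winlogon Notify: ... (file missing)" lines in the HijackThis log: every random-named Notify handler gets its registry subkey deleted, and the one DLL that was listed with a full path also goes into the File:: section. The Python below, added here as an illustration and not part of this thread or of ComboFix itself, performs that same mapping mechanically: it parses O20 lines, treats every Winlogon Notify handler that is not on a caller-supplied keep-list as suspect, and emits a File:: / Registry:: script in the format kahdah used. The sample input is the four O20 lines from the log posted above; the keep-list (SUPERAntiSpyware's handler, which kahdah left alone) and all function names are this example's own assumptions.

```python
"""Build a ComboFix CFScript from HijackThis O20 (Winlogon Notify) lines.

Added example, not code from the thread or from ComboFix. The sample O20
lines are copied from the HijackThis log in the thread; the CFScript layout
(File:: and Registry:: sections, [-key] to delete a key) follows kahdah's
script. Function names and the keep-list are this example's assumptions.
"""
import re

# Winlogon notification packages on Windows XP are registered under this key;
# each subkey names a DLL that winlogon.exe loads at logon.
NOTIFY_KEY = (
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
)

# HJT O20 line: "O20 - Winlogon Notify: <name> - <dll> [(file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: the four O20 lines from the HijackThis log above.
SAMPLE_LOG = """\
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: opnnnmli - opnnnmli.dll (file missing)
O20 - Winlogon Notify: oppom - C:\\WINDOWS\\system32\\oppom.dll (file missing)
O20 - Winlogon Notify: winyxm32 - winyxm32.dll (file missing)
"""

# Assumption: handlers the helper identified as legitimate. Anything not
# listed here is treated as suspect, so extend it per machine (the ComboFix
# log in this thread, for instance, also shows a "Sebring" -> LgNotify.dll entry).
KEEP = {"!SASWinLogon"}


def parse_o20(log_text):
    """Return (name, dll_path, file_missing) for every O20 line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["path"], bool(m["missing"])))
    return entries


def suspect_entries(entries, keep=KEEP):
    """Notify handlers that are not on the keep-list.

    A handler whose DLL is already missing is a leftover (the DLL was removed
    but the key was not); a handler whose DLL is present and unidentified is
    the more urgent one, because winlogon.exe still loads it at every logon.
    """
    return [e for e in entries if e[0] not in keep]


def build_cfscript(entries, keep=KEEP):
    """Emit CFScript text for the suspect handlers.

    File:: lists only DLLs given with a full drive path, because ComboFix needs
    one to locate the file; bare filenames (opnnnmli.dll, winyxm32.dll) are
    handled by deleting their Notify subkey alone, exactly as kahdah's script did.
    """
    suspects = suspect_entries(entries, keep)
    files = [path for _, path, _ in suspects if re.match(r"^[A-Za-z]:\\", path)]
    keys = [f"[-{NOTIFY_KEY}\\{name}]" for name, _, _ in suspects]
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    if keys:
        lines.append("Registry::")
        lines.extend(keys)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_o20(SAMPLE_LOG)))
```

Run against the sample it prints a File:: section containing only C:\WINDOWS\system32\oppom.dll and a Registry:: section deleting the opnnnmli, oppom and winyxm32 subkeys, which is the script kahdah posted minus the thirty extra DLLs he took from earlier logs. The keep-list is the weak point of this approach: a legitimate vendor handler that is not on it will be flagged, so check the DLL's location and publisher before deleting any key you cannot identify.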

#13
vegimo (Topic Starter, Member)
ComboFix 08-04-08.4 - meverett 2008-04-09 11:29:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.675 [GMT -5:00]
Running from: C:\Documents and Settings\mark everett\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mark everett\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\mark everett\mit.bat
C:\WINDOWS\system32\apfakggp.dll
C:\WINDOWS\system32\apkdpwqe.dll
C:\WINDOWS\system32\cftqscfp.dll
C:\WINDOWS\system32\euatjeiu.dll
C:\WINDOWS\system32\fcxlxbee.dll
C:\WINDOWS\system32\fuqjiuaa.dll
C:\WINDOWS\system32\fxxodspc.dll
C:\WINDOWS\system32\fygvbntr.dll
C:\WINDOWS\system32\gwhfgyvu.dll
C:\WINDOWS\system32\gwpxgpfd.dll
C:\WINDOWS\system32\iqpbuprf.dll
C:\WINDOWS\system32\jhlcbscx.dll
C:\WINDOWS\system32\kmvobopu.dll
C:\WINDOWS\system32\nagklfrx.dll
C:\WINDOWS\system32\nmyrfoyu.dll
C:\WINDOWS\system32\nxxjieig.dll
C:\WINDOWS\system32\oibjlhpy.dll
C:\WINDOWS\system32\oppom.dll
C:\WINDOWS\system32\osfcvmlo.dll
C:\WINDOWS\system32\oxbbmkmv.dll
C:\WINDOWS\system32\pbkmhutj.dll
C:\WINDOWS\system32\qvnaffee.dll
C:\WINDOWS\system32\rbjohatu.dll
C:\WINDOWS\system32\rlaxlpsv.dll
C:\WINDOWS\system32\smxvrxno.dll
C:\WINDOWS\system32\tfwakdfc.dll
C:\WINDOWS\system32\wgellrna.dll
C:\WINDOWS\system32\yrvxqfen.dll
C:\WINDOWS\system32\yvtuuqhy.dll
C:\WINDOWS\system32\yxcjjyew.dll
C:\WINDOWS\system32\yxrnxmxh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\mark everett\mit.bat
C:\WINDOWS\system32\apfakggp.dll
C:\WINDOWS\system32\apkdpwqe.dll
C:\WINDOWS\system32\cftqscfp.dll
C:\WINDOWS\system32\euatjeiu.dll
C:\WINDOWS\system32\fcxlxbee.dll
C:\WINDOWS\system32\fuqjiuaa.dll
C:\WINDOWS\system32\fxxodspc.dll
C:\WINDOWS\system32\fygvbntr.dll
C:\WINDOWS\system32\gwhfgyvu.dll
C:\WINDOWS\system32\gwpxgpfd.dll
C:\WINDOWS\system32\iqpbuprf.dll
C:\WINDOWS\system32\jhlcbscx.dll
C:\WINDOWS\system32\kmvobopu.dll
C:\WINDOWS\system32\nagklfrx.dll
C:\WINDOWS\system32\nmyrfoyu.dll
C:\WINDOWS\system32\nxxjieig.dll
C:\WINDOWS\system32\oibjlhpy.dll
C:\WINDOWS\system32\osfcvmlo.dll
C:\WINDOWS\system32\oxbbmkmv.dll
C:\WINDOWS\system32\pbkmhutj.dll
C:\WINDOWS\system32\qvnaffee.dll
C:\WINDOWS\system32\rbjohatu.dll
C:\WINDOWS\system32\rlaxlpsv.dll
C:\WINDOWS\system32\smxvrxno.dll
C:\WINDOWS\system32\tfwakdfc.dll
C:\WINDOWS\system32\wgellrna.dll
C:\WINDOWS\system32\yrvxqfen.dll
C:\WINDOWS\system32\yvtuuqhy.dll
C:\WINDOWS\system32\yxcjjyew.dll
C:\WINDOWS\system32\yxrnxmxh.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 15:40 . 2008-04-09 04:40 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-08 12:44 . 2008-04-08 12:44 <DIR> d-------- C:\Deckard
2008-04-08 08:48 . 2008-04-08 08:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-08 08:34 . 2008-04-08 08:35 <DIR> d-------- C:\Program Files\Panda Security
2008-03-18 11:46 . 2008-03-18 11:46 0 --a------ C:\WINDOWS\FabGuardExecutive.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 16:26 --------- d-----w C:\Program Files\PokerStars.NET
2008-04-08 13:35 8,705,686 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity
2008-04-08 13:31 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-24 15:06 8,704,774 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak3
2008-03-24 15:06 23,040 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent1.sys
2008-03-24 15:06 113,152 ----a-w C:\WINDOWS\system32\drivers\IpmSecurityAgent2.sys
2008-03-20 14:09 8,704,280 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak2
2008-03-18 16:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-14 14:39 --------- d-----w C:\Program Files\UBNet
2008-02-13 19:14 23,200 ----a-w C:\WINDOWS\system32\drivers\FileID.idx
2008-02-13 19:14 14,070,906 ----a-w C:\WINDOWS\system32\drivers\FileID.dat
2008-02-13 19:14 1,825,471 ----a-w C:\WINDOWS\system32\drivers\FileID.def
2008-02-13 19:13 37,388,889 ----a-w C:\WINDOWS\system32\drivers\VirusSignatures
2008-02-13 19:12 8,701,658 ----a-w C:\WINDOWS\system32\drivers\FileIntegrity.bak1
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-04-08_13.31.11.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-20 21:04:32 1,523,536 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2008-04-06 21:39:48 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-04-08 20:40:32 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10 339968]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-19 12:49 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 01:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-14 00:37 282624]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 12:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2004-01-13 15:17 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\National Instruments\\MAX\\NIMax.exe"=
"C:\\Inficon\\FabGuardExecutive.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1305:TCP"= 1305:TCP:Lightspeed Security Agent (TCP)
"1305:UDP"= 1305:UDP:Lightspeed Security Agent (UDP)

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\NIPALK.sys [2002-01-07 21:01]
R1 IpmSecurityAgent1;Security Agent Filter Driver;C:\WINDOWS\system32\drivers\IpmSecurityAgent1.sys [2008-03-24 10:06]
R1 IpmSecurityAgent2;Security Agent Driver;C:\WINDOWS\system32\drivers\IpmSecurityAgent2.sys [2008-03-24 10:06]
R2 IpmSecurityAgentService;Security Agent Service;C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe [2008-03-11 16:34]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2002-01-28 13:59]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2002-01-28 13:59]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2002-01-28 15:40]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2002-01-28 15:41]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2002-01-28 14:02]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2002-01-28 14:04]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 20:58]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 11:31:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-04-09 11:31:52
ComboFix-quarantined-files.txt 2008-04-09 16:31:25
ComboFix2.txt 2008-04-09 12:27:17
ComboFix3.txt 2008-04-09 02:58:23
ComboFix4.txt 2008-04-08 18:31:47
Pre-Run: 46,216,503,296 bytes free
Post-Run: 46,205,050,880 bytes free
.
2008-03-12 18:06:08 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:14 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lightspeed Systems\SecurityAgent\SAAlert.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.freescale.net:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; *.freescale.net; *.freescale.com;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...IOS/tgctlcm.cab
O16 - DPF: {032B436A-1BA6-47D9-B183-A0E013C94A25} (FgIoOcx Control) - http://172.18.2.66/F...Dll/FgIoOcx.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/...nx.1.0.0.87.cab
O16 - DPF: {3A2BF2DC-FDE5-4026-99B4-60F2999137AD} (FgConfigExecOcx Control) - http://172.18.2.66/F...nfigExecOcx.cab
O16 - DPF: {3AED1953-E7E9-418F-888C-7B497E038B77} (FgViewOcx Control) - http://172.18.2.66/F...l/FgViewOcx.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://zone.msn.com/...rs.1.0.0.39.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {5FF6BD84-D9FA-497E-BD43-FAA0DE338754} (FgStartupOcx Control) - http://172.18.2.66/F...gStartupOcx.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.68.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/...t/atomaders.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn...s/heartbeat.cab
O16 - DPF: {921DB7E5-1292-460F-AA99-217245A44330} (FgRawOcx Control) - http://172.18.2.66/F...ll/FgRawOcx.cab
O16 - DPF: {94279BAD-0B3C-4747-8869-8FBF27A675F8} (FgRecipeOcx Control) - http://172.18.2.66/F...FgRecipeOcx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn...gr.cab31267.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/...he.cab55579.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {A97CF130-1C5E-4E07-A3FF-14BBE848DAC9} (FgAlarmOcx Control) - http://172.18.8.23/F.../FgAlarmOcx.cab
O16 - DPF: {B84BBE57-87E8-4335-8FD0-4B45A50E055E} (FgDbReportOcx Control) - http://172.18.2.66/F...DbReportOcx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/...tg.1.0.0.37.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn...6/heartbeat.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab42858.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/ct.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.98.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex....eck/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.211.1.10 10.211.1.8
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Security Agent Service (IpmSecurityAgentService) - Lightspeed Systems - C:\Program Files\Lightspeed Systems\SecurityAgent\SecurityAgent.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10408 bytes

#14
kahdah (GeekU Teacher, Retired Staff)
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#15
vegimo (Topic Starter, Member)
Malwarebytes' Anti-Malware 1.11
Database version: 604

Scan type: Full Scan (C:\|)
Objects scanned: 77744
Time elapsed: 51 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 33
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 66

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7543fbd5-2279-4d03-8f29-eb21531fa2fe} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf442538-be32-4055-a549-2f3b699f55eb} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{4a3d609a-43b8-4406-b793-84f244246325} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\webinst.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\FLEOK (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\oilvnish.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsinvlio.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\MARKEV~1\LOCALS~1\Temp\outerinfo.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\MARKEV~1\LOCALS~1\Temp\wr-1-77.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\MARKEV~1\LOCALS~1\Temp\nsm6A.tmp\System.dll (Worm.Voterai) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\itqrwnef\cbsvazev.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Bat\Bat.dll.vir (Adware.Batco) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Bat\Bat.exe.vir (Adware.Batco) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Bat\un_BatSetup_15041.exe.vir (Adware.Rabio) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Bat\X_Bat.exe.vir (Adware.Batco) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\mrofinu72.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\atstqjmh.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hmxsfwtu.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wmsdkns.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP454\A0034763.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP454\A0034768.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP454\A0034769.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP454\A0034770.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP454\A0034775.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP454\A0034776.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP454\A0034792.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP454\A0035793.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP456\A0036043.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP458\A0036150.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP458\A0036151.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP458\A0036153.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP458\A0036155.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP458\A0036156.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP458\A0036160.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP458\A0036162.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP458\A0036163.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BF3FE299-69A3-4A2F-AFD6-76A865DC0766}\RP458\A0036166.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\FLEOK\180ax.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntnut32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iiffdec.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\tcb.pmw (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jpewocmz.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\mark everett\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.