
my hijackthis log [CLOSED]


This topic is locked.

#16 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Well, I got kind of a big problem. I downloaded AVG antivirus and then did a restart, and when the computer rebooted I get a fatal system error with an all-blue screen. Safe mode still works, but that's it. And it seemed to be fixed after I ran that last scan.

This is not our night.

OK, try rebooting again.

Otherwise, get into Safe Mode and then:

Click on Start, then click on Run.
Copy and paste the following into the Open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad: main.txt and extra.txt.

The text from these files may exceed the maximum post length for this forum, so you may need to post the information over two or more posts.

#17 codycjb (Topic Starter, Member, 89 posts)

Deckard's System Scanner v20071014.68
Run by John on 2008-04-12 11:54:38
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as John.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:55 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\John\desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\John.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7058 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080411-141951-118 O2 - BHO: (no name) - {014A4822-BB58-44C0-A68E-CB9E579EE4BF} - C:\WINDOWS\system32\atl7.dll
backup-20080411-141951-129 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080411-141951-163 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-141951-171 O17 - HKLM\System\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.116.52,85.255.112.108
backup-20080411-141951-179 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.108
backup-20080411-141951-199 O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\John\MYDOCU~1\SMBOLS~1\scanregw.exe" -vt yazb
backup-20080411-141951-212 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
backup-20080411-141951-214 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-141951-246 O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
backup-20080411-141951-257 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080411-141951-264 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080411-141951-276 O21 - SSODL: hoYiTukQUTqEw - {D04D1AA3-7AE7-B009-8FF7-1FB6B1BC9023} - C:\WINDOWS\system32\en.dll
backup-20080411-141951-289 O17 - HKLM\System\CS1\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.116.52,85.255.112.108
backup-20080411-141951-303 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
backup-20080411-141951-307 O4 - HKCU\..\Run: [Ershoihb] "C:\Documents and Settings\John\Application Data\?ecurity\w?wexec.exe"
backup-20080411-141951-334 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080411-141951-340 O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
backup-20080411-141951-396 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080411-141951-398 O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
backup-20080411-141951-404 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080411-141951-440 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080411-141951-532 O17 - HKLM\System\CCS\Services\Tcpip\..\{CF10C264-C3DF-47C9-B4C5-CEF2A7A7DBC8}: NameServer = 85.255.116.52,85.255.112.108
backup-20080411-141951-577 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080411-141951-592 O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
backup-20080411-141951-595 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080411-141951-671 O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
backup-20080411-141951-723 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080411-141951-737 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080411-141951-748 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080411-141951-778 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-141951-785 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-141951-801 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080411-141951-819 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080411-141951-869 O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
backup-20080411-141951-880 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080411-141951-919 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.108
backup-20080411-141951-943 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080411-141951-953 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-141951-976 O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
backup-20080411-141951-995 O2 - BHO: (no name) - {10319EB0-7626-0AD9-0412-2800BAC980CA} - C:\WINDOWS\system32\uudgnf.dll
backup-20080411-142037-709 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-142515-898 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143041-124 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143041-697 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143041-917 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-143554-120 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080411-143554-168 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080411-143554-174 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080411-143554-189 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-143554-217 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080411-143554-246 O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
backup-20080411-143554-307 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080411-143554-351 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143554-403 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080411-143554-506 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080411-143554-520 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143554-550 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080411-143554-597 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080411-143554-627 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080411-143554-710 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080411-143554-774 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080411-143554-792 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080411-143554-853 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080411-143554-860 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080411-143554-874 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080411-143554-894 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-143924-860 O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html
backup-20080411-155004-128 O4 - HKCU\..\RunOnce: [SpybotDeletingB8184] command /c del "C:\WINDOWS\bjam.dll_tobedeleted"
backup-20080411-155004-147 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080411-155004-162 O4 - HKCU\..\RunOnce: [SpybotDeletingD8612] cmd /c del "C:\WINDOWS\system32\WER8274.DLL_tobedeleted"
backup-20080411-155004-178 O4 - HKLM\..\RunOnce: [SpybotDeletingC5140] cmd /c del "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe_tobedeleted"
backup-20080411-155004-264 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080411-155004-267 O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\John\LOCALS~1\Temp\3D31.tmp/r
backup-20080411-155004-290 O4 - HKCU\..\RunOnce: [SpybotDeletingB1602] command /c del "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe_tobedeleted"
backup-20080411-155004-295 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080411-155004-331 O4 - HKLM\..\RunOnce: [SpybotDeletingC8480] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
backup-20080411-155004-344 O4 - HKCU\..\RunOnce: [SpybotDeletingB1002] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
backup-20080411-155004-345 O4 - HKLM\..\RunOnce: [SpybotDeletingA8240] command /c del "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe_tobedeleted"
backup-20080411-155004-354 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080411-155004-393 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080411-155004-399 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080411-155004-407 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080411-155004-413 O4 - HKCU\..\RunOnce: [SpybotDeletingD5659] cmd /c del "C:\WINDOWS\bjam.dll_tobedeleted"
backup-20080411-155004-442 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080411-155004-473 O4 - HKLM\..\RunOnce: [SpybotDeletingC9410] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
backup-20080411-155004-496 O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
backup-20080411-155004-515 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080411-155004-517 O4 - HKCU\..\RunOnce: [SpybotDeletingD3950] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
backup-20080411-155004-528 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
backup-20080411-155004-530 O4 - HKLM\..\RunOnce: [SpybotDeletingA5620] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
backup-20080411-155004-531 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080411-155004-573 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-155004-628 O4 - HKCU\..\RunOnce: [SpybotDeletingB9330] command /c del "C:\WINDOWS\system32\ctfmona.exe_tobedeleted"
backup-20080411-155004-660 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\wmsdkns.exe,
backup-20080411-155004-678 O4 - HKCU\..\RunOnce: [SpybotDeletingD826] cmd /c del "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe_tobedeleted"
backup-20080411-155004-690 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080411-155004-730 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080411-155004-735 O4 - HKCU\..\RunOnce: [SpybotDeletingD3335] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
backup-20080411-155004-763 O4 - HKCU\..\RunOnce: [SpybotDeletingB4741] command /c del "C:\WINDOWS\2020search.dll_tobedeleted"
backup-20080411-155004-791 O4 - HKCU\..\RunOnce: [SpybotDeletingD1396] cmd /c del "C:\WINDOWS\2020search.dll_tobedeleted"
backup-20080411-155004-804 O4 - HKCU\..\Run: [Yahoo! Pager] 1
backup-20080411-155004-837 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080411-155004-843 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-155004-884 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080411-155004-911 O4 - HKLM\..\RunOnce: [SpybotDeletingA4804] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
backup-20080411-155004-917 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-155004-930 O4 - HKCU\..\RunOnce: [SpybotDeletingD2436] cmd /c del "C:\WINDOWS\system32\ctfmona.exe_tobedeleted"
backup-20080411-155004-938 O4 - HKCU\..\RunOnce: [SpybotDeletingB6956] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
backup-20080411-155004-973 O4 - HKCU\..\RunOnce: [SpybotDeletingB4732] command /c del "C:\WINDOWS\system32\WER8274.DLL_tobedeleted"
backup-20080411-155004-996 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-155004-997 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080411-155005-174 O21 - SSODL: hoYiTukQUTqEw - {D04D1AA3-7AE7-B009-8FF7-1FB6B1BC9023} - C:\WINDOWS\system32\en.dll
backup-20080411-155005-384 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Qwc05 - c:\windows\system32\drivers\qwc05.sys

S2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 584)
2008-04-11 20:33:49 10752 --a------ C:\WINDOWS\system32\WLCtrl32.dll


-- Files created between 2008-03-12 and 2008-04-12 -----------------------------

2008-04-12 11:52:48 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-11 20:16:30 0 dr-h----- C:\$VAULT$.AVG
2008-04-11 20:12:27 0 d-------- C:\Documents and Settings\John\Application Data\AVG7
2008-04-11 20:11:13 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-11 20:09:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-11 20:09:42 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-11 19:35:03 192512 --a------ C:\WINDOWS\system32\cbOCR.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-11 18:46:16 0 d-------- C:\Documents and Settings\John\Application Data\Malwarebytes
2008-04-11 18:46:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 18:46:05 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 17:24:53 0 d-------- C:\Documents and Settings\John\Application Data\?ecurity
2008-04-11 17:17:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:17:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-11 17:17:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-11 17:17:02 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-11 17:17:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-11 17:17:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-04-11 16:40:28 0 d-------- C:\WINDOWS\network diagnostic
2008-04-11 16:36:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-11 15:00:36 10752 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-04-11 14:49:37 0 d-------- C:\WINDOWS\ERUNT
2008-04-09 18:23:19 0 d-------- C:\Program Files\Trend Micro
2008-04-09 18:22:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-04-09 18:20:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-09 18:18:40 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-09 18:18:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-09 18:18:40 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-09 18:18:40 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-09 18:18:40 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-09 18:18:40 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-09 18:18:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-04-09 18:18:39 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-09 18:18:39 638976 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-09 17:38:26 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-09 17:38:26 2542 --a------ C:\WINDOWS\unins000.dat
2008-04-07 10:48:37 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-04-07 10:47:43 25472 --a------ C:\WINDOWS\system32\drivers\Qwc05.sys
2008-04-01 04:12:22 16 --a------ C:\s3ck
2008-03-28 16:02:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-28 16:00:35 0 d-------- C:\Program Files\Dell Support Center
2008-03-28 16:00:23 0 d-------- C:\Program Files\Common Files\supportsoft
2008-03-20 00:51:30 16 --a------ C:\s2p8
2008-03-19 11:34:06 16 --a------ C:\s2i4


-- Find3M Report ---------------------------------------------------------------

2008-04-11 18:59:32 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-11 18:59:01 104 -r-hs---- C:\WINDOWS\system32\0628A65766.sys
2008-04-11 17:24:53 0 d-------- C:\Documents and Settings\John\Application Data\?ecurity
2008-04-11 17:15:59 0 d-------- C:\Program Files\Common Files
2008-03-20 16:07:41 0 d-------- C:\Documents and Settings\John\Application Data\Corel
2008-03-04 21:04:45 16 --a------ C:\s1uk
2008-02-23 10:22:10 16 --a------ C:\s3hk


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 09:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 07:48 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 05:12 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/22/2006 08:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/22/2006 08:27 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 07:20 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/15/2007 03:12 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 09:20 PM]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [08/31/2005 01:06 PM]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [12/09/2003 03:02 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [11/15/2006 08:07 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 09:24 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 05:16 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/11/2008 08:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/25/2007 09:04 PM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [11/14/2007 06:33 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/22/2006 8:27:10 AM]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [3/25/2006 3:12:21 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/22/2006 8:24:19 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 04/11/2008 08:33 PM 10752 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qwc05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"




-- End of Deckard's System Scanner: finished at 2008-04-12 11:56:34 ------------

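The entries the helpers fixed in the backups list above (the extra executable chained onto UserInit, the WLCtrl32 Winlogon Notify DLL, the 85.255.x.x NameServer values and the "Task Scheduler" service pointing at spools.exe) are exactly the kind a reviewer wants flagged automatically rather than spotted by eye. The triage script below is an added example, not part of this thread or of HijackThis/DSS; the Windows XP Winlogon Notify baseline it carries is an assumption, and its sample lines are copied from the log posted above with benign entries added for contrast.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Assumption: the default Winlogon\Notify subkeys on Windows XP. Any other
# package name is reported so a human can check the DLL it loads into winlogon.
XP_NOTIFY_BASELINE = frozenset({
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
})

@dataclass
class Finding:
    tag: str      # HijackThis section tag the line came from (F2, O17, ...)
    reason: str   # why the line was flagged
    line: str     # the raw log line

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates trailing separators)."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].strip().lower()

def check_userinit(line: str):
    """F2: the UserInit value should name userinit.exe and nothing else."""
    m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
    if not m:
        return None
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extras = [e for e in entries if _basename(e) != "userinit.exe"]
    if extras:
        return Finding("F2", "extra UserInit executables: " + ", ".join(extras), line)
    return None

def check_nameserver(line: str, allowed=frozenset()):
    """O17: report resolvers that are neither private nor on the allow-list."""
    m = re.search(r"NameServer\s*=\s*(.+)$", line)
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group(1).strip()) if s]
    unexpected = []
    for s in servers:
        try:
            ip = ip_address(s)
        except ValueError:          # not an IP literal at all: always worth a look
            unexpected.append(s)
            continue
        if not ip.is_private and s not in allowed:
            unexpected.append(s)
    if unexpected:
        return Finding("O17", "unexpected DNS servers: " + ", ".join(unexpected), line)
    return None

def check_winlogon_notify(line: str):
    """O20: a Notify package outside the baseline loads its DLL into winlogon.exe."""
    m = re.match(r"O20 - Winlogon Notify:\s*([^-]+?)\s*-\s*(.*)$", line)
    if not m:
        return None
    name, dll = m.group(1).strip(), m.group(2).strip()
    if name.lower() not in XP_NOTIFY_BASELINE:
        return Finding("O20", f"non-baseline Winlogon Notify package {name} -> {dll}", line)
    return None

def check_service(line: str):
    """O23: a service image that is an .exe inside the drivers directory is out of place."""
    m = re.match(r"O23 - Service: (.*?) - (.*?) - (.*)$", line)
    if not m:
        return None
    name, owner, path = (g.strip() for g in m.groups())
    if "\\drivers\\" in path.lower() and path.lower().endswith(".exe"):
        return Finding("O23", f"service '{name}' ({owner}) runs {path}", line)
    return None

def triage(log_text: str, allowed_dns=frozenset()) -> list:
    """Run the per-section checks over a HijackThis log; findings keep log order."""
    checks = {"F2": check_userinit,
              "O17": lambda l: check_nameserver(l, allowed_dns),
              "O20": check_winlogon_notify, "O23": check_service}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        tag = line.split(" ", 1)[0] if line else ""
        check = checks.get(tag)
        if check is None:
            continue
        found = check(line)
        if found:
            findings.append(found)
    return findings

# Lines copied from the log posted above, plus benign O4/O23 entries for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.116.52,85.255.112.108
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
"""
```

Running `triage(SAMPLE_LOG)` yields one finding per flagged section (F2, O17, O20, O23) and nothing for the AVG service or the igfxtray Run entry; pass the ISP's resolver addresses in `allowed_dns` to keep legitimate public DNS servers out of the O17 report.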
#18 codycjb (Topic Starter, Member, 89 posts)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.53GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 253.98 MiB / 107.53 MiB
Pagefile Memory (total/avail): 624.8 MiB / 521.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.29 MiB

C: is Fixed (NTFS) - 71.46 GiB total, 59 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD800BB-75JHC0 - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 71.46 GiB - C:
\PARTITION2 - Unknown - 3 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: AVG 7.5.519 v7.5.519 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\WINDOWS\\aromis.exe"="C:\\WINDOWS\\aromis.exe:*:Enabled:enable"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\John\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DJ28RP91
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\John
LOGONSERVER=\\DJ28RP91
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\John\LOCALS~1\Temp
TMP=C:\DOCUME~1\John\LOCALS~1\Temp
USERDOMAIN=DJ28RP91
USERNAME=John
USERPROFILE=C:\Documents and Settings\John
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

John (admin)
L2MFIX (new local, admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\SBCSEL~1\CustomUninstall.exe SBC
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
America Online (Choose which version to remove) --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Connectivity Services --> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
AT&T Self Support Tool --> C:\WINDOWS\Motive\SBC\MCCUninst.exe
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
CCC Pathways Program --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{A6D29327-F4DE-4401-A5E8-9F58AD26474F} CPL
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Corel Paint Shop Pro X --> MsiExec.exe /I{1A15507A-8551-4626-915D-3D5FA095CC1B}
Corel Photo Album 6 --> MsiExec.exe /X{8A9B8148-DDD7-448F-BD6C-358386D32354}
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Game Console --> "C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe"
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digimax Master --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}\Setup.exe" -l0x9 -removeonly
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ELIcon --> MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7}
Get High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark Z600 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MCU --> MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Samsung USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{86D6A20D-3910-4441-A3E5-EB6977251C86}\Setup.exe" anything
SBC Yahoo! Applications --> C:\PROGRA~1\Yahoo!\common\uninstall.exe
Search Assist --> MsiExec.exe /X{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
URL Assistant --> regsvr32 /u /s "c:\Program Files\BAE\BAE.dll"
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1007 / Warning
Event Submitted/Written: 04/11/2008 07:35:14 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type1006 / Warning
Event Submitted/Written: 04/11/2008 07:35:13 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type1005 / Warning
Event Submitted/Written: 04/11/2008 06:35:53 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Event Record #/Type1004 / Warning
Event Submitted/Written: 04/11/2008 06:35:53 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS', component '{ACD935F6-53F3-469B-842F-2CE17B80840C}' failed. The resource 'HKEY_CURRENT_USER\Software\Corel\Auto Update\{1A15507A-8551-4626-915D-3D5FA095CC1B}\Interval' does not exist.

Event Record #/Type1003 / Warning
Event Submitted/Written: 04/11/2008 06:35:53 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{1A15507A-8551-4626-915D-3D5FA095CC1B}', feature '_ISUS' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8189 / Error
Event Submitted/Written: 04/11/2008 08:35:40 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Avg7Core
Avg7RsW
Avg7RsXP
Fips
IntelIde
intelppm

Event Record #/Type8188 / Error
Event Submitted/Written: 04/11/2008 08:35:40 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Fax service depends on the Print Spooler service which failed to start because of the following error:
%%1068

Event Record #/Type8187 / Error
Event Submitted/Written: 04/11/2008 08:34:25 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type8185 / Warning
Event Submitted/Written: 04/11/2008 08:34:16 PM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{CF10C264-C3DF-47C9-B4C5-CEF2A7A7DBC8}.

Event Record #/Type8184 / Error
Event Submitted/Written: 04/11/2008 08:34:14 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.1.64 for the Network Card with network address 0016761B5919 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-04-12 11:56:34 ------------

#19 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Looks like you had a worm, and I don't know how far into your system it got.

Given we seem to be hitting issues at every turn, could you make sure you have your operating system discs to hand before we go any further, in case we need to go for a reinstall... hopefully we can avoid that.

In this post I want to run a tool we used earlier again, and then move on to a more powerful tool after that.


====STEP 1====
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum

====STEP 2====
Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open one Notepad window, main.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt in your next reply.


In your next reply could I see:
1. the Report.txt log
2. the DSS log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#20 codycjb (Member, Topic Starter, 89 posts)
Sorry I haven't been able to reply; I haven't been able to get to this computer for the last couple of days due to the weekend, and this computer is my office computer. I don't think I have an XP install CD because it came on the computer. Is there any way to reinstall Windows and not lose all my documents, or do I have to save all my documents to a flash drive or something else of that nature?

OK, I ran the SDFix and I got the same message as last time, "The system cannot find the file specified", so I don't have a log for the SDFix.

Here's the new DSS log.


Deckard's System Scanner v20071014.68
Run by John on 2008-04-14 16:26:44
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as John.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:53 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\John\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\John.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7302 bytes

-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2008-04-14 16:16:02 60160 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2008-04-12 11:52:48 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-11 20:16:30 0 dr-h----- C:\$VAULT$.AVG
2008-04-11 20:12:27 0 d-------- C:\Documents and Settings\John\Application Data\AVG7
2008-04-11 20:11:13 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-11 20:09:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-11 20:09:42 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-11 19:35:03 192512 --a------ C:\WINDOWS\system32\cbOCR.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-11 18:46:16 0 d-------- C:\Documents and Settings\John\Application Data\Malwarebytes
2008-04-11 18:46:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 18:46:05 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 17:24:53 0 d-------- C:\Documents and Settings\John\Application Data\?ecurity
2008-04-11 17:17:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:17:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-11 17:17:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-11 17:17:02 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-11 17:17:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-11 17:17:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-04-11 16:40:28 0 d-------- C:\WINDOWS\network diagnostic
2008-04-11 16:36:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-11 15:00:36 10752 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-04-11 14:49:37 0 d-------- C:\WINDOWS\ERUNT
2008-04-09 18:23:19 0 d-------- C:\Program Files\Trend Micro
2008-04-09 18:22:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-04-09 18:20:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-09 18:18:40 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-09 18:18:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-09 18:18:40 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-09 18:18:40 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-09 18:18:40 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-09 18:18:40 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-09 18:18:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-04-09 18:18:39 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-09 18:18:39 638976 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-09 17:38:26 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-09 17:38:26 2542 --a------ C:\WINDOWS\unins000.dat
2008-04-07 10:48:37 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-04-07 10:47:43 25472 --a------ C:\WINDOWS\system32\drivers\Qwc05.sys
2008-04-01 04:12:22 16 --a------ C:\s3ck
2008-03-28 16:02:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-28 16:00:35 0 d-------- C:\Program Files\Dell Support Center
2008-03-28 16:00:23 0 d-------- C:\Program Files\Common Files\supportsoft
2008-03-20 00:51:30 16 --a------ C:\s2p8
2008-03-19 11:34:06 16 --a------ C:\s2i4


-- Find3M Report ---------------------------------------------------------------

2008-04-11 18:59:32 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-11 18:59:01 104 -r-hs---- C:\WINDOWS\system32\0628A65766.sys
2008-04-11 17:24:53 0 d-------- C:\Documents and Settings\John\Application Data\?ecurity
2008-04-11 17:15:59 0 d-------- C:\Program Files\Common Files
2008-03-20 16:07:41 0 d-------- C:\Documents and Settings\John\Application Data\Corel
2008-03-04 21:04:45 16 --a------ C:\s1uk
2008-02-23 10:22:10 16 --a------ C:\s3hk


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 09:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 07:48 PM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 05:12 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/22/2006 08:27 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/22/2006 08:27 AM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 07:20 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/15/2007 03:12 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [09/08/2005 09:20 PM]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [08/31/2005 01:06 PM]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [12/09/2003 03:02 PM]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [11/15/2006 08:07 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 09:24 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 05:16 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/11/2008 08:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/25/2007 09:04 PM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [11/14/2007 06:33 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [3/22/2006 8:27:10 AM]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [3/25/2006 3:12:21 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/22/2006 8:24:19 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 04/14/2008 04:24 PM 10752 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qwc05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@="Driver Group"




-- End of Deckard's System Scanner: finished at 2008-04-14 16:27:55 ------------
  • 0

#21
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

I don't think I have an XP install CD because it came on the computer. Is there any way to reinstall Windows and not lose all my documents, or do I have to save all my documents to a flash drive or something else of that nature?

It is certainly an idea to save documents you can't afford to lose, though bear in mind that the flash drive you save onto could very likely become infected also, so it is an emergency measure only.

====STEP 1====
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean - I will be giving the all clear at the end of all this. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

====STEP 2====
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console, read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, right after reboot you'll see the option for the Recovery Console as well. Don't select Recovery Console, as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

andrewuk

Edited by andrewuk, 15 April 2008 - 12:05 PM.

  • 0

#22
codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
ComboFix 08-04-14.2 - John 2008-04-15 17:47:13.1 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\John\Application Data\ECURIT~1
C:\Documents and Settings\John\Application Data\ECURIT~1\w?wexec.exe
C:\Documents and Settings\John\My Documents\SMBOLS~1
C:\Documents and Settings\John\My Documents\SMBOLS~1\s?mbols\
C:\WINDOWS\system32\drivers\Qwc05.sys
C:\WINDOWS\system32\drivers\VNKQ50.sys
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QWC05
-------\Legacy_VNKQ50
-------\Service_Qwc05
-------\Service_Vnkq50
-------\Service_VNKQ50


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 16:16 . 2008-04-14 16:16 60,160 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2008-04-12 11:52 . 2008-04-12 11:52 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-11 20:17 . 2004-08-04 07:00 1,032,192 --a------ C:\WINDOWS\explorer.exe
2008-04-11 20:12 . 2008-04-11 20:14 <DIR> d-------- C:\Documents and Settings\John\Application Data\AVG7
2008-04-11 20:11 . 2008-04-11 20:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-11 20:09 . 2008-04-11 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-11 20:09 . 2008-04-11 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-11 19:38 . 2008-04-15 17:45 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem
2008-04-11 19:38 . 2008-04-11 19:38 47,104 --a------ C:\23.tmp
2008-04-11 19:38 . 2008-04-11 19:38 3,276 --a------ C:\26.tmp
2008-04-11 19:38 . 2008-04-11 19:38 3,276 --a------ C:\18.tmp
2008-04-11 19:35 . 2008-04-15 17:27 192,512 --a------ C:\WINDOWS\system32\cbOCR.dll
2008-04-11 18:46 . 2008-04-11 18:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 18:46 . 2008-04-11 18:46 <DIR> d-------- C:\Documents and Settings\John\Application Data\Malwarebytes
2008-04-11 18:46 . 2008-04-11 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 18:13 . 2008-04-11 18:13 <DIR> d-------- C:\Deckard
2008-04-11 17:21 . 2008-04-11 17:21 3,276 --a------ C:\36.tmp
2008-04-11 17:21 . 2008-04-11 17:21 3,276 --a------ C:\34.tmp
2008-04-11 17:17 . 2008-04-11 17:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:08 . 2008-04-11 17:08 3,276 --a------ C:\33.tmp
2008-04-11 16:55 . 2008-04-11 16:55 3,276 --a------ C:\30.tmp
2008-04-11 16:55 . 2008-04-11 16:55 3,276 --a------ C:\28.tmp
2008-04-11 16:51 . 2008-04-11 16:51 311 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-11 16:46 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-11 16:46 . 2007-06-30 23:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-11 16:46 . 2007-06-30 23:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-11 16:46 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-11 16:46 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-11 16:46 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-11 16:46 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-11 16:46 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-11 16:46 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-11 16:21 . 2008-04-11 16:21 3,276 --a------ C:\27.tmp
2008-04-11 16:20 . 2008-04-11 16:21 3,276 --a------ C:\25.tmp
2008-04-11 15:57 . 2008-04-11 15:57 3,276 --a------ C:\24.tmp
2008-04-11 15:57 . 2008-04-11 15:57 3,276 --a------ C:\22.tmp
2008-04-11 15:52 . 2008-04-11 15:52 <DIR> d-------- C:\_OTMoveIt
2008-04-11 14:53 . 2008-04-11 14:53 3,276 --a------ C:\17.tmp
2008-04-11 14:53 . 2008-04-11 14:53 0 --a------ C:\21.tmp
2008-04-11 14:53 . 2008-04-11 14:53 0 --a------ C:\1C.tmp
2008-04-11 14:53 . 2008-04-11 14:53 0 --a------ C:\1B.tmp
2008-04-11 14:53 . 2008-04-11 14:53 0 --a------ C:\1A.tmp
2008-04-11 14:49 . 2008-04-11 14:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-11 14:42 . 2008-04-14 16:21 <DIR> d-------- C:\SDFix
2008-04-09 18:23 . 2008-04-09 18:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 18:22 . 2008-04-09 18:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-04-09 18:18 . 2006-03-22 08:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-04-09 18:18 . 2008-04-11 20:11 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-09 18:16 . 2008-04-09 18:16 2 --a------ C:\B.tmp
2008-04-09 17:38 . 2008-04-09 17:31 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-09 17:38 . 2008-04-09 17:38 2,542 --a------ C:\WINDOWS\unins000.dat
2008-04-09 14:05 . 2008-04-09 14:05 0 --a------ C:\20.tmp
2008-04-09 14:04 . 2008-04-09 14:04 0 --a------ C:\1D.tmp
2008-04-09 14:04 . 2008-04-09 14:04 0 --a------ C:\19.tmp
2008-04-09 14:03 . 2008-04-09 14:04 2 --a------ C:\15.tmp
2008-04-09 14:03 . 2008-04-09 14:03 0 --a------ C:\14.tmp
2008-04-09 06:42 . 2008-04-09 06:42 0 --a------ C:\1F.tmp
2008-04-09 06:41 . 2008-04-09 06:41 0 --a------ C:\1E.tmp
2008-04-09 06:36 . 2008-04-09 06:36 0 --a------ C:\16.tmp
2008-04-09 06:35 . 2008-04-09 06:36 2 --a------ C:\13.tmp
2008-04-09 06:35 . 2008-04-09 06:35 0 --a------ C:\F.tmp
2008-04-08 18:58 . 2008-04-08 06:49 160,256 --a------ C:\WINDOWS\system32\AF.tmp
2008-04-08 07:18 . 2008-04-08 07:18 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-08 06:50 . 2008-04-08 06:50 2 --a------ C:\12.tmp
2008-04-07 11:25 . 2008-04-07 11:25 2 --a------ C:\6.tmp
2008-04-07 10:50 . 2008-04-07 10:50 29 --a------ C:\WINDOWS\system32\qrfwapis.tmp
2008-04-07 10:49 . 2008-04-07 10:49 0 --a------ C:\2F.tmp
2008-04-07 10:48 . 2008-04-09 14:04 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-04-07 10:48 . 2008-04-07 10:48 0 --a------ C:\2E.tmp
2008-04-07 10:48 . 2008-04-07 10:48 0 --a------ C:\2C.tmp
2008-04-07 10:47 . 2008-04-07 10:48 2 --a------ C:\2B.tmp
2008-04-07 10:47 . 2008-04-07 10:47 0 --a------ C:\2A.tmp
2008-04-01 04:12 . 2008-04-01 04:12 16 --a------ C:\s3ck
2008-03-28 16:02 . 2008-03-28 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-28 16:00 . 2008-03-28 16:01 <DIR> d-------- C:\Program Files\Dell Support Center
2008-03-28 16:00 . 2008-03-28 16:00 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-03-20 00:51 . 2008-03-20 00:51 16 --a------ C:\s2p8
2008-03-19 11:34 . 2008-03-19 11:34 16 --a------ C:\s2i4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 10:57 90,112 ----a-w C:\WINDOWS\DUMP612b.tmp
2008-04-11 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-11 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 21:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-28 19:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-03-20 20:07 --------- d-----w C:\Documents and Settings\John\Application Data\Corel
.
  • 0

#23
codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02, on 2008-04-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6426 bytes
  • 0

#24
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
The ComboFix report seems to have got cut off; could you repost it, please?

andrewuk
  • 0

#25
codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
I just went back and checked, and that's all I got in the report.
  • 0


#26
codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
I don't think ComboFix finished all the way; I got some runtime error thing.
  • 0

#27
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
OK, try this:

Click on Start, click on Run.
Copy and paste the following in bold in the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When finished, two logs will open in Notepad.
Could you post back only Main txt.

andrewuk
  • 0

#28
codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
Deckard's System Scanner v20071014.68
Run by John on 2008-04-15 18:13:02
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
96: 2008-04-14 20:13:00 UTC - RP737 - Restore Operation
95: 2008-04-12 00:09:40 UTC - RP736 - Installed AVG 7.5
94: 2008-04-11 22:44:09 UTC - RP735 - 4/11/08
93: 2008-04-11 22:13:51 UTC - RP734 - Deckard's System Scanner Restore Point
92: 2008-04-11 21:13:50 UTC - RP733 - Restore Operation


-- First Restore Point --
1: 2008-01-08 20:17:49 UTC - RP642 - System Checkpoint


Performed disk cleanup.

Total Physical Memory: 254 MiB (512 MiB recommended).


-- HijackThis (run as John.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13, on 2008-04-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\John\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\John.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6507 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080411-141951-118 O2 - BHO: (no name) - {014A4822-BB58-44C0-A68E-CB9E579EE4BF} - C:\WINDOWS\system32\atl7.dll
backup-20080411-141951-129 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080411-141951-163 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-141951-171 O17 - HKLM\System\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.116.52,85.255.112.108
backup-20080411-141951-179 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.108
backup-20080411-141951-199 O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\John\MYDOCU~1\SMBOLS~1\scanregw.exe" -vt yazb
backup-20080411-141951-212 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
backup-20080411-141951-214 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-141951-246 O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
backup-20080411-141951-257 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080411-141951-264 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080411-141951-276 O21 - SSODL: hoYiTukQUTqEw - {D04D1AA3-7AE7-B009-8FF7-1FB6B1BC9023} - C:\WINDOWS\system32\en.dll
backup-20080411-141951-289 O17 - HKLM\System\CS1\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.116.52,85.255.112.108
backup-20080411-141951-303 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
backup-20080411-141951-307 O4 - HKCU\..\Run: [Ershoihb] "C:\Documents and Settings\John\Application Data\?ecurity\w?wexec.exe"
backup-20080411-141951-334 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080411-141951-340 O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
backup-20080411-141951-396 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080411-141951-398 O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
backup-20080411-141951-404 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080411-141951-440 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080411-141951-532 O17 - HKLM\System\CCS\Services\Tcpip\..\{CF10C264-C3DF-47C9-B4C5-CEF2A7A7DBC8}: NameServer = 85.255.116.52,85.255.112.108
backup-20080411-141951-577 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080411-141951-592 O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
backup-20080411-141951-595 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080411-141951-671 O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
backup-20080411-141951-723 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080411-141951-737 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080411-141951-748 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080411-141951-778 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-141951-785 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-141951-801 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080411-141951-819 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080411-141951-869 O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
backup-20080411-141951-880 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080411-141951-919 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.52 85.255.112.108
backup-20080411-141951-943 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,C:\WINDOWS\system32\ntos.exe,
backup-20080411-141951-953 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-141951-976 O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
backup-20080411-141951-995 O2 - BHO: (no name) - {10319EB0-7626-0AD9-0412-2800BAC980CA} - C:\WINDOWS\system32\uudgnf.dll
backup-20080411-142037-709 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-142515-898 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143041-124 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143041-697 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143041-917 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-143554-120 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080411-143554-168 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080411-143554-174 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080411-143554-189 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-143554-217 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080411-143554-246 O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
backup-20080411-143554-307 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080411-143554-351 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143554-403 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080411-143554-506 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080411-143554-520 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-143554-550 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080411-143554-597 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080411-143554-627 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080411-143554-710 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080411-143554-774 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080411-143554-792 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080411-143554-853 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080411-143554-860 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080411-143554-874 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080411-143554-894 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-143924-860 O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html
backup-20080411-155004-128 O4 - HKCU\..\RunOnce: [SpybotDeletingB8184] command /c del "C:\WINDOWS\bjam.dll_tobedeleted"
backup-20080411-155004-147 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080411-155004-162 O4 - HKCU\..\RunOnce: [SpybotDeletingD8612] cmd /c del "C:\WINDOWS\system32\WER8274.DLL_tobedeleted"
backup-20080411-155004-178 O4 - HKLM\..\RunOnce: [SpybotDeletingC5140] cmd /c del "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe_tobedeleted"
backup-20080411-155004-264 O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
backup-20080411-155004-267 O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\John\LOCALS~1\Temp\3D31.tmp/r
backup-20080411-155004-290 O4 - HKCU\..\RunOnce: [SpybotDeletingB1602] command /c del "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe_tobedeleted"
backup-20080411-155004-295 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080411-155004-331 O4 - HKLM\..\RunOnce: [SpybotDeletingC8480] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
backup-20080411-155004-344 O4 - HKCU\..\RunOnce: [SpybotDeletingB1002] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
backup-20080411-155004-345 O4 - HKLM\..\RunOnce: [SpybotDeletingA8240] command /c del "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe_tobedeleted"
backup-20080411-155004-354 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080411-155004-393 O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
backup-20080411-155004-399 O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
backup-20080411-155004-407 O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
backup-20080411-155004-413 O4 - HKCU\..\RunOnce: [SpybotDeletingD5659] cmd /c del "C:\WINDOWS\bjam.dll_tobedeleted"
backup-20080411-155004-442 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080411-155004-473 O4 - HKLM\..\RunOnce: [SpybotDeletingC9410] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
backup-20080411-155004-496 O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
backup-20080411-155004-515 O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
backup-20080411-155004-517 O4 - HKCU\..\RunOnce: [SpybotDeletingD3950] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
backup-20080411-155004-528 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
backup-20080411-155004-530 O4 - HKLM\..\RunOnce: [SpybotDeletingA5620] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
backup-20080411-155004-531 O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
backup-20080411-155004-573 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-155004-628 O4 - HKCU\..\RunOnce: [SpybotDeletingB9330] command /c del "C:\WINDOWS\system32\ctfmona.exe_tobedeleted"
backup-20080411-155004-660 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\wmsdkns.exe,
backup-20080411-155004-678 O4 - HKCU\..\RunOnce: [SpybotDeletingD826] cmd /c del "C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe_tobedeleted"
backup-20080411-155004-690 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080411-155004-730 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080411-155004-735 O4 - HKCU\..\RunOnce: [SpybotDeletingD3335] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
backup-20080411-155004-763 O4 - HKCU\..\RunOnce: [SpybotDeletingB4741] command /c del "C:\WINDOWS\2020search.dll_tobedeleted"
backup-20080411-155004-791 O4 - HKCU\..\RunOnce: [SpybotDeletingD1396] cmd /c del "C:\WINDOWS\2020search.dll_tobedeleted"
backup-20080411-155004-804 O4 - HKCU\..\Run: [Yahoo! Pager] 1
backup-20080411-155004-837 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080411-155004-843 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\John\cftmon.exe
backup-20080411-155004-884 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080411-155004-911 O4 - HKLM\..\RunOnce: [SpybotDeletingA4804] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll_tobedeleted"
backup-20080411-155004-917 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-155004-930 O4 - HKCU\..\RunOnce: [SpybotDeletingD2436] cmd /c del "C:\WINDOWS\system32\ctfmona.exe_tobedeleted"
backup-20080411-155004-938 O4 - HKCU\..\RunOnce: [SpybotDeletingB6956] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll_tobedeleted"
backup-20080411-155004-973 O4 - HKCU\..\RunOnce: [SpybotDeletingB4732] command /c del "C:\WINDOWS\system32\WER8274.DLL_tobedeleted"
backup-20080411-155004-996 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080411-155004-997 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080411-155005-174 O21 - SSODL: hoYiTukQUTqEw - {D04D1AA3-7AE7-B009-8FF7-1FB6B1BC9023} - C:\WINDOWS\system32\en.dll
backup-20080411-155005-384 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 catchme - c:\docume~1\john\locals~1\temp\catchme.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 USB2_04 (USB2_04 driver) - c:\windows\system32\drivers\nkv2.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

All modules okay.


-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-15 17:47:12 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-15 17:40:02 0 d-------- C:\cmdcons
2008-04-15 17:38:47 68096 --a------ C:\WINDOWS\zip.exe
2008-04-15 17:38:47 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-15 17:38:47 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-15 17:38:47 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-15 17:38:47 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-15 17:38:47 98816 --a------ C:\WINDOWS\sed.exe
2008-04-15 17:38:47 80412 --a------ C:\WINDOWS\grep.exe
2008-04-15 17:38:47 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-14 16:16:02 60160 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2008-04-12 11:52:48 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-11 20:16:30 0 dr-h----- C:\$VAULT$.AVG
2008-04-11 20:12:27 0 d-------- C:\Documents and Settings\John\Application Data\AVG7
2008-04-11 20:11:13 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-11 20:09:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-11 20:09:42 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-11 19:38:24 0 d--hs---- C:\WINDOWS\system32\wsnpoem
2008-04-11 19:35:03 192512 --a------ C:\WINDOWS\system32\cbOCR.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-11 18:46:16 0 d-------- C:\Documents and Settings\John\Application Data\Malwarebytes
2008-04-11 18:46:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 18:46:05 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 17:17:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:17:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-11 17:17:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-11 17:17:02 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-11 17:17:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-11 17:17:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-11 17:17:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-04-11 16:40:28 0 d-------- C:\WINDOWS\network diagnostic
2008-04-11 16:36:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-11 14:49:37 0 d-------- C:\WINDOWS\ERUNT
2008-04-09 18:23:19 0 d-------- C:\Program Files\Trend Micro
2008-04-09 18:22:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-04-09 18:20:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-09 18:18:40 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-09 18:18:40 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-09 18:18:40 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-09 18:18:40 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-09 18:18:40 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-09 18:18:40 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-09 18:18:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-04-09 18:18:39 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-09 18:18:39 638976 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-09 17:38:26 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-09 17:38:26 2542 --a------ C:\WINDOWS\unins000.dat
2008-04-07 10:48:37 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-04-01 04:12:22 16 --a------ C:\s3ck
2008-03-28 16:02:15 0 d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-28 16:00:35 0 d-------- C:\Program Files\Dell Support Center
2008-03-28 16:00:23 0 d-------- C:\Program Files\Common Files\supportsoft
2008-03-20 00:51:30 16 --a------ C:\s2p8
2008-03-19 11:34:06 16 --a------ C:\s2i4


-- Find3M Report ---------------------------------------------------------------

2008-04-11 18:59:32 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-11 18:59:01 104 -r-hs---- C:\WINDOWS\system32\0628A65766.sys
2008-04-11 17:15:59 0 d-------- C:\Program Files\Common Files
2008-03-20 16:07:41 0 d-------- C:\Documents and Settings\John\Application Data\Corel
2008-03-04 21:04:45 16 --a------ C:\s1uk
2008-02-23 10:22:10 16 --a------ C:\s3hk


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 21:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 05:12]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-22 08:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-22 08:27]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 07:20]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 03:12]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 13:06]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 15:02]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-11-15 08:07]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-11 20:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 21:04]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-11-14 18:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-03-22 08:27:10]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-03-25 15:12:21]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-22 08:24:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qwc05.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-04-15 18:14:19 ------------
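The HijackThis backup lines in the log above are the kind of material a helper reads by eye. As an added example (not code from this thread, from HijackThis or from DSS), the Python below parses a handful of those lines, embedded here as a constructed sample copied from the log, and flags the indicators a reviewer looks for: a hard-coded NameServer that is not on an operator allow-list (the allow-list address 192.168.1.1 is an assumption), a UserInit value carrying programs beyond userinit.exe, a service with an unknown owner whose binary is an .exe under the drivers folder, autoruns launched from Temp or a user profile, and orphaned BHO registrations.

```python
import re

# Constructed sample: HijackThis backup lines in the format shown in the log above
# (the "backup-<timestamp>" prefix is what HijackThis writes into its backup folder).
SAMPLE_LINES = [
    "backup-20080411-141951-919 O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.52 85.255.112.108",
    "backup-20080411-141951-943 F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wmsdkns.exe,C:\\WINDOWS\\system32\\ntos.exe,",
    "backup-20080411-141951-953 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\\WINDOWS\\system32\\drivers\\spools.exe",
    "backup-20080411-143041-917 O4 - HKLM\\..\\Run: [autoload] C:\\Documents and Settings\\John\\cftmon.exe",
    "backup-20080411-143554-120 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)",
    "backup-20080411-155004-267 O4 - HKLM\\..\\Run: [advap32] C:\\DOCUME~1\\John\\LOCALS~1\\Temp\\3D31.tmp/r",
]

# Resolvers the operator expects to see on this machine (assumption: the router's address).
# Any hard-coded NameServer outside this set is flagged.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

# Optional backup prefix, then the HijackThis section code (O2, O4, O17, F2, R1 ...), then the body.
ENTRY_RE = re.compile(r"^(?:backup-\S+\s+)?(?P<kind>[OFR]\d+)\s+-\s+(?P<body>.*)$")


def parse(line):
    """Split one HijackThis line into (section code, body); None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("kind"), m.group("body")


def triage(lines, expected_ns=EXPECTED_NAMESERVERS):
    """Return (severity, section, reason) tuples for entries that deserve a human look."""
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        kind, body = parsed
        low = body.lower()
        if kind == "O17" and "nameserver" in low:
            servers = body.partition("=")[2].split()
            bad = [s for s in servers if s not in expected_ns]
            if bad:
                findings.append(("high", kind, "hard-coded DNS servers not in allow-list: " + " ".join(bad)))
        elif kind == "F2" and "userinit=" in low:
            # Winlogon's UserInit should name exactly one program; extra comma-separated
            # entries run at every logon and are a classic persistence hook.
            progs = [p.strip() for p in body.partition("=")[2].split(",") if p.strip()]
            extra = [p for p in progs if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("high", kind, "extra UserInit programs: " + ", ".join(extra)))
        elif kind == "O23" and "unknown owner" in low and "\\drivers\\" in low and low.endswith(".exe"):
            findings.append(("high", kind, "service with unknown owner running an .exe from the drivers folder: " + body))
        elif kind == "O4":
            path = body.split("]", 1)[1].strip() if "]" in body else body
            pl = path.lower()
            if "\\temp\\" in pl or "\\locals~1\\" in pl:
                findings.append(("high", kind, "autorun launched from a Temp directory: " + path))
            elif "\\documents and settings\\" in pl or "\\docume~1\\" in pl:
                findings.append(("medium", kind, "autorun launched from a user profile: " + path))
        elif kind == "O2" and "(no file)" in low:
            findings.append(("low", kind, "orphaned BHO registration (file missing)"))
    return findings


if __name__ == "__main__":
    for severity, kind, reason in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {kind:4} {reason}")
```

The allow-list is the one input a reader has to supply: the script cannot know which resolvers are legitimate for a given network, so any NameServer it does not recognise is reported rather than silently accepted.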

#29 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Things are starting to look better.

In this post I want to clear a bad item, scan for a rootkit and scan a couple of suspicious-looking files.

====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qwc05.sys]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


====STEP 2====
Download Sophos Anti-Rootkit & save it to your desktop after filling out the questionnaire and reading the EULA.

Note: You will need to enter your name, e-mail address and location in order to access the download page.
  • Double-click sarsfx.exe to extract the files.
  • Click the Accept button at the EULA, then Install to the default directory
  • At the next prompt, click Yes to start the program
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click the "Start Scan" button.
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now

====STEP 3====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\system32\drivers\nkv2.sys

Click on the submit button

Please also do the same with the following file:
C:\WINDOWS\system32\0628A65766.sys


Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal.


In your next reply could I see:
1. the ComboFix log
2. the rootkit log, if any
3. the 2 Jotti scan logs
4. a new HijackThis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
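Step 1 above removes a SafeBoot\Minimal key that still names Qwc05.sys even though the earlier ComboFix run had already deleted that driver (both facts are visible in the logs in this thread). As an added example, not part of andrewuk's instructions or of ComboFix, the Python below performs the corresponding check: it lists SafeBoot\Minimal entries whose driver file or service key no longer exists. The core function works on plain dictionaries so it runs anywhere against a constructed sample; read_live_state() pulls the real lists via winreg and only works on Windows. The service names and driver file names in the sample are constructed.

```python
import os


def find_orphaned_safeboot_entries(entries, services, driver_files):
    """Return (name, reason) for SafeBoot\\Minimal entries that point at nothing.

    entries      -- {subkey name: default value}, e.g. {"Qwc05.sys": "Driver"}
    services     -- names of subkeys under HKLM\\SYSTEM\\CurrentControlSet\\Services
    driver_files -- file names present in %SystemRoot%\\System32\\drivers
    """
    services_lc = {s.lower() for s in services}
    drivers_lc = {d.lower() for d in driver_files}
    orphans = []
    for name, kind in entries.items():
        if kind == "Driver" and name.lower().endswith(".sys"):
            if name.lower() not in drivers_lc:
                orphans.append((name, "driver file missing from System32\\drivers"))
        elif kind == "Service":
            if name.lower() not in services_lc:
                orphans.append((name, "no matching key under Services"))
        # Device-class GUID keys carry a description as their default value
        # ("Universal Serial Bus controllers", ...) and are normal; skip them.
    return orphans


def read_live_state():
    """Windows only: read the real SafeBoot\\Minimal list, service names and driver files."""
    import winreg  # stdlib on Windows, absent elsewhere, hence imported lazily

    def subkeys(path):
        names = []
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                names.append(winreg.EnumKey(key, i))
        return names

    safeboot = r"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, safeboot) as key:
        for name in subkeys(safeboot):
            try:
                entries[name] = winreg.QueryValue(key, name)  # the unnamed (default) value
            except OSError:
                entries[name] = ""
    services = subkeys(r"SYSTEM\CurrentControlSet\Services")
    drivers_dir = os.path.join(os.environ["SystemRoot"], "System32", "drivers")
    return entries, services, os.listdir(drivers_dir)


# Constructed sample mirroring the two entries in the DSS registry dump above, plus a
# normal driver and a device-class key; the service and file names are made up.
SAMPLE_ENTRIES = {
    "PSEXESVC": "Service",
    "Qwc05.sys": "Driver",
    "vga.sys": "Driver",
    "{36FC9E60-C465-11CF-8056-444553540000}": "Universal Serial Bus controllers",
}
SAMPLE_SERVICES = {"PSEXESVC", "Schedule", "Tcpip"}
SAMPLE_DRIVER_FILES = {"vga.sys", "nkv2.sys", "asctrm.sys"}


if __name__ == "__main__":
    if os.name == "nt":
        state = read_live_state()
    else:
        state = (SAMPLE_ENTRIES, SAMPLE_SERVICES, SAMPLE_DRIVER_FILES)
    for name, reason in find_orphaned_safeboot_entries(*state):
        print(f"orphaned SafeBoot\\Minimal entry: {name} ({reason})")
```

On the constructed sample only Qwc05.sys is reported: PSEXESVC still has a service key and vga.sys still has its file, which is exactly the distinction a helper draws before writing a Registry:: deletion into a CFScript.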

#30 codycjb (Topic Starter, Member, 89 posts)
ComboFix 08-04-14.2 - John 2008-04-15 18:43:30.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.127 [GMT -4:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
.
---- Previous Run -------
.
C:\Documents and Settings\John\Application Data\ECURIT~1
C:\Documents and Settings\John\Application Data\ECURIT~1\w?wexec.exe
C:\Documents and Settings\John\My Documents\SMBOLS~1
C:\Documents and Settings\John\My Documents\SMBOLS~1\s?mbols\
C:\WINDOWS\system32\drivers\Qwc05.sys
C:\WINDOWS\system32\drivers\VNKQ50.sys
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QWC05
-------\Legacy_VNKQ50
-------\Service_Qwc05
-------\Service_Vnkq50
-------\Service_VNKQ50


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 16:16 . 2008-04-14 16:16 60,160 --a------ C:\WINDOWS\system32\drivers\nkv2.sys
2008-04-12 11:52 . 2008-04-12 11:52 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-11 20:17 . 2004-08-04 07:00 1,032,192 --a------ C:\WINDOWS\explorer.exe
2008-04-11 20:12 . 2008-04-11 20:14 <DIR> d-------- C:\Documents and Settings\John\Application Data\AVG7
2008-04-11 20:11 . 2008-04-11 20:11 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-11 20:09 . 2008-04-11 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-11 20:09 . 2008-04-11 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-11 19:38 . 2008-04-11 19:38 47,104 --a------ C:\23.tmp
2008-04-11 19:38 . 2008-04-11 19:38 3,276 --a------ C:\26.tmp
2008-04-11 19:38 . 2008-04-11 19:38 3,276 --a------ C:\18.tmp
2008-04-11 19:35 . 2008-04-15 17:27 192,512 --a------ C:\WINDOWS\system32\cbOCR.dll
2008-04-11 18:46 . 2008-04-11 18:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 18:46 . 2008-04-11 18:46 <DIR> d-------- C:\Documents and Settings\John\Application Data\Malwarebytes
2008-04-11 18:46 . 2008-04-11 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 18:13 . 2008-04-11 18:13 <DIR> d-------- C:\Deckard
2008-04-11 17:21 . 2008-04-11 17:21 3,276 --a------ C:\36.tmp
2008-04-11 17:21 . 2008-04-11 17:21 3,276 --a------ C:\34.tmp
2008-04-11 17:17 . 2008-04-11 17:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:08 . 2008-04-11 17:08 3,276 --a------ C:\33.tmp
2008-04-11 16:55 . 2008-04-11 16:55 3,276 --a------ C:\30.tmp
2008-04-11 16:55 . 2008-04-11 16:55 3,276 --a------ C:\28.tmp
2008-04-11 16:51 . 2008-04-11 16:51 311 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-11 16:46 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-11 16:46 . 2007-06-30 23:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-11 16:46 . 2007-06-30 23:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-11 16:46 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-11 16:46 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-11 16:46 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-11 16:46 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-11 16:46 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-11 16:46 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-11 16:21 . 2008-04-11 16:21 3,276 --a------ C:\27.tmp
2008-04-11 16:20 . 2008-04-11 16:21 3,276 --a------ C:\25.tmp
2008-04-11 15:57 . 2008-04-11 15:57 3,276 --a------ C:\24.tmp
2008-04-11 15:57 . 2008-04-11 15:57 3,276 --a------ C:\22.tmp
2008-04-11 15:52 . 2008-04-11 15:52 <DIR> d-------- C:\_OTMoveIt
2008-04-11 14:53 . 2008-04-11 14:53 3,276 --a------ C:\17.tmp
2008-04-11 14:53 . 2008-04-11 14:53 0 --a------ C:\21.tmp
2008-04-11 14:53 . 2008-04-11 14:53 0 --a------ C:\1C.tmp
2008-04-11 14:53 . 2008-04-11 14:53 0 --a------ C:\1B.tmp
2008-04-11 14:53 . 2008-04-11 14:53 0 --a------ C:\1A.tmp
2008-04-11 14:49 . 2008-04-11 14:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-11 14:42 . 2008-04-14 16:21 <DIR> d-------- C:\SDFix
2008-04-09 18:23 . 2008-04-09 18:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 18:22 . 2008-04-09 18:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-04-09 18:18 . 2006-03-22 08:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-04-09 18:18 . 2008-04-11 20:11 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-09 18:16 . 2008-04-09 18:16 2 --a------ C:\B.tmp
2008-04-09 17:38 . 2008-04-09 17:31 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-09 17:38 . 2008-04-09 17:38 2,542 --a------ C:\WINDOWS\unins000.dat
2008-04-09 14:05 . 2008-04-09 14:05 0 --a------ C:\20.tmp
2008-04-09 14:04 . 2008-04-09 14:04 0 --a------ C:\1D.tmp
2008-04-09 14:04 . 2008-04-09 14:04 0 --a------ C:\19.tmp
2008-04-09 14:03 . 2008-04-09 14:04 2 --a------ C:\15.tmp
2008-04-09 14:03 . 2008-04-09 14:03 0 --a------ C:\14.tmp
2008-04-09 06:42 . 2008-04-09 06:42 0 --a------ C:\1F.tmp
2008-04-09 06:41 . 2008-04-09 06:41 0 --a------ C:\1E.tmp
2008-04-09 06:36 . 2008-04-09 06:36 0 --a------ C:\16.tmp
2008-04-09 06:35 . 2008-04-09 06:36 2 --a------ C:\13.tmp
2008-04-09 06:35 . 2008-04-09 06:35 0 --a------ C:\F.tmp
2008-04-08 18:58 . 2008-04-08 06:49 160,256 --a------ C:\WINDOWS\system32\AF.tmp
2008-04-08 07:18 . 2008-04-08 07:18 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-08 06:50 . 2008-04-08 06:50 2 --a------ C:\12.tmp
2008-04-07 11:25 . 2008-04-07 11:25 2 --a------ C:\6.tmp
2008-04-07 10:50 . 2008-04-07 10:50 29 --a------ C:\WINDOWS\system32\qrfwapis.tmp
2008-04-07 10:49 . 2008-04-07 10:49 0 --a------ C:\2F.tmp
2008-04-07 10:48 . 2008-04-09 14:04 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-04-07 10:48 . 2008-04-07 10:48 0 --a------ C:\2E.tmp
2008-04-07 10:48 . 2008-04-07 10:48 0 --a------ C:\2C.tmp
2008-04-07 10:47 . 2008-04-07 10:48 2 --a------ C:\2B.tmp
2008-04-07 10:47 . 2008-04-07 10:47 0 --a------ C:\2A.tmp
2008-04-01 04:12 . 2008-04-01 04:12 16 --a------ C:\s3ck
2008-03-28 16:02 . 2008-03-28 16:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-03-28 16:00 . 2008-03-28 16:01 <DIR> d-------- C:\Program Files\Dell Support Center
2008-03-28 16:00 . 2008-03-28 16:00 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-03-20 00:51 . 2008-03-20 00:51 16 --a------ C:\s2p8
2008-03-19 11:34 . 2008-03-19 11:34 16 --a------ C:\s2i4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 10:57 90,112 ----a-w C:\WINDOWS\DUMP612b.tmp
2008-04-11 22:59 5,018 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-11 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-04-11 22:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 21:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-28 19:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-03-20 20:07 --------- d-----w C:\Documents and Settings\John\Application Data\Corel
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 09:32 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-02-16 09:32 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-02-16 09:32 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-02-16 09:32 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2008-02-16 09:32 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.

------- Sigcheck -------

2004-08-04 07:00 17408 1b2d5bde0478a770eccb28eb45017cb2 C:\WINDOWS\system32\svchost.exe

2004-08-04 07:00 506368 19aba4dbec658fba6611906ab35c7c2b C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 21:04 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-11-14 18:33 8716288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 21:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48 32881]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 05:12 94208]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-22 08:27 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-22 08:27 98304]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 07:20 122940]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 03:12 1838592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20 8192]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 13:06 106496]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 15:02 57344]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2006-11-15 08:07 380928]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 17:16 1121792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-11 20:10 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-11-14 18:33 8716288]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-11 20:10 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2006-03-22 08:27:10 156784]
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-03-25 15:12:21 217088]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-22 08:24:19 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Qwc05.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

S3 USB2_04;USB2_04 driver;C:\WINDOWS\system32\drivers\nkv2.sys [2008-04-14 16:16]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 18:46:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-04-15 18:47:28
ComboFix-quarantined-files.txt 2008-04-15 22:47:24

Pre-Run: 63,274,119,168 bytes free
Post-Run: 63,262,650,368 bytes free
.
2008-02-14 08:03:07 --- E O F ---