Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I desprately need assistance.

Started by Jaereloaded , Apr 13 2008 01:06 PM

  • Please log in to reply

#1
Jaereloaded
Posted 13 April 2008 - 01:06 PM

Jaereloaded

    Member

  • Member
  • PipPip
  • 22 posts
I need help getting rid of spyware/malwear. I went to a site called "Watch-movies.net" a friend told me about it... so I assumed it would be safe. When I did so, it disabled my "kaspersky" and downloaded something on to my computer. What it did was disabled my task manager, and set a new background on my computer. I quickly restarted Kaspersky, and it said that something was trying to write things to the registry. It wouldn't allow me to do anything that involved the internet. So I had to turn off kaspersky just to write to you guys... so I'm sure this thing is probably destroying my computer as I type. Can someone please help me. I did find something that enabled my task manager.... but I don't know what to look for... PLEASE HELP.
  • 0

Advertisements

#2
kahdah
Posted 13 April 2008 - 01:31 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Jaereloaded

Welcome back to G2Go. :)
=====================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#3
Jaereloaded
Posted 13 April 2008 - 08:44 PM

Jaereloaded

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:15 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jamael\Application Data\s?stem\w?auclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [35380754] rundll32.exe "C:\WINDOWS\system32\cdhgffji.dll",b
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.EXE" -quiet
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Ccy] "C:\Documents and Settings\Jamael\Application Data\s?stem\w?auclt.exe"
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4996 bytes
  • 0

#4
kahdah
Posted 13 April 2008 - 09:50 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please disable any protection program or shield that you have running.
Tea-timer and Spyware Doctor and KAspersky.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
==================
Then download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#5
Jaereloaded
Posted 14 April 2008 - 12:52 AM

Jaereloaded

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
So what I did was run the Combo Fix, and an older version of "HJT" by mistake... so when I tried to post the logs that I pasted in the reply.... I got a message telling me to download another version. But I'd already closed the Combo Fix Log. Here is the HJT log. Should I run Combo Fix again?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:49 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {ACC8F873-19E3-4411-BCAA-BECB8F3BF342} - C:\WINDOWS\system32\pmnoLdBr.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Ccy] "C:\Documents and Settings\Jamael\Application Data\s?stem\w?auclt.exe"
O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5523 bytes
  • 0

#6
kahdah
Posted 14 April 2008 - 02:21 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Can you check to see if it is here C:\Combofix.txt.

Edited by kahdah, 14 April 2008 - 02:22 AM.

  • 0

#7
Jaereloaded
Posted 15 April 2008 - 10:07 AM

Jaereloaded

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
ComboFix 08-04-13.2 - Jamael 2008-04-14 22:56:10.4 - FAT32x86
Running from: C:\Documents and Settings\Jamael\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\diblnaui.dll
C:\WINDOWS\system32\jkmlfqno.dll
C:\WINDOWS\system32\lgwwlwta.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\onqflmkj.ini
C:\WINDOWS\system32\rBdLonmp.ini
C:\WINDOWS\system32\rBdLonmp.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NEW_DRV


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 22:52 . 2008-04-14 22:52 3,648 --a------ C:\WINDOWS\system32\ccyavuny.dll
2008-04-14 03:51 . 2008-04-14 09:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 03:51 . 2008-04-14 03:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-11 14:44 . 2008-04-11 14:44 187,904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 03:06 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-15 03:06 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-15 03:06 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-15 03:06 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-14 04:48 3,648 ----a-w C:\WINDOWS\system32\fohvkjcs.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-04 15:27 2,560 ----a-w C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-26 15:37 91,700 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-02-26 15:37 85,860 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-02-26 15:36 --------- d-----w C:\Program Files\Kaspersky Lab
2008-02-26 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-25 20:40 --------- d-----w C:\Program Files\Panda Security
2008-02-25 18:12 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-25 15:16 --------- d-----w C:\Documents and Settings\Jamael\Application Data\Malwarebytes
2008-02-25 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 17:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-20 03:04 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-17 03:21 2,856 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-08 22:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2006-05-12 16:29 59,504 ----a-w C:\Documents and Settings\Jamael\Application Data\GDIPFONTCACHEV1.DAT
2005-05-22 13:36 271 --sh--w C:\Program Files\desktop.ini
2005-05-22 13:36 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-04-14_ 1.20.52.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-07 01:21:46 124,928 ------w C:\WINDOWS\ie7updates\KB947864-IE7\advpack.dll
+ 2007-12-19 22:01:06 347,136 ------w C:\WINDOWS\ie7updates\KB947864-IE7\dxtmsft.dll
+ 2007-12-07 01:21:46 214,528 ------w C:\WINDOWS\ie7updates\KB947864-IE7\dxtrans.dll
+ 2007-12-07 01:21:46 133,120 ------w C:\WINDOWS\ie7updates\KB947864-IE7\extmgr.dll
+ 2007-12-07 01:21:46 63,488 ------w C:\WINDOWS\ie7updates\KB947864-IE7\icardie.dll
+ 2007-12-06 10:00:58 70,656 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ie4uinit.exe
+ 2007-12-07 01:21:46 153,088 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieakeng.dll
+ 2007-12-07 01:21:46 230,400 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieaksie.dll
+ 2007-12-06 03:59:52 161,792 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieakui.dll
+ 2007-12-07 01:21:46 383,488 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dll
+ 2007-12-07 01:21:46 384,512 ------w C:\WINDOWS\ie7updates\KB947864-IE7\iedkcs32.dll
+ 2007-12-07 01:21:46 6,066,176 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieframe.dll
+ 2007-12-07 01:21:46 44,544 ------w C:\WINDOWS\ie7updates\KB947864-IE7\iernonce.dll
+ 2007-12-07 01:21:46 267,776 ------w C:\WINDOWS\ie7updates\KB947864-IE7\iertutil.dll
+ 2007-08-13 22:39:10 13,312 ------w C:\WINDOWS\ie7updates\KB947864-IE7\ieudinit.exe
+ 2007-12-06 10:01:26 625,664 ------w C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
+ 2007-12-07 01:21:48 27,648 ------w C:\WINDOWS\ie7updates\KB947864-IE7\jsproxy.dll
+ 2007-12-07 01:21:48 459,264 ------w C:\WINDOWS\ie7updates\KB947864-IE7\msfeeds.dll
+ 2007-12-07 01:21:48 52,224 ------w C:\WINDOWS\ie7updates\KB947864-IE7\msfeedsbs.dll
+ 2007-12-08 14:51:48 3,592,192 ------w C:\WINDOWS\ie7updates\KB947864-IE7\mshtml.dll
+ 2007-12-07 01:21:48 478,208 ------w C:\WINDOWS\ie7updates\KB947864-IE7\mshtmled.dll
+ 2007-12-07 01:21:48 193,024 ------w C:\WINDOWS\ie7updates\KB947864-IE7\msrating.dll
+ 2007-12-07 01:21:48 671,232 ------w C:\WINDOWS\ie7updates\KB947864-IE7\mstime.dll
+ 2007-12-07 01:21:48 102,912 ------w C:\WINDOWS\ie7updates\KB947864-IE7\occache.dll
+ 2008-01-11 04:53:32 44,544 ------w C:\WINDOWS\ie7updates\KB947864-IE7\pngfilt.dll
+ 2007-03-06 01:22:40 213,216 ------w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:52 371,424 ------w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\updspapi.dll
+ 2007-12-07 01:21:48 105,984 ------w C:\WINDOWS\ie7updates\KB947864-IE7\url.dll
+ 2007-12-07 01:21:48 1,159,680 ------w C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll
+ 2007-12-07 01:21:48 233,472 ------w C:\WINDOWS\ie7updates\KB947864-IE7\webcheck.dll
+ 2007-12-07 01:21:48 824,832 ------w C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
+ 2003-07-07 17:36:00 2,058,343 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT
+ 2003-07-08 15:48:00 115,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040111900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DLL
- 2005-11-26 22:41:40 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-04-14 07:40:30 593,920 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2005-11-26 22:41:40 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-04-14 07:40:30 12,288 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2005-11-26 22:41:40 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-04-14 07:40:28 135,168 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2005-11-26 22:41:40 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-04-14 07:40:30 11,264 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2005-11-26 22:41:40 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-04-14 07:40:30 27,136 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2005-11-26 22:41:40 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-04-14 07:40:30 4,096 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-11-26 22:41:40 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-04-14 07:40:30 794,624 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-11-26 22:41:40 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-04-14 07:40:30 249,856 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2005-11-26 22:41:40 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-04-14 07:40:30 61,440 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2005-11-26 22:41:40 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-04-14 07:40:30 23,040 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-11-26 22:41:40 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-04-14 07:40:28 286,720 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2005-11-26 22:41:40 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-04-14 07:40:28 409,600 ----a-r C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-07 01:21:46 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-12-07 01:21:46 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-12-19 22:01:06 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-03-01 13:06:22 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 01:21:46 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-03-01 13:06:22 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 01:21:46 133,120 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-03-01 13:06:22 133,120 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-12-07 01:21:46 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-03-01 13:06:22 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-12-07 01:21:46 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-03-01 13:06:22 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-12-07 01:21:46 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-03-01 13:06:22 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-12-07 01:21:46 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-12-07 01:21:46 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-12-07 01:21:46 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-12-07 01:21:46 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-12-07 01:21:46 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-03-01 13:06:26 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-12-07 01:21:48 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-03-01 13:06:26 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 01:21:48 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-12-07 01:21:48 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-12-07 01:21:48 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 01:21:48 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-03-01 13:06:28 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 01:21:48 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-03-01 13:06:30 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 01:21:48 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-03-01 13:06:30 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-01-11 04:53:32 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-03-01 13:06:30 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 01:21:48 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-03-01 13:06:30 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
- 2007-12-07 01:21:48 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-12-07 01:21:48 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-12-07 01:21:48 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-03-01 13:06:32 826,368 ------w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 16:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:44 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2007-12-19 22:01:06 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-03-01 13:06:22 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 01:21:46 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-03-01 13:06:22 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 01:21:46 133,120 ------w C:\WINDOWS\system32\extmgr.dll
+ 2008-03-01 13:06:22 133,120 ------w C:\WINDOWS\system32\extmgr.dll
- 2008-04-14 05:14:12 243,920 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-14 08:54:56 243,920 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-12-07 01:21:46 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-03-01 13:06:22 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-12-06 10:00:58 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-02-29 08:55:24 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2007-12-07 01:21:46 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2008-03-01 13:06:22 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2007-12-07 01:21:46 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2008-03-01 13:06:22 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2007-12-06 03:59:52 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2008-02-15 05:44:26 161,792 ------w C:\WINDOWS\system32\ieakui.dll
- 2007-12-07 01:21:46 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-12-07 01:21:46 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2007-12-07 01:21:46 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-12-07 01:21:46 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\iernonce.dll
- 2007-12-07 01:21:46 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-03-01 13:06:26 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-13 22:39:10 13,312 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-02-22 10:00:52 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2005-12-15 02:41:50 92,224 ----a-w C:\WINDOWS\system32\inquhqaj.dll
- 2007-12-07 01:21:48 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
+ 2008-03-01 13:06:26 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2005-12-15 02:10:08 3,648 ----a-w C:\WINDOWS\system32\motuxeol.dll
- 2007-12-07 01:21:48 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-12-07 01:21:48 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-12-08 14:51:48 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-03-01 22:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 01:21:48 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 01:21:48 193,024 ------w C:\WINDOWS\system32\msrating.dll
+ 2008-03-01 13:06:28 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 01:21:48 671,232 ------w C:\WINDOWS\system32\mstime.dll
+ 2008-03-01 13:06:30 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2007-12-07 01:21:48 102,912 ------w C:\WINDOWS\system32\occache.dll
+ 2008-03-01 13:06:30 102,912 ------w C:\WINDOWS\system32\occache.dll
- 2008-01-11 04:53:32 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-03-01 13:06:30 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-09-06 21:43:16 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:34 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-12-07 01:21:48 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-03-01 13:06:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-12-07 01:21:48 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-12-07 01:21:48 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-12-07 01:21:48 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-03-01 13:06:32 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2005-12-15 02:09:54 96,320 ----a-w C:\WINDOWS\system32\xogldogt.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2cf29e3f-f68d-49b8-b424-e943b9cdf216}]
2005-12-14 22:41 92224 --a------ C:\WINDOWS\system32\inquhqaj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EE6FA70-0D90-486C-8B84-C01776975898}]
2005-12-13 17:08 272384 --a------ C:\WINDOWS\system32\pmnoLdBr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe" [2005-02-16 11:06 218112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.exe" [2007-12-17 17:13 3810544]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"Ccy"="C:\Documents and Settings\Jamael\Application Data\s?stem\w?auclt.exe" [ ]
"QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-26 13:59 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-03-04 11:27]
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-13 15:33]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 15:13:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 23:11:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-14 23:15:56 - machine was rebooted
ComboFix3.txt 2008-02-25 04:30:52
ComboFix-quarantined-files.txt 2008-04-15 03:15:42
ComboFix2.txt 2008-04-14 05:26:36

Pre-Run: 81,930,321,920 bytes free
Post-Run: 81,978,327,040 bytes free
.
2008-04-14 07:41:17 --- E O F ---
  • 0

#8
kahdah
Posted 15 April 2008 - 04:35 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#9
Jaereloaded
Posted 15 April 2008 - 08:17 PM

Jaereloaded

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
  • 0

#10
kahdah
Posted 15 April 2008 - 08:26 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ccyavuny.dll
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2cf29e3f-f68d-49b8-b424-e943b9cdf216}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EE6FA70-0D90-486C-8B84-C01776975898}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QdrModule15"=-
"Ccy"=-
"QdrPack15"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

Advertisements

#11
Jaereloaded
Posted 15 April 2008 - 10:52 PM

Jaereloaded

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
ComboFix 08-04-13.2 - Jamael 2008-04-15 23:29:00.5 - FAT32x86
Running from: C:\Documents and Settings\Jamael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jamael\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\WINDOWS\system32\ccyavuny.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\WINDOWS\system32\ccyavuny.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NEW_DRV


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-14 03:51 . 2008-04-14 09:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 03:51 . 2008-04-14 03:51 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 03:37 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-16 03:37 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-16 03:37 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-16 03:37 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-14 04:48 3,648 ----a-w C:\WINDOWS\system32\fohvkjcs.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-04 15:27 2,560 ----a-w C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-26 15:37 91,700 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-02-26 15:37 85,860 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-02-26 15:36 --------- d-----w C:\Program Files\Kaspersky Lab
2008-02-26 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-25 20:40 --------- d-----w C:\Program Files\Panda Security
2008-02-25 18:12 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-25 15:16 --------- d-----w C:\Documents and Settings\Jamael\Application Data\Malwarebytes
2008-02-25 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 17:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-20 03:04 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-17 03:21 2,856 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-08 22:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2006-05-12 16:29 59,504 ----a-w C:\Documents and Settings\Jamael\Application Data\GDIPFONTCACHEV1.DAT
2005-05-22 13:36 271 --sh--w C:\Program Files\desktop.ini
2005-05-22 13:36 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="C:\Documents and Settings\Jamael\Desktop\My Content\Stuff\New Folder\HijackThis.exe" [2005-02-16 11:06 218112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.exe" [2007-12-17 17:13 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-26 13:59 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-03-04 11:27]
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-13 15:33]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 15:13:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 23:40:36
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-15 23:44:56 - machine was rebooted
ComboFix4.txt 2008-02-25 04:30:52
ComboFix-quarantined-files.txt 2008-04-16 03:44:40
ComboFix3.txt 2008-04-14 05:26:36
ComboFix2.txt 2008-04-15 03:16:06

Pre-Run: 83,325,550,592 bytes free
Post-Run: 83,376,046,080 bytes free
.
2008-04-14 07:41:17 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:33 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.EXE" -quiet
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 4970 bytes
  • 0

#12
kahdah
Posted 16 April 2008 - 02:26 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
================================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.

  • 0

#13
Jaereloaded
Posted 16 April 2008 - 07:45 PM

Jaereloaded

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 16, 2008 8:42:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/04/2008
Kaspersky Anti-Virus database records: 710612
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 57830
Number of viruses found: 12
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 01:33:58

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\motuxeol.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\fimeejep.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nve skipped
C:\WINDOWS\system32\qlaquelt.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\plvcmbhr.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\iqkgfsmv.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\fohvkjcs.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\default.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmsdkns.exe.vir Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gsy.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\urqNGyvW.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkmlfqno.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.nvf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ccyavuny.dll.vir Infected: Trojan.Win32.KillAV.rf skipped
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jamael\Application Data\SSTEM~1\wυauclt.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jamael\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Jamael\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jamael\Local Settings\Temporary Internet Files\Content.IE5\U1Q6AK9D\ Object is locked skipped
C:\Documents and Settings\Jamael\Local Settings\Temporary Internet Files\Content.IE5\U1Q6AK9D\ Object is locked skipped
C:\Documents and Settings\Jamael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jamael\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jamael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jamael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jamael\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jamael\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jamael\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP769\A0190838.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP769\A0190839.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP769\A0190845.exe Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP769\A0190847.exe Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP769\A0195907.exe Infected: Trojan-Downloader.Win32.Homles.bf skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP772\A0196130.exe Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP772\A0196131.exe Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP772\A0196132.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP772\A0196133.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP772\A0196133.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP772\A0196133.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP772\A0196138.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mhf skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP772\A0196143.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP777\A0198592.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{257993A2-B5CD-4F21-9E03-EACF1A4AED40}\RP777\change.log Object is locked skipped

Scan process completed.
  • 0

#14
kahdah
Posted 17 April 2008 - 02:59 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo.com/forum/desprately-need-assistance-t194723.html#entry1215974

Collect::
C:\WINDOWS\system32\motuxeol.dll
C:\WINDOWS\system32\fimeejep.dll 
C:\WINDOWS\system32\qlaquelt.dll
C:\WINDOWS\system32\plvcmbhr.dll
C:\WINDOWS\system32\iqkgfsmv.dll
C:\WINDOWS\system32\fohvkjcs.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additonally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

  • 0

#15
Jaereloaded
Posted 17 April 2008 - 09:01 AM

Jaereloaded

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
ComboFix 08-04-13.2 - Jamael 2008-04-17 9:38:30.6 - FAT32x86
Running from: C:\Documents and Settings\Jamael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jamael\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fimeejep.dll
C:\WINDOWS\system32\fohvkjcs.dll
C:\WINDOWS\system32\iqkgfsmv.dll
C:\WINDOWS\system32\motuxeol.dll
C:\WINDOWS\system32\plvcmbhr.dll
C:\WINDOWS\system32\qlaquelt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NEW_DRV


((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-16 11:15 . 2008-04-16 11:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 03:51 . 2008-04-16 21:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-14 03:51 . 2008-04-14 03:51 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 13:47 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-04-17 13:47 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-17 13:47 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-17 13:47 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-04 15:27 2,560 ----a-w C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-26 15:37 91,700 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-02-26 15:37 85,860 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-02-26 15:36 --------- d-----w C:\Program Files\Kaspersky Lab
2008-02-26 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-25 20:40 --------- d-----w C:\Program Files\Panda Security
2008-02-25 18:12 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-25 15:16 --------- d-----w C:\Documents and Settings\Jamael\Application Data\Malwarebytes
2008-02-25 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 17:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-20 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-20 03:04 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-17 03:21 2,856 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-08 22:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2006-05-12 16:29 59,504 ----a-w C:\Documents and Settings\Jamael\Application Data\GDIPFONTCACHEV1.DAT
2005-05-22 13:36 271 --sh--w C:\Program Files\desktop.ini
2005-05-22 13:36 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot_2008-04-14_23.14.18.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.exe" [2007-12-17 17:13 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-26 13:59 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 mchInjDrv;madCodeHook DLL injection driver;C:\WINDOWS\system32\Drivers\mchInjDrv.sys [2008-03-04 11:27]
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-09-13 15:33]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 15:13:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 09:50:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-17 9:54:02 - machine was rebooted
ComboFix5.txt 2008-02-25 04:30:52
ComboFix-quarantined-files.txt 2008-04-17 13:53:46
ComboFix4.txt 2008-04-14 05:26:36
ComboFix3.txt 2008-04-15 03:16:06
ComboFix2.txt 2008-04-16 03:45:00

Pre-Run: 82,865,913,856 bytes free
Post-Run: 83,049,775,104 bytes free
.
2008-04-14 07:41:17 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:20 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~2.EXE" -quiet
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5115 bytes
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP