Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

persistant trojan in registry- hijack this log enclosed [RESOLVED]


  • This topic is locked This topic is locked

#1
desireejassel

desireejassel

    Member

  • Member
  • PipPip
  • 43 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:21 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aprotecti.../test/?c=419608
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ddcYsRHB.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ovotmtab] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ovotmtab.dll"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Ruben\cftmon.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [jqhcnidg] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\fahsj.drv" WLEntryPoint
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Ruben\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKLM\..\Run: [msvtt] C:\WINDOWS\system32\gavurjjf.exe
O4 - HKLM\..\Run: [DriveSystem] C:\WINDOWS\system32\maxpaynowti1.exe
O4 - HKLM\..\Run: [SystemDrive] C:\WINDOWS\system32\maxpaynow1.exe
O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKLM\..\Run: [msdefender.exe] C:\WINDOWS\system32\msdefender.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [sZoIKae42S] C:\Documents and Settings\All Users\Application Data\tefobujm\twjubqtu.exe
O4 - HKLM\..\Policies\Explorer\Run: [tofedcbi] rundll32.exe "C:\WINDOWS\system32\japojatkrap.dll" WLEntryPoint
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservice...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - http://www.ieservice...om/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ojmpsfal.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ojmpsfal.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{66333E9F-5D3E-489A-969C-F66A0CA943FB}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{840F6939-5CE0-41B9-97ED-B982838F4EAF}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC4317AA-4621-4129-8631-84FCF2952B24}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{F21549E4-71CF-4F48-AD0D-92B9AACC5BCA}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\..\{66333E9F-5D3E-489A-969C-F66A0CA943FB}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS3\Services\Tcpip\..\{66333E9F-5D3E-489A-969C-F66A0CA943FB}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: ddcysrhb - C:\WINDOWS\SYSTEM32\ddcYsRHB.dll
O20 - Winlogon Notify: pgbitgbilsfal - C:\WINDOWS\SYSTEM32\pgbitgbilsfal.dll
O20 - Winlogon Notify: wlctrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O21 - SSODL: DrvSys - {7021957c-9195-4357-84c1-f696a7614968} - C:\WINDOWS\Installer\{7021957c-9195-4357-84c1-f696a7614968}\DrvSys.dll
O21 - SSODL: PWakHPt - {884362D3-22E9-C879-60AE-B7168DB7B43B} - C:\WINDOWS\system32\qanh.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - C:\WINDOWS\system32\rkvdr.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityShellHWDetection (fastuserswitchingcompatibilityshellhwdetection) - Unknown owner - C:\WINDOWS\system32\advpacku.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: Automatic Updates wuauservAppMgmt (wuauservappmgmt) - Unknown owner - C:\DOCUME~1\Ruben\LOCALS~1\Temp\8.tmp.exe (file missing)

--
End of file - 8888 bytes
  • 0

Advertisements


#2
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, desireejassel :)

Welcome.

Please print these instructions for reference, as you will have to restart your computer during the fix.

Please download FixWareout from Here or Here.

Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.
  • Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • If your firewall gives an alert, (because this tool will download an additional files from the internet), please don't let your firewall block it, but allow it instead.
  • You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
  • Once the desktop loads a text file will open (report.txt).
    Please post the C:\fixwareout\report.txt ) into this topic.
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
hi thanks for the help. Am I supposed to install this in safe mode or regular? I cant seem to do anything in regular mode,the minute it starts up i get a system32/rundll32.exe pop up and its all down hill from there. It freezes up and I am not able to click on anything. Im using a separate computer to download this program on usb drive and use that on the infected laptop. Im sorry for any confusion.
  • 0

#4
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Everything will be in Normal Mode unless indicated.
  • 0

#5
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Theres no way I can do anything in normal mode. It freezes up on me. task bar is non functional, background is blue, i have multiple bogus antivirus popups and internet is also non functional.

So this is from safe mode


Username "Administrator" - 04/15/2008 19:17:54 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdprx.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.140 85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{66333E9F-5D3E-489A-969C-F66A0CA943FB}
"nameserver"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{840F6939-5CE0-41B9-97ED-B982838F4EAF}
"nameserver"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BC4317AA-4621-4129-8631-84FCF2952B24}
"nameserver"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F21549E4-71CF-4F48-AD0D-92B9AACC5BCA}
"nameserver"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BC4317AA-4621-4129-8631-84FCF2952B24}
"DhcpNameServer"="85.255.113.140,85.255.112.93" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F21549E4-71CF-4F48-AD0D-92B9AACC5BCA}
"DhcpNameServer"="85.255.113.140,85.255.112.93" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
C:\WINDOWS\desktop.html Deleted
C:\WINDOWS\xpupdate.exe Deleted
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdprx.ren 81920 08/04/2004


C:\Program Files\BraveSentry < Found
Additional tools are recommended.

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"
"ISBMgr.exe"="C:\\Program Files\\Sony\\ISB Utility\\ISBMgr.exe"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ovotmtab"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\ovotmtab.dll\""
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\LocalService\\cftmon.exe"
"BluetoothAuthorizationAgent"="C:\\WINDOWS\\system32\\BluetoothAuthorizationAgent.exe"
"jqhcnidg"="rundll32.exe \"C:\\DOCUME~1\\Ruben\\LOCALS~1\\Temp\\fahsj.drv\" WLEntryPoint"
"jdgf894jrghoiiskd"="C:\\DOCUME~1\\Ruben\\LOCALS~1\\Temp\\winlogan.exe"
"csrss"="C:\\WINDOWS\\system32\\wbem\\csrss.exe"
"msvtt"="C:\\WINDOWS\\system32\\gavurjjf.exe"
"DriveSystem"="C:\\WINDOWS\\system32\\maxpaynowti1.exe"
"SystemDrive"="C:\\WINDOWS\\system32\\maxpaynow1.exe"
"taskmon"="C:\\WINDOWS\\taskmon.exe"
"PromoReg"="C:\\WINDOWS\\system32\\alt.exe.exe"
"msdefender.exe"="C:\\WINDOWS\\system32\\msdefender.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spoolsv"="C:\\WINDOWS\\system32\\spoolvs.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Jnskdfmf9eldfd"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\csrssc.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Edited by desireejassel, 15 April 2008 - 08:52 PM.

  • 0

#6
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
ComboFix 08-04-13.3 - Administrator 2008-04-15 21:36:30.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.364 [GMT -5:00]
Running from: F:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Ruben\Application Data\Anti-Virus-Pro.com
C:\Documents and Settings\Ruben\Start Menu\Programs\Brave-Sentry
C:\Documents and Settings\Ruben\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk
C:\Documents and Settings\Ruben\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
C:\Documents and Settings\Ruben\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Ruben\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Ruben\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Ruben\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Ruben\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Ruben\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\AntiVirusPro
C:\Program Files\bravesentry
C:\Program Files\bravesentry\BraveSentry.exe
C:\Program Files\bravesentry\BraveSentry.lic
C:\Program Files\bravesentry\BraveSentry0.bs
C:\Program Files\bravesentry\BraveSentry1.bs
C:\Program Files\bravesentry\Uninstall.exe
C:\Program Files\Helper
C:\Program Files\Helper\1208089291.dll
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\NetProject
C:\Program Files\NetProject\ot.ico
C:\Program Files\NetProject\sbmdl.dll
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\NetProject\ts.ico
C:\Program Files\NetProject\waun.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\scurit~1
C:\Program Files\scurit~1\s?curity\
C:\Program Files\scurit~1\svchost.exe
C:\Program Files\SystemDefender
C:\Program Files\VirusHeat 4.3
C:\Program Files\VirusHeat 4.3\blacklist.txt
C:\Program Files\VirusHeat 4.3\ignored.lst
C:\Program Files\VirusHeat 4.3\Lang\English.ini
C:\Program Files\VirusHeat 4.3\msvcp71.dll
C:\Program Files\VirusHeat 4.3\msvcr71.dll
C:\Program Files\VirusHeat 4.3\uninst.exe
C:\Program Files\VirusHeat 4.3\vht.dat
C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.url
C:\Program Files\VirusHeat 4.3\vpp.ini
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\whagent.ini
C:\WINDOWS\conf.inf
C:\WINDOWS\Installer\{7021957c-9195-4357-84c1-f696a7614968}
C:\WINDOWS\Installer\{7021957c-9195-4357-84c1-f696a7614968}\DrvSys.dll
C:\WINDOWS\kavir.exe
C:\WINDOWS\ky.sxc
C:\WINDOWS\lfn.exe
C:\WINDOWS\mscon.sio
C:\WINDOWS\nivavir.config
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\sZoIKae42Swp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\000060.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\000090.exe
C:\WINDOWS\system32\12274992141.dll
C:\WINDOWS\system32\215651\215651.dll
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\byXPJCvt.dll
C:\WINDOWS\system32\ddcYsRHB.dll
C:\WINDOWS\system32\drivers\asc3550p.sys
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\Wfn08.sys
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\msdefender.exe
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\rkvdr.dll
C:\WINDOWS\system32\rqRhIYpM.dll
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\tuvVOEwx.dll
C:\WINDOWS\system32\tvCJPXyb.ini
C:\WINDOWS\system32\tvCJPXyb.ini2
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\WGOponpo.ini
C:\WINDOWS\system32\WGOponpo.ini2
C:\WINDOWS\system32\wind32.exe
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\WLCtrl32.dl_
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wnsxs~1\t?skmgr.exe
C:\WINDOWS\system32\xkpisxen.dll
C:\WINDOWS\taskmon.exe
C:\WINDOWS\Temp\1396886080.exe
C:\WINDOWS\winself.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P
-------\Legacy_icf
-------\Legacy_wfn08
-------\Service_asc3550p
-------\Service_ICF
-------\Service_Wfn08
-------\Service_wfn08
-------\Legacy_MSSysInterv1
-------\Legacy_Schedule
-------\MSSysInterv1
-------\Schedule


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 19:31 . 2008-04-15 19:31 101,156 --a------ C:\WINDOWS\BM8b7051e1.xml
2008-04-15 19:17 . 2008-04-15 19:29 <DIR> d-------- C:\fixwareout
2008-04-15 18:53 . 2008-04-15 18:53 269,334 --a------ C:\WINDOWS\system32\fepojilsrilgf.bmp
2008-04-15 18:51 . 2008-04-15 18:51 269,334 --a------ C:\WINDOWS\system32\jilsjehojatsb.bmp
2008-04-15 18:44 . 2008-04-15 18:44 269,334 --a------ C:\WINDOWS\system32\kjalgr.bmp
2008-04-14 11:26 . 2008-04-14 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 10:04 . 2008-04-14 10:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-04-14 07:21 . 2008-04-14 07:22 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-13 13:33 . 2008-04-13 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-13 13:16 . 2008-04-13 13:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-04-13 13:03 . 2008-04-13 13:03 269,334 --a------ C:\WINDOWS\system32\qhkfqdor.bmp
2008-04-13 10:58 . 2008-04-13 10:58 269,334 --a------ C:\WINDOWS\system32\lknadcn.bmp
2008-04-13 08:30 . 2008-04-13 08:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 08:10 . 2008-04-13 08:10 269,334 --a------ C:\WINDOWS\system32\etcfmpon.bmp
2008-04-13 08:04 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-13 08:04 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-13 08:03 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-13 08:03 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-13 08:03 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-13 08:03 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-13 08:03 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-13 08:03 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-13 08:02 . 2008-04-13 08:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-13 08:02 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-13 08:02 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-13 08:02 . 2003-03-18 13:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-13 08:02 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-13 08:02 . 2003-02-20 21:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-13 07:52 . 2008-04-13 07:52 37,888 -r-hs---- C:\WINDOWS\system32\3532924907m.exe
2008-04-13 07:42 . 2008-04-13 07:42 15 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2008-04-13 07:33 . 2008-04-13 07:33 269,334 --a------ C:\WINDOWS\system32\rmhknid.bmp
2008-04-13 07:32 . 2008-04-13 07:32 66,864 --ahs---- C:\Documents and Settings\LocalService\cftmon.exe
2008-04-13 07:27 . 2008-04-13 07:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 07:27 . 2008-04-13 07:27 22,016 --ahs---- C:\WINDOWS\system32\accesse.dll
2008-04-13 07:26 . 2008-04-13 07:26 47,104 --a------ C:\A0.tmp
2008-04-13 07:26 . 2008-04-13 07:25 37,888 -r-hs---- C:\WINDOWS\system32\advpacku.exe
2008-04-13 07:26 . 2008-04-13 07:26 3,276 --a------ C:\A1.tmp
2008-04-13 07:26 . 2008-04-13 07:26 3,276 --a------ C:\9F.tmp
2008-04-13 07:26 . 2008-04-13 07:27 86 --a-s---- C:\WINDOWS\system32\3532924907.dat
2008-04-13 07:25 . 2008-04-15 19:51 <DIR> d-------- C:\WINDOWS\system32\215651
2008-04-13 07:25 . 2008-04-13 07:25 391,168 --a------ C:\WINDOWS\system32\alt.exe.exe
2008-04-13 07:25 . 2008-04-13 07:25 132,096 --a------ C:\WINDOWS\system32\shift.exe.exe
2008-04-13 07:25 . 2008-04-13 07:25 38,400 --a------ C:\WINDOWS\mrofinu27.exe
2008-04-13 07:25 . 2008-04-13 07:25 37,888 -r-hs---- C:\WINDOWS\system32\admparses.exe
2008-04-13 07:25 . 2008-04-13 07:35 7,168 --a------ C:\WINDOWS\win32ole.dll
2008-04-13 07:24 . 2004-08-04 01:56 113,664 --a------ C:\WINDOWS\system32\ilsbelknidg.sys
2008-04-13 07:24 . 2008-04-13 07:24 40,960 --a------ C:\WINDOWS\system32\vedxga3me2.exe
2008-04-13 07:24 . 2008-04-13 07:24 22,528 --a------ C:\WINDOWS\system32\vedxg4am1et2.exe
2008-04-13 07:24 . 2008-04-13 07:24 20,988 --a------ C:\WINDOWS\system32\vedxga1me4t1.exe
2008-04-13 07:24 . 2008-04-13 07:24 20,988 --a------ C:\WINDOWS\system32\maxpaynow1.exe
2008-04-13 07:24 . 2008-04-13 07:24 19,456 --a------ C:\WINDOWS\system32\vedxg6ame4.exe
2008-04-13 07:23 . 2008-04-13 07:23 1,086,376 --a------ C:\Documents and Settings\Ruben\Application Data\Install.dat
2008-04-13 07:23 . 2008-04-13 07:22 21,874 --a------ C:\WINDOWS\system32\maxpaynowti1.exe
2008-04-13 07:22 . 2008-04-13 07:22 40,310 --a------ C:\WINDOWS\system32\dllgh8jkd1q2.exe
2008-04-13 07:22 . 2008-04-13 07:22 22,078 --a------ C:\WINDOWS\system32\dllgh8jkd1q7.exe
2008-04-13 07:22 . 2008-04-13 07:22 21,874 --a------ C:\WINDOWS\system32\dllgh8jkd1q5.exe
2008-04-13 07:22 . 2008-04-13 07:22 21,642 --a------ C:\WINDOWS\system32\dllgh8jkd1q6.exe
2008-04-13 07:21 . 2008-04-13 07:19 61,952 --a------ C:\WINDOWS\system32\gavurjjf.exe
2008-04-13 07:20 . 2008-04-13 07:20 20,426 --a------ C:\WINDOWS\system32\dllgh8jkd1q1.exe
2008-04-13 07:20 . 2008-04-13 07:22 2 --a------ C:\-2008849710
2008-04-13 07:19 . 2008-04-13 07:19 61,952 --a------ C:\gavurjjf.exe
2008-04-13 07:19 . 2008-04-13 07:19 58,880 --a------ C:\lilsesn.exe
2008-04-13 07:19 . 2008-04-13 07:19 55,218 --a------ C:\WINDOWS\zeqbqwp.sys
2008-04-13 07:19 . 2008-04-13 07:19 13,312 --a------ C:\gjtxc.exe
2008-04-13 07:19 . 2008-04-13 07:19 10,000 --a------ C:\WINDOWS\system32\jfiehayd.dll
2008-04-13 07:19 . 2008-04-13 07:52 47 --a------ C:\smp.bat
2008-04-13 07:19 . 2008-04-13 07:19 29 --a------ C:\WINDOWS\system32\uqfudaid.tmp
2008-04-13 07:18 . 2008-04-13 07:18 269,334 --a------ C:\WINDOWS\system32\atknqpsnel.bmp
2008-04-13 07:18 . 2008-04-13 10:58 82,008 --ahs---- C:\Documents and Settings\Ruben\cftmon.exe
2008-04-13 07:18 . 2008-04-13 07:18 12,800 --a------ C:\pOXJ.exe
2008-04-13 07:06 . 2008-04-13 07:06 <DIR> d-------- C:\WINDOWS\cuawsppw
2008-04-13 07:06 . 2008-04-13 07:08 <DIR> d-------- C:\Program Files\Bat
2008-04-13 07:06 . 2008-04-13 07:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tefobujm
2008-04-13 07:06 . 2008-04-13 07:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-13 07:06 . 2008-04-13 07:06 196,096 --a------ C:\WINDOWS\klelityl.dll
2008-04-13 07:06 . 2008-04-13 07:06 94,208 --a------ C:\WINDOWS\system32\hspmfqlc.exe
2008-04-13 07:06 . 2008-04-13 07:06 70,144 --a------ C:\WINDOWS\fgvcjmbs.dll
2008-04-13 07:06 . 2008-04-13 07:06 70,144 --a------ C:\Documents and Settings\All Users\Application Data\ovotmtab.dll
2008-04-13 07:05 . 2008-04-13 07:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-13 07:05 . 2008-04-13 07:05 41,724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-04-13 07:05 . 2008-04-13 07:05 6,656 --a------ C:\WINDOWS\s.dll
2008-04-11 14:44 . 2008-04-11 14:44 187,904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 11:44 . 2008-04-13 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 11:44 . 2008-04-09 11:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-30 08:02 . 2008-03-30 08:02 190,464 --a------ C:\WINDOWS\system32\luapvs.dll
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\Ruben\Application Data\MSN6
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-17 23:00 . 2008-03-17 23:01 <DIR> d-------- C:\Documents and Settings\Ruben\Application Data\Walgreens
2008-03-17 22:48 . 2008-03-17 22:59 <DIR> d-------- C:\WINDOWS\NKCCDViewerSetting

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 12:18 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-09 02:55 --------- d-----w C:\Documents and Settings\Ruben\Application Data\LimeWire
2008-03-14 00:05 --------- d-----w C:\Program Files\Azureus
2008-03-14 00:05 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Azureus
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motport_01005.Wdf
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-03-03 22:15 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-03 22:13 --------- d-----w C:\Program Files\Avanquest update
2008-03-03 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-03 22:08 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-03 22:08 --------- d-----w C:\Documents and Settings\Ruben\Application Data\InstallShield
2008-03-03 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-01 05:38 --------- d-----w C:\Program Files\Apple Software Update
2008-03-01 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-01 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Common Files\Kodak
2008-03-01 05:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Snapfish
2008-02-23 15:58 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Ahead
2008-02-09 22:46 6,144 ----a-w C:\wintogi.exe
2008-02-09 22:46 6,144 ----a-w C:\WINDOWS\ons.dll
.

------- Sigcheck -------

2001-08-18 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-13 07:18 17408 c357a9031d4c637112df2a4a8fa21ac4 C:\WINDOWS\system32\svchost.exe

2001-08-18 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-18 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 01:56 506368 b270125e1557a24f8de54857d8199dcf C:\WINDOWS\system32\winlogon.exe

2004-08-04 01:56 1034752 99641a4d634ddf0403ac065c51b365e7 C:\WINDOWS\explorer.exe
2001-08-18 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
2008-04-13 07:19 10000 --a------ C:\WINDOWS\system32\jfiehayd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 14:56 45056]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 15:12 32768]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 13:25 14720000 C:\WINDOWS\RTHDCPL.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-29 14:33 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-29 14:33 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-29 14:33 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"jqhcnidg"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\indco.drv WLEntryPoint" [ ]
"jdgf894jrghoiiskd"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\winlogan.exe" [ ]
"msvtt"="C:\WINDOWS\system32\gavurjjf.exe" [2008-04-13 07:19 61952]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 12:37 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"fssbmoec"= rundll32.exe "C:\WINDOWS\system32\japojatkrap.dll" WLEntryPoint

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [2008-04-13 07:19 10000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PWakHPt"= {884362D3-22E9-C879-60AE-B7168DB7B43B} - C:\WINDOWS\system32\qanh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pgbitgbilsfal]
pgbitgbilsfal.dll 2004-08-04 01:56 113664 C:\WINDOWS\system32\pgbitgbilsfal.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 18:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1733:TCP"= 1733:TCP:@xpsp2res.dll,-22005
"39688:TCP"= 39688:TCP:@xpsp2res.dll,-22005
"35799:TCP"= 35799:TCP:@xpsp2res.dll,-22005
"4218:TCP"= 4218:TCP:@xpsp2res.dll,-22005

S1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 12:31]
S1 zeqbqwp;zeqbqwp;C:\WINDOWS\zeqbqwp.sys [2008-04-13 07:19]
S2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S2 fastuserswitchingcompatibilityshellhwdetection;Fast User Switching Compatibility FastUserSwitchingCompatibilityShellHWDetection;C:\WINDOWS\system32\advpacku.exe [2008-04-13 07:25]
S2 wuauservappmgmt;Automatic Updates wuauservAppMgmt;C:\DOCUME~1\Ruben\LOCALS~1\Temp\8.tmp []
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 15:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 15:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 05:38:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 21:38:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wuauservappmgmt]
"ImagePath"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\8.tmp srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ojmpsfal.dll
.
Completion time: 2008-04-15 21:38:42
ComboFix-quarantined-files.txt 2008-04-16 02:38:34

Pre-Run: 72,152,510,464 bytes free
Post-Run: 72,143,077,376 bytes free

-----------------------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++
-----------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:54 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aprotecti.../test/?c=419608
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jqhcnidg] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\dsgjeicpr.sys" WLEntryPoint
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Ruben\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [msvtt] C:\WINDOWS\system32\gavurjjf.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [fssbmoec] rundll32.exe "C:\WINDOWS\system32\japojatkrap.dll" WLEntryPoint
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ojmpsfal.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ojmpsfal.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS3\Services\Tcpip\..\{66333E9F-5D3E-489A-969C-F66A0CA943FB}: NameServer = 85.255.113.140,85.255.112.93
O20 - Winlogon Notify: pgbitgbilsfal - C:\WINDOWS\SYSTEM32\pgbitgbilsfal.dll
O21 - SSODL: PWakHPt - {884362D3-22E9-C879-60AE-B7168DB7B43B} - C:\WINDOWS\system32\qanh.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityShellHWDetection (fastuserswitchingcompatibilityshellhwdetection) - Unknown owner - C:\WINDOWS\system32\advpacku.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: Automatic Updates wuauservAppMgmt (wuauservappmgmt) - Unknown owner - C:\DOCUME~1\Ruben\LOCALS~1\Temp\8.tmp.exe (file missing)

--
End of file - 5489 bytes

Edited by desireejassel, 15 April 2008 - 08:49 PM.

  • 0

#7
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, desireejassel :)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\WINDOWS\BM8b7051e1.xml
C:\WINDOWS\system32\fepojilsrilgf.bmp
C:\WINDOWS\system32\jilsjehojatsb.bmp
C:\WINDOWS\system32\kjalgr.bmp
C:\WINDOWS\system32\qhkfqdor.bmp
C:\WINDOWS\system32\lknadcn.bmp
C:\WINDOWS\system32\etcfmpon.bmp
C:\WINDOWS\system32\3532924907m.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\rmhknid.bmp
C:\Documents and Settings\LocalService\cftmon.exe
C:\WINDOWS\system32\accesse.dll
C:\A0.tmp
C:\WINDOWS\system32\advpacku.exe
C:\A1.tmp
C:\9F.tmp
C:\WINDOWS\system32\3532924907.dat
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\shift.exe.exe
C:\WINDOWS\mrofinu27.exe
C:\WINDOWS\system32\admparses.exe
C:\WINDOWS\win32ole.dll
C:\WINDOWS\system32\ilsbelknidg.sys
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\maxpaynow1.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\Documents and Settings\Ruben\Application Data\Install.dat
C:\WINDOWS\system32\maxpaynowti1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\gavurjjf.exe
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\-2008849710
C:\gavurjjf.exe
C:\lilsesn.exe
C:\WINDOWS\zeqbqwp.sys
C:\gjtxc.exe
C:\WINDOWS\system32\jfiehayd.dll
C:\smp.bat
C:\WINDOWS\system32\uqfudaid.tmp
C:\WINDOWS\system32\atknqpsnel.bmp
C:\Documents and Settings\Ruben\cftmon.exe
C:\pOXJ.exe
C:\WINDOWS\klelityl.dll
C:\WINDOWS\system32\hspmfqlc.exe
C:\WINDOWS\fgvcjmbs.dll
C:\Documents and Settings\All Users\Application Data\ovotmtab.dll
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\s.dll
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\WINDOWS\system32\luapvs.dll
C:\wintogi.exe
C:\WINDOWS\ons.dll
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motport_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
C:\Documents and Settings\Ruben\Local Settings\Temp\8.tmp
C:\Documents and Settings\Ruben\Local Settings\Temp\indco.drv
C:\WINDOWS\system32\gavurjjf.exe
C:\Documents and Settings\Ruben\Local Settings\Temp\winlogan.exe
C:\WINDOWS\system32\japojatkrap.dll
C:\WINDOWS\system32\pgbitgbilsfal.dll

Folder::
C:\WINDOWS\system32\215651
C:\WINDOWS\cuawsppw
C:\Program Files\Bat
C:\Documents and Settings\All Users\Application Data\tefobujm
C:\Documents and Settings\All Users\Application Data\Rabio

Driver::
zeqbqwp
fastuserswitchingcompatibilityshellhwdetection
wuauservappmgmt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jqhcnidg"=-
"jdgf894jrghoiiskd"=-
"msvtt"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"fssbmoec"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"==
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PWakHPt"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pgbitgbilsfal]


FMOVE::
C:\WINDOWS\ServicePackFiles\i386\svchost.exe|C:\WINDOWS\system32\svchost.exe


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..
  • 0

#8
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Edited: Fix appeared as one line, thereby affecting the Screen resolution.

Edited by JSntgRvr, 16 April 2008 - 12:10 PM.

  • 0

#9
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
That didn't work.

Download the enclosed CFScript.txt and save it on your desktop close to Combofix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..
  • 0

#10
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
ComboFix 08-04-13.3 - Administrator 2008-04-16 15:52:29.5 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.381 [GMT -5:00]
Running from: F:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\A1.tmp C:\9F.tmp C:\WINDOWS\system32\3532924907.dat
C:\Documents and Settings\LocalService\cftmon.exe
C:\WINDOWS\mrofinu27.exe C:\WINDOWS\system32\admparses.exe
C:\WINDOWS\system32\accesse.dll C:\A0.tmp C:\WINDOWS\system32\advpacku.exe
C:\WINDOWS\system32\alt.exe.exe C:\WINDOWS\system32\shift.exe.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe C:\WINDOWS\system32\rmhknid.bmp
C:\WINDOWS\system32\etcfmpon.bmp C:\WINDOWS\system32\3532924907m.exe
C:\WINDOWS\system32\jilsjehojatsb.bmp C:\WINDOWS\system32\kjalgr.bmp
C:\WINDOWS\system32\qhkfqdor.bmp C:\WINDOWS\system32\lknadcn.bmp
C:\WINDOWS\system32\vedxg6ame4.exe C:\Documents and Settings\Ruben\Application
C:\WINDOWS\system32\vedxga1me4t1.exe C:\WINDOWS\system32\maxpaynow1.exe
C:\WINDOWS\system32\vedxga3me2.exe C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\win32ole.dll C:\WINDOWS\system32\ilsbelknidg.sys
Data\Install.dat C:\WINDOWS\system32\maxpaynowti1.exe
File:: C:\WINDOWS\BM8b7051e1.xml C:\WINDOWS\system32\fepojilsrilgf.bmp
.

((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 19:31 . 2008-04-15 19:31 101,156 --a------ C:\WINDOWS\BM8b7051e1.xml
2008-04-15 19:17 . 2008-04-15 19:29 <DIR> d-------- C:\fixwareout
2008-04-15 18:53 . 2008-04-15 18:53 269,334 --a------ C:\WINDOWS\system32\fepojilsrilgf.bmp
2008-04-15 18:51 . 2008-04-15 18:51 269,334 --a------ C:\WINDOWS\system32\jilsjehojatsb.bmp
2008-04-15 18:44 . 2008-04-15 18:44 269,334 --a------ C:\WINDOWS\system32\kjalgr.bmp
2008-04-14 11:26 . 2008-04-14 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 10:04 . 2008-04-14 10:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-04-14 07:21 . 2008-04-14 07:22 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-13 13:33 . 2008-04-13 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-13 13:16 . 2008-04-13 13:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-04-13 13:03 . 2008-04-13 13:03 269,334 --a------ C:\WINDOWS\system32\qhkfqdor.bmp
2008-04-13 10:58 . 2008-04-13 10:58 269,334 --a------ C:\WINDOWS\system32\lknadcn.bmp
2008-04-13 08:30 . 2008-04-13 08:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 08:10 . 2008-04-13 08:10 269,334 --a------ C:\WINDOWS\system32\etcfmpon.bmp
2008-04-13 08:04 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-13 08:04 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-13 08:03 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-13 08:03 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-13 08:03 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-13 08:03 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-13 08:03 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-13 08:03 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-13 08:02 . 2008-04-13 08:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-13 08:02 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-13 08:02 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-13 08:02 . 2003-03-18 13:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-13 08:02 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-13 08:02 . 2003-02-20 21:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-13 07:52 . 2008-04-13 07:52 37,888 -r-hs---- C:\WINDOWS\system32\3532924907m.exe
2008-04-13 07:42 . 2008-04-13 07:42 15 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2008-04-13 07:33 . 2008-04-13 07:33 269,334 --a------ C:\WINDOWS\system32\rmhknid.bmp
2008-04-13 07:27 . 2008-04-13 07:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 07:27 . 2008-04-13 07:27 22,016 --ahs---- C:\WINDOWS\system32\accesse.dll
2008-04-13 07:26 . 2008-04-13 07:26 47,104 --a------ C:\A0.tmp
2008-04-13 07:26 . 2008-04-13 07:25 37,888 -r-hs---- C:\WINDOWS\system32\advpacku.exe
2008-04-13 07:26 . 2008-04-13 07:26 3,276 --a------ C:\A1.tmp
2008-04-13 07:26 . 2008-04-13 07:26 3,276 --a------ C:\9F.tmp
2008-04-13 07:26 . 2008-04-13 07:27 86 --a-s---- C:\WINDOWS\system32\3532924907.dat
2008-04-13 07:25 . 2008-04-15 19:51 <DIR> d-------- C:\WINDOWS\system32\215651
2008-04-13 07:25 . 2008-04-13 07:25 391,168 --a------ C:\WINDOWS\system32\alt.exe.exe
2008-04-13 07:25 . 2008-04-13 07:25 132,096 --a------ C:\WINDOWS\system32\shift.exe.exe
2008-04-13 07:25 . 2008-04-13 07:25 38,400 --a------ C:\WINDOWS\mrofinu27.exe
2008-04-13 07:25 . 2008-04-13 07:25 37,888 -r-hs---- C:\WINDOWS\system32\admparses.exe
2008-04-13 07:25 . 2008-04-13 07:35 7,168 --a------ C:\WINDOWS\win32ole.dll
2008-04-13 07:24 . 2004-08-04 01:56 113,664 --a------ C:\WINDOWS\system32\ilsbelknidg.sys
2008-04-13 07:24 . 2008-04-13 07:24 40,960 --a------ C:\WINDOWS\system32\vedxga3me2.exe
2008-04-13 07:24 . 2008-04-13 07:24 22,528 --a------ C:\WINDOWS\system32\vedxg4am1et2.exe
2008-04-13 07:24 . 2008-04-13 07:24 20,988 --a------ C:\WINDOWS\system32\vedxga1me4t1.exe
2008-04-13 07:24 . 2008-04-13 07:24 20,988 --a------ C:\WINDOWS\system32\maxpaynow1.exe
2008-04-13 07:24 . 2008-04-13 07:24 19,456 --a------ C:\WINDOWS\system32\vedxg6ame4.exe
2008-04-13 07:23 . 2008-04-13 07:23 1,086,376 --a------ C:\Documents and Settings\Ruben\Application Data\Install.dat
2008-04-13 07:23 . 2008-04-13 07:22 21,874 --a------ C:\WINDOWS\system32\maxpaynowti1.exe
2008-04-13 07:22 . 2008-04-13 07:22 40,310 --a------ C:\WINDOWS\system32\dllgh8jkd1q2.exe
2008-04-13 07:22 . 2008-04-13 07:22 22,078 --a------ C:\WINDOWS\system32\dllgh8jkd1q7.exe
2008-04-13 07:22 . 2008-04-13 07:22 21,874 --a------ C:\WINDOWS\system32\dllgh8jkd1q5.exe
2008-04-13 07:22 . 2008-04-13 07:22 21,642 --a------ C:\WINDOWS\system32\dllgh8jkd1q6.exe
2008-04-13 07:21 . 2008-04-13 07:19 61,952 --a------ C:\WINDOWS\system32\gavurjjf.exe
2008-04-13 07:20 . 2008-04-13 07:20 20,426 --a------ C:\WINDOWS\system32\dllgh8jkd1q1.exe
2008-04-13 07:20 . 2008-04-13 07:22 2 --a------ C:\-2008849710
2008-04-13 07:19 . 2008-04-13 07:19 61,952 --a------ C:\gavurjjf.exe
2008-04-13 07:19 . 2008-04-13 07:19 58,880 --a------ C:\lilsesn.exe
2008-04-13 07:19 . 2008-04-13 07:19 55,218 --a------ C:\WINDOWS\zeqbqwp.sys
2008-04-13 07:19 . 2008-04-13 07:19 13,312 --a------ C:\gjtxc.exe
2008-04-13 07:19 . 2008-04-13 07:19 10,000 --a------ C:\WINDOWS\system32\jfiehayd.dll
2008-04-13 07:19 . 2008-04-13 07:52 47 --a------ C:\smp.bat
2008-04-13 07:19 . 2008-04-13 07:19 29 --a------ C:\WINDOWS\system32\uqfudaid.tmp
2008-04-13 07:18 . 2008-04-13 07:18 269,334 --a------ C:\WINDOWS\system32\atknqpsnel.bmp
2008-04-13 07:18 . 2008-04-13 10:58 82,008 --ahs---- C:\Documents and Settings\Ruben\cftmon.exe
2008-04-13 07:18 . 2008-04-13 07:18 12,800 --a------ C:\pOXJ.exe
2008-04-13 07:06 . 2008-04-13 07:06 <DIR> d-------- C:\WINDOWS\cuawsppw
2008-04-13 07:06 . 2008-04-13 07:08 <DIR> d-------- C:\Program Files\Bat
2008-04-13 07:06 . 2008-04-13 07:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\tefobujm
2008-04-13 07:06 . 2008-04-13 07:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-13 07:06 . 2008-04-13 07:06 196,096 --a------ C:\WINDOWS\klelityl.dll
2008-04-13 07:06 . 2008-04-13 07:06 94,208 --a------ C:\WINDOWS\system32\hspmfqlc.exe
2008-04-13 07:06 . 2008-04-13 07:06 70,144 --a------ C:\WINDOWS\fgvcjmbs.dll
2008-04-13 07:06 . 2008-04-13 07:06 70,144 --a------ C:\Documents and Settings\All Users\Application Data\ovotmtab.dll
2008-04-13 07:05 . 2008-04-13 07:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-13 07:05 . 2008-04-13 07:05 41,724 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
2008-04-13 07:05 . 2008-04-13 07:05 6,656 --a------ C:\WINDOWS\s.dll
2008-04-11 14:44 . 2008-04-11 14:44 187,904 ---hs---- C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 11:44 . 2008-04-13 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 11:44 . 2008-04-09 11:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-30 08:02 . 2008-03-30 08:02 190,464 --a------ C:\WINDOWS\system32\luapvs.dll
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\Ruben\Application Data\MSN6
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-17 23:00 . 2008-03-17 23:01 <DIR> d-------- C:\Documents and Settings\Ruben\Application Data\Walgreens
2008-03-17 22:48 . 2008-03-17 22:59 <DIR> d-------- C:\WINDOWS\NKCCDViewerSetting

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 12:18 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-09 02:55 --------- d-----w C:\Documents and Settings\Ruben\Application Data\LimeWire
2008-03-14 00:05 --------- d-----w C:\Program Files\Azureus
2008-03-14 00:05 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Azureus
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motport_01005.Wdf
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-03-03 22:41 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-03-03 22:15 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-03 22:13 --------- d-----w C:\Program Files\Avanquest update
2008-03-03 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-03 22:08 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-03 22:08 --------- d-----w C:\Documents and Settings\Ruben\Application Data\InstallShield
2008-03-03 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-01 05:38 --------- d-----w C:\Program Files\Apple Software Update
2008-03-01 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-01 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Common Files\Kodak
2008-03-01 05:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Snapfish
2008-02-23 15:58 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Ahead
2008-02-09 22:46 6,144 ----a-w C:\wintogi.exe
2008-02-09 22:46 6,144 ----a-w C:\WINDOWS\ons.dll
.

------- Sigcheck -------

2001-08-18 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-13 07:18 17408 c357a9031d4c637112df2a4a8fa21ac4 C:\WINDOWS\system32\svchost.exe

2001-08-18 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-18 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 01:56 506368 b270125e1557a24f8de54857d8199dcf C:\WINDOWS\system32\winlogon.exe

2004-08-04 01:56 1034752 99641a4d634ddf0403ac065c51b365e7 C:\WINDOWS\explorer.exe
2001-08-18 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( [email protected]_21.38.28.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 01:05:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-16 20:40:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
2008-04-13 07:19 10000 --a------ C:\WINDOWS\system32\jfiehayd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 14:56 45056]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 15:12 32768]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 13:25 14720000 C:\WINDOWS\RTHDCPL.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-29 14:33 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-29 14:33 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-29 14:33 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"jqhcnidg"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\aeisbpsf.drv WLEntryPoint" [ ]
"jdgf894jrghoiiskd"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\winlogan.exe" [ ]
"msvtt"="C:\WINDOWS\system32\gavurjjf.exe" [2008-04-13 07:19 61952]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 12:37 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"fssbmoec"= rundll32.exe "C:\WINDOWS\system32\japojatkrap.dll" WLEntryPoint

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [2008-04-13 07:19 10000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PWakHPt"= {884362D3-22E9-C879-60AE-B7168DB7B43B} - C:\WINDOWS\system32\qanh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pgbitgbilsfal]
pgbitgbilsfal.dll 2004-08-04 01:56 113664 C:\WINDOWS\system32\pgbitgbilsfal.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 18:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25302:TCP"= 25302:TCP:@xpsp2res.dll,-22005
"51629:TCP"= 51629:TCP:@xpsp2res.dll,-22005
"4296:TCP"= 4296:TCP:@xpsp2res.dll,-22005
"47839:TCP"= 47839:TCP:@xpsp2res.dll,-22005

S1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 12:31]
S1 zeqbqwp;zeqbqwp;C:\WINDOWS\zeqbqwp.sys [2008-04-13 07:19]
S2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S2 fastuserswitchingcompatibilityshellhwdetection;Fast User Switching Compatibility FastUserSwitchingCompatibilityShellHWDetection;C:\WINDOWS\system32\advpacku.exe [2008-04-13 07:25]
S2 wuauservappmgmt;Automatic Updates wuauservAppMgmt;C:\DOCUME~1\Ruben\LOCALS~1\Temp\8.tmp []
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 15:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 15:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 05:38:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 15:54:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wuauservappmgmt]
"ImagePath"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\8.tmp srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ojmpsfal.dll
.
Completion time: 2008-04-16 15:54:47
ComboFix-quarantined-files.txt 2008-04-16 20:54:38
ComboFix2.txt 2008-04-16 20:23:22
ComboFix3.txt 2008-04-16 16:05:44
ComboFix4.txt 2008-04-16 02:38:43

Pre-Run: 72,251,736,064 bytes free
Post-Run: 72,241,410,048 bytes free





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:39 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aprotecti.../test/?c=419608
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jqhcnidg] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\bakkjrsstj.sys" WLEntryPoint
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Ruben\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [msvtt] C:\WINDOWS\system32\gavurjjf.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [fssbmoec] rundll32.exe "C:\WINDOWS\system32\japojatkrap.dll" WLEntryPoint
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ojmpsfal.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ojmpsfal.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS3\Services\Tcpip\..\{66333E9F-5D3E-489A-969C-F66A0CA943FB}: NameServer = 85.255.113.140,85.255.112.93
O20 - Winlogon Notify: pgbitgbilsfal - C:\WINDOWS\SYSTEM32\pgbitgbilsfal.dll
O21 - SSODL: PWakHPt - {884362D3-22E9-C879-60AE-B7168DB7B43B} - C:\WINDOWS\system32\qanh.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fast User Switching Compatibility FastUserSwitchingCompatibilityShellHWDetection (fastuserswitchingcompatibilityshellhwdetection) - Unknown owner - C:\WINDOWS\system32\advpacku.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: Automatic Updates wuauservAppMgmt (wuauservappmgmt) - Unknown owner - C:\DOCUME~1\Ruben\LOCALS~1\Temp\8.tmp.exe (file missing)

--
End of file - 5490 bytes
  • 0

Advertisements


#11
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, desireejassel :)

We are still experiencing the same issue. Somehow the text data is scrambled. Combofix wont accept the Script unless it appears as a list, not a single line. If you click on CFScript.txt, which program opens it?

Open Notepad. Select format from the menu. Remove the checkmark from Word wrap.

Download the enclosed folder. Save and extract its contents to the desktop. It will create a new folder, CFScript. Go to Start->Run, copy and paste the following command and click OK:

"%Userprofile%\Desktop\Combofix.exe" "%Userprofile%\Desktop\CFScript\CFScript.txt"

Post the resulting report.
  • 0

#12
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
when i clicked on above CFScript.txt it opened with this http://www.geekstogo...a...st&id=19968



ComboFix 08-04-13.3 - Administrator 2008-04-17 23:45:47.6 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.386 [GMT -5:00]Running from: F:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\-2008849710
C:\9F.tmp
C:\A0.tmp
C:\A1.tmp
C:\Documents and Settings\All Users\Application Data\ovotmtab.dll
C:\Documents and Settings\LocalService\cftmon.exe
C:\Documents and Settings\Ruben\Application Data\Install.dat
C:\Documents and Settings\Ruben\cftmon.exe
C:\Documents and Settings\Ruben\Local Settings\Temp\8.tmp
C:\Documents and Settings\Ruben\Local Settings\Temp\indco.drv
C:\Documents and Settings\Ruben\Local Settings\Temp\winlogan.exe
C:\gavurjjf.exe
C:\gjtxc.exe
C:\lilsesn.exe
C:\pOXJ.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\smp.bat
C:\WINDOWS\BM8b7051e1.xml
C:\WINDOWS\fgvcjmbs.dll
C:\WINDOWS\klelityl.dll
C:\WINDOWS\mrofinu27.exe
C:\WINDOWS\ons.dll
C:\WINDOWS\s.dll
C:\WINDOWS\system32\3532924907.dat
C:\WINDOWS\system32\3532924907m.exe
C:\WINDOWS\system32\accesse.dll
C:\WINDOWS\system32\admparses.exe
C:\WINDOWS\system32\advpacku.exe
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\atknqpsnel.bmp
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motport_01005.Wdf
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\system32\etcfmpon.bmp
C:\WINDOWS\system32\fepojilsrilgf.bmp
C:\WINDOWS\system32\gavurjjf.exe
C:\WINDOWS\system32\hspmfqlc.exe
C:\WINDOWS\system32\ilsbelknidg.sys
C:\WINDOWS\system32\japojatkrap.dll
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\jilsjehojatsb.bmp
C:\WINDOWS\system32\kjalgr.bmp
C:\WINDOWS\system32\lknadcn.bmp
C:\WINDOWS\system32\luapvs.dll
C:\WINDOWS\system32\maxpaynow1.exe
C:\WINDOWS\system32\maxpaynowti1.exe
C:\WINDOWS\system32\pgbitgbilsfal.dll
C:\WINDOWS\system32\qhkfqdor.bmp
C:\WINDOWS\system32\rmhknid.bmp
C:\WINDOWS\system32\shift.exe.exe
C:\WINDOWS\system32\uqfudaid.tmp
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\win32ole.dll
C:\WINDOWS\zeqbqwp.sys
C:\wintogi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2008849710
C:\9F.tmp
C:\A0.tmp
C:\A1.tmp
C:\Documents and Settings\All Users\Application Data\ovotmtab.dll
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\All Users\Application Data\tefobujm
C:\Documents and Settings\All Users\Application Data\tefobujm\twjubqtu.exe
C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
C:\Documents and Settings\All Users\Desktop\Security Troubleshooting.url
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url
C:\Documents and Settings\Ruben\Application Data\Install.dat
C:\Documents and Settings\Ruben\Application Data\Microsoft\Internet Explorer\Quick Launch\Anti Virus Pro spyware remover.lnk
C:\Documents and Settings\Ruben\cftmon.exe
C:\Documents and Settings\Ruben\Desktop\bravesentry.lnk
C:\Documents and Settings\Ruben\Favorites\Online Security Test.url
C:\Documents and Settings\Ruben\Local Settings\Application Data\n.ini
C:\gavurjjf.exe
C:\gjtxc.exe
C:\lilsesn.exe
C:\pOXJ.exe
C:\Program Files\Bat
C:\Program Files\Bat\Bat.dll
C:\Program Files\Bat\Bat.dll.intermediate.manifest
C:\Program Files\Bat\Bat.exe
C:\Program Files\Bat\Bat.info
C:\Program Files\Bat\Bat.original
C:\Program Files\Bat\Info.dll
C:\Program Files\Bat\un_BatSetup_15041.exe
C:\Program Files\Bat\un_BatSetup_15041.txt
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Bat\X_Bat.log
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\smp.bat
C:\WINDOWS\BM8b7051e1.xml
C:\WINDOWS\cuawsppw
C:\WINDOWS\cuawsppw\1.png
C:\WINDOWS\cuawsppw\2.png
C:\WINDOWS\cuawsppw\3.png
C:\WINDOWS\cuawsppw\4.png
C:\WINDOWS\cuawsppw\5.png
C:\WINDOWS\cuawsppw\6.png
C:\WINDOWS\cuawsppw\7.png
C:\WINDOWS\cuawsppw\8.png
C:\WINDOWS\cuawsppw\9.png
C:\WINDOWS\cuawsppw\bottom-rc.gif
C:\WINDOWS\cuawsppw\config.png
C:\WINDOWS\cuawsppw\content.png
C:\WINDOWS\cuawsppw\download.gif
C:\WINDOWS\cuawsppw\frame-bg.gif
C:\WINDOWS\cuawsppw\frame-bottom-left.gif
C:\WINDOWS\cuawsppw\frame-h1bg.gif
C:\WINDOWS\cuawsppw\head.png
C:\WINDOWS\cuawsppw\icon.png
C:\WINDOWS\cuawsppw\indexwp.html
C:\WINDOWS\cuawsppw\main.css
C:\WINDOWS\cuawsppw\memory-prots.png
C:\WINDOWS\cuawsppw\net.png
C:\WINDOWS\cuawsppw\pc-mag.gif
C:\WINDOWS\cuawsppw\pc.gif
C:\WINDOWS\cuawsppw\poloska1.png
C:\WINDOWS\cuawsppw\poloska2.png
C:\WINDOWS\cuawsppw\poloska3.png
C:\WINDOWS\cuawsppw\promowp1.html
C:\WINDOWS\cuawsppw\promowp2.html
C:\WINDOWS\cuawsppw\promowp3.html
C:\WINDOWS\cuawsppw\promowp4.html
C:\WINDOWS\cuawsppw\promowp5.html
C:\WINDOWS\cuawsppw\reg.png
C:\WINDOWS\cuawsppw\repair.png
C:\WINDOWS\cuawsppw\scr-1.png
C:\WINDOWS\cuawsppw\scr-2.png
C:\WINDOWS\cuawsppw\start.png
C:\WINDOWS\cuawsppw\styles.css
C:\WINDOWS\cuawsppw\Thumbs.db
C:\WINDOWS\cuawsppw\top-rc.gif
C:\WINDOWS\cuawsppw\vline.gif
C:\WINDOWS\cuawsppw\wp.png
C:\WINDOWS\fgvcjmbs.dll
C:\WINDOWS\klelityl.dll
C:\WINDOWS\mrofinu27.exe
C:\WINDOWS\ons.dll
C:\WINDOWS\s.dll
C:\WINDOWS\system32\215651
C:\WINDOWS\system32\3532924907.dat
C:\WINDOWS\system32\3532924907m.exe
C:\WINDOWS\system32\accesse.dll
C:\WINDOWS\system32\admparses.exe
C:\WINDOWS\system32\advpacku.exe
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\atknqpsnel.bmp
C:\WINDOWS\system32\dllgh8jkd1q1.exe
C:\WINDOWS\system32\dllgh8jkd1q2.exe
C:\WINDOWS\system32\dllgh8jkd1q5.exe
C:\WINDOWS\system32\dllgh8jkd1q6.exe
C:\WINDOWS\system32\dllgh8jkd1q7.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
C:\WINDOWS\system32\drivers\Msft_Kernel_motport_01005.Wdf
C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
C:\WINDOWS\system32\etcfmpon.bmp
C:\WINDOWS\system32\fepojilsrilgf.bmp
C:\WINDOWS\system32\gavurjjf.exe
C:\WINDOWS\system32\hspmfqlc.exe
C:\WINDOWS\system32\ilsbelknidg.sys
C:\WINDOWS\system32\japojatkrap.dll
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\jilsjehojatsb.bmp
C:\WINDOWS\system32\kjalgr.bmp
C:\WINDOWS\system32\lknadcn.bmp
C:\WINDOWS\system32\luapvs.dll
C:\WINDOWS\system32\maxpaynow1.exe
C:\WINDOWS\system32\maxpaynowti1.exe
C:\WINDOWS\system32\pgbitgbilsfal.dll
C:\WINDOWS\system32\qhkfqdor.bmp
C:\WINDOWS\system32\rmhknid.bmp
C:\WINDOWS\system32\shift.exe.exe
C:\WINDOWS\system32\uqfudaid.tmp
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\win32ole.dll
C:\WINDOWS\zeqbqwp.sys
C:\wintogi.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_fastuserswitchingcompatibilityshellhwdetection
-------\Legacy_wuauservappmgmt
-------\Service_fastuserswitchingcompatibilityshellhwdetection
-------\Service_wuauservappmgmt
-------\Service_zeqbqwp


((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-15 19:17 . 2008-04-15 19:29 <DIR> d-------- C:\fixwareout
2008-04-14 11:26 . 2008-04-14 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 10:04 . 2008-04-14 10:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-04-14 07:21 . 2008-04-14 07:22 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-13 13:33 . 2008-04-13 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-13 13:16 . 2008-04-13 13:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-04-13 08:30 . 2008-04-13 08:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 08:04 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-13 08:04 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-13 08:03 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-13 08:03 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-13 08:03 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-13 08:03 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-13 08:03 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-13 08:03 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-13 08:02 . 2008-04-13 08:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-13 08:02 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-13 08:02 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-13 08:02 . 2003-03-18 13:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-13 08:02 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-13 08:02 . 2003-02-20 21:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-13 07:27 . 2008-04-13 07:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 07:05 . 2008-04-13 07:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 11:44 . 2008-04-13 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 11:44 . 2008-04-09 11:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\Ruben\Application Data\MSN6
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 02:55 --------- d-----w C:\Documents and Settings\Ruben\Application Data\LimeWire
2008-03-18 04:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Walgreens
2008-03-14 00:05 --------- d-----w C:\Program Files\Azureus
2008-03-14 00:05 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Azureus
2008-03-03 22:15 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-03 22:13 --------- d-----w C:\Program Files\Avanquest update
2008-03-03 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-03 22:08 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-03 22:08 --------- d-----w C:\Documents and Settings\Ruben\Application Data\InstallShield
2008-03-03 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-01 05:38 --------- d-----w C:\Program Files\Apple Software Update
2008-03-01 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-01 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Common Files\Kodak
2008-03-01 05:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Snapfish
2008-02-23 15:58 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Ahead
.

------- Sigcheck -------

2001-08-18 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-13 07:18 17408 c357a9031d4c637112df2a4a8fa21ac4 C:\WINDOWS\system32\svchost.exe

2001-08-18 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-18 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 01:56 506368 b270125e1557a24f8de54857d8199dcf C:\WINDOWS\system32\winlogon.exe

2004-08-04 01:56 1034752 99641a4d634ddf0403ac065c51b365e7 C:\WINDOWS\explorer.exe
2001-08-18 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( [email protected]_21.38.28.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 01:05:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-18 04:51:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-08-04 06:56:50 113,664 ----a-w C:\WINDOWS\system32\gnernqairjp.sys
+ 2008-04-18 04:52:15 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_620.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 14:56 45056]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 15:12 32768]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 13:25 14720000 C:\WINDOWS\RTHDCPL.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-29 14:33 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-29 14:33 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-29 14:33 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 12:37 79224]
"rsgrqnp"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\bakkjrsstj.sys WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"tpqaiocm"= rundll32.exe "C:\WINDOWS\system32\gnernqairjp.sys" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 18:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60672:TCP"= 60672:TCP:@xpsp2res.dll,-22005
"34127:TCP"= 34127:TCP:@xpsp2res.dll,-22005
"30626:TCP"= 30626:TCP:@xpsp2res.dll,-22005
"45673:TCP"= 45673:TCP:@xpsp2res.dll,-22005

S1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 12:31]
S2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 15:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 15:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 05:38:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 23:52:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-17 23:55:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 04:55:05
ComboFix2.txt 2008-04-16 20:54:47
ComboFix3.txt 2008-04-16 20:23:22
ComboFix4.txt 2008-04-16 16:05:44
ComboFix5.txt 2008-04-16 02:38:43

Pre-Run: 72,250,171,392 bytes free
Post-Run: 72,236,462,080 bytes free




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:19 AM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aprotecti.../test/?c=419608
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [rsgrqnp] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\recfl.nls" WLEntryPoint
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [tpqaiocm] rundll32.exe "C:\WINDOWS\system32\gnernqairjp.sys" WLEntryPoint
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ojmpsfal.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ojmpsfal.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CS3\Services\Tcpip\..\{66333E9F-5D3E-489A-969C-F66A0CA943FB}: NameServer = 85.255.113.140,85.255.112.93
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 4597 bytes

Edited by desireejassel, 17 April 2008 - 11:08 PM.

  • 0

#13
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,961 posts
Hi, desireejassel :)

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of ojmpsfal.dll.
  • Select every instance of ojmpsfal.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
Please run Fixwareout once again and post its report.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\WINDOWS\system32\gnernqairjp.sys

Collect::
c:\windows\system32\ojmpsfal.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"=-
"rsgrqnp"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"tpqaiocm"=-


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingc...e.php?channel=4

Please include a link to this topic in the message.
  • 0

#14
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Username "Administrator" - 04/18/2008 15:34:13 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"AzMixerSel"="C:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"
"ISBMgr.exe"="C:\\Program Files\\Sony\\ISB Utility\\ISBMgr.exe"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RTHDCPL"="RTHDCPL.EXE"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"rsgrqnp"="rundll32.exe \"C:\\DOCUME~1\\Ruben\\LOCALS~1\\Temp\\recfl.nls\" WLEntryPoint"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



ComboFix 08-04-13.3 - Administrator 2008-04-18 15:41:52.7 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.386 [GMT -5:00]
Running from: F:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\gnernqairjp.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gnernqairjp.sys
c:\windows\system32\ojmpsfal.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-18 15:42 . 2004-08-04 01:56 113,664 --a------ C:\WINDOWS\system32\lrkjod.dll
2008-04-15 19:17 . 2008-04-18 15:39 <DIR> d-------- C:\fixwareout
2008-04-14 11:26 . 2008-04-14 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 10:04 . 2008-04-14 10:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-04-14 07:21 . 2008-04-14 07:22 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-13 13:33 . 2008-04-13 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-13 13:16 . 2008-04-13 13:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-04-13 08:30 . 2008-04-13 08:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 08:04 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-13 08:04 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-13 08:03 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-13 08:03 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-13 08:03 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-13 08:03 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-13 08:03 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-13 08:03 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-13 08:02 . 2008-04-13 08:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-13 08:02 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-13 08:02 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-13 08:02 . 2003-03-18 13:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-13 08:02 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-13 08:02 . 2003-02-20 21:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-13 07:27 . 2008-04-13 07:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 07:05 . 2008-04-13 07:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 11:44 . 2008-04-13 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 11:44 . 2008-04-09 11:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\Ruben\Application Data\MSN6
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 12:18 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-09 02:55 --------- d-----w C:\Documents and Settings\Ruben\Application Data\LimeWire
2008-03-18 04:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Walgreens
2008-03-14 00:05 --------- d-----w C:\Program Files\Azureus
2008-03-14 00:05 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Azureus
2008-03-03 22:15 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-03 22:13 --------- d-----w C:\Program Files\Avanquest update
2008-03-03 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-03 22:08 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-03 22:08 --------- d-----w C:\Documents and Settings\Ruben\Application Data\InstallShield
2008-03-03 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-01 05:38 --------- d-----w C:\Program Files\Apple Software Update
2008-03-01 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-01 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Common Files\Kodak
2008-03-01 05:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Snapfish
2008-02-23 15:58 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Ahead
.

------- Sigcheck -------

2001-08-18 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-13 07:18 17408 c357a9031d4c637112df2a4a8fa21ac4 C:\WINDOWS\system32\svchost.exe

2001-08-18 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-18 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 01:56 506368 b270125e1557a24f8de54857d8199dcf C:\WINDOWS\system32\winlogon.exe

2004-08-04 01:56 1034752 99641a4d634ddf0403ac065c51b365e7 C:\WINDOWS\explorer.exe
2001-08-18 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( [email protected]_21.38.28.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 01:05:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-18 20:37:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 14:56 45056]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 15:12 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 13:25 14720000 C:\WINDOWS\RTHDCPL.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-29 14:33 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-29 14:33 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-29 14:33 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 12:37 79224]
"eernn"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\recfl.nls WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"qjkcletm"= rundll32.exe "C:\WINDOWS\system32\tesrssn.nls" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 18:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49533:TCP"= 49533:TCP:@xpsp2res.dll,-22005
"22224:TCP"= 22224:TCP:@xpsp2res.dll,-22005
"50007:TCP"= 50007:TCP:@xpsp2res.dll,-22005
"37906:TCP"= 37906:TCP:@xpsp2res.dll,-22005

S1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 12:31]
S2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 15:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 15:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 05:38:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 15:44:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-18 15:45:21
ComboFix-quarantined-files.txt 2008-04-18 20:44:53
ComboFix2.txt 2008-04-18 04:55:12
ComboFix3.txt 2008-04-16 20:54:47
ComboFix4.txt 2008-04-16 20:23:22
ComboFix5.txt 2008-04-16 16:05:44

Pre-Run: 72,243,830,784 bytes free
Post-Run: 72,233,811,968 bytes free





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:16 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aprotecti.../test/?c=419608
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eernn] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\kshplklnekg.drv" WLEntryPoint
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [qjkcletm] rundll32.exe "C:\WINDOWS\system32\tesrssn.nls" WLEntryPoint
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 4243 bytes
  • 0

#15
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Malware Submission was sent.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP