Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

all kinds of problems choose the program you want to use to open


  • This topic is locked This topic is locked

#1
CharlieSal7

CharlieSal7

    Member

  • Member
  • PipPip
  • 11 posts
all kinds of problems: "choose the program you w.nt to use to open this file," pop ups, many simple .exe files will not open. I tried running a number of virus scanners but I could not because once downloaded they would not open. almost any program I try to open says "choose the program you w.nt to use to open this file," Also, I cant open any of the icons in controll panel- it says " C:\Windows\System32\Rundll32.exe Application not found".Here is the results of my last virus scan with Stop Sign. Notice that it could not cure some of the viruses.

Trojan.Click.18576: Virus
c:\windows\resources\unknowndrive.dll is Deleted.
Trojan.DownLoader.59098: Virus
c:\windows\system32\drivers\spools.exe is Deleted.
Trojan.Starter.384: Virus
c:\windows\explorer.exe is Infected.
c:\windows\system32\spoolsv.exe is Infected.
c:\windows\system32\services.exe is Infected.
c:\windows\system32\svchost.exe is Infected.
c:\windows\system32\lsass.exe is Infected

Here is the Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:11 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\winself.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\eAcceleration\Station\station.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = I
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ˆ
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = úp’w
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {45383823-0C19-4C5D-B9C2-C44C53D97B4C} - C:\WINDOWS\system32\xxyyaWQg.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\opnnlLff.dll (file missing)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {9cac3cda-d467-85c1-15e7-a38f00227ce0} - C:\WINDOWS\system32\tpl.dll (file missing)
O2 - BHO: e404 helper - {c03fd59d-9104-44b7-929a-9eaa0ba05211} - C:\Program Files\Helper\1208809123.dll (file missing)
O2 - BHO: (no name) - {c613ce22-151c-4331-94ff-f113a153f66d} - error (file missing)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: DVA Storm - {f87141ce-278d-49a0-ae0a-c33ebb863537} - C:\WINDOWS\qnmargolxpg.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: dpevflbg - {859D10F7-0E0F-43A8-8DF7-EC0466A40301} - C:\WINDOWS\dpevflbg.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\onaccess.exe" -erk
O4 - HKLM\..\Run: [xepglwpg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xepglwpg.dll"
O4 - HKLM\..\Run: [WebAplApi] C:\Documents and Settings\All Users\Application Data\Common\vgdidazs.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Erin and Charlie\cftmon.exe
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [e8b12e5b] rundll32.exe "C:\WINDOWS\system32\mrflbeqk.dll",b
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\system32\icasServ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [asaqelbj] C:\WINDOWS\system32\uvozgdqf.exe
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\TSKS~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Tvnmm] C:\WINDOWS\system32\M?crosoft\e?plorer.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Erin and Charlie\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Ozrf1i6d5f] C:\Documents and Settings\All Users\Application Data\wvabuvqr\wbcfwruh.exe
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1209071492.exe work (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://intranet.ntc.edu/qp2.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_9.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CF24C0E-F912-4C83-8146-10F044CE0722}: NameServer = 85.255.115.69,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BBC421E-2FFD-4134-8D03-F5145890075F}: NameServer = 85.255.115.69,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F76A79F-3FDD-4230-8A51-D4EC3C03BB48}: NameServer = 85.255.115.69,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{B257D7E8-71E8-4B7D-AE43-6906EB0F28AC}: NameServer = 85.255.115.69,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.69 85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.69 85.255.112.7
O20 - Winlogon Notify: opnnllff - opnnlLff.dll (file missing)
O21 - SSODL: UnknownDrive - {984ee551-8974-4ea3-86bc-972c67babd16} - C:\WINDOWS\Resources\UnknownDrive.dll (file missing)
O21 - SSODL: zip - {3ef620f1-86e8-4a4f-843c-58a6ae807ffc} - C:\WINDOWS\Installer\{3ef620f1-86e8-4a4f-843c-58a6ae807ffc}\zip.dll (file missing)
O21 - SSODL: vadokmxt - {F2ADEE91-D092-44B0-8721-A378BDD0C6B2} - C:\WINDOWS\vadokmxt.dll
O21 - SSODL: wdpoefan - {DE15E7FD-4181-4A2F-9FD6-A4CFC705F9B8} - C:\WINDOWS\wdpoefan.dll
O21 - SSODL: kRnvR - {E8B12EF5-421B-845F-A444-6EFABDEE9A4C} - C:\WINDOWS\system32\vk.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DHCP Client DhcpADVService (dhcpadvservice) - Unknown owner - C:\WINDOWS\system32\aaaamonf.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FWService - eAcceleration Corp - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Wireless Zero Configuration WZCSVCRasAuto (wzcsvcrasauto) - Unknown owner - C:\WINDOWS\system32\6C8C8E3348v.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 16670 bytes


here is the uninstall txt

ABBYY FineReader 5.0 Sprint Plus
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe InDesign CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Reader 7.0
Adobe Setup
Adobe Shockwave Player
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
ALPS Touch Pad Driver
Amazon Unbox Video
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOLIcon
Banctec Service Agreement
Broadcom Management Programs 2
BUM
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CDex extraction audio
Cliprex DS DVD Player
CoffeeCup Flash Website Font
Conexant D110 MDC V.9x Modem
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
Dell Picture Studio v3.0
Dell Support Center
DellSupport
Digital Line Detect
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
eAcceleration - StopSign Popup Blocker
EarthLink setup files
Entriq MediaSphere 3.6.0.15
ffdshow (remove only)
FileZilla Client 3.0.5.2
FreeRIP v2.96
FriendBlasterPro
Google Toolbar for Internet Explorer
HijackThis 2.0.0
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
Internal Network Card Power Management
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8 Dell Edition
Jasc Paint Shop Pro Studio, Dell Editon
Jasc Paint Shop Pro Studio.01 , Dell Edition 1.0.1.1 Patch
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 3
Java™ 6 Update 5
LaSofStuf InVerse (remove only)
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.14.10
Macromedia Flash Player
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
Mozilla (1.7.13)
MP3 Converter Simple
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
mToolkit
Musicmatch® Jukebox
mWlsSafe
mXML
mZConfig
Netflix Movie Viewer
NetWaiting
OpenCASE Media Agent
OverDrive Media Console
PageBreeze Free HTML Editor
Panda ActiveScan 2.0
PANTECH PC Card Software
PDF Settings
Pdf995
PdfEdit995
Picasa 2
PowerDVD 5.5
QuickBooks Simple Start Special Edition
QuickLink Mobile
QuickTime
RealPlayer
Registry Mechanic 5.0
SC Audio DJ Mixer 2.3.0.0
Scripture Memory System
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sonic Audio module
Sonic DLA
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
StopSign by eAcceleration
SysSnap
TaxCut Basic 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Verizon High Speed Internet
Verizon Online DSL
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebVideo Support
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB893086
WinRAR archiver
WordPerfect Office 12
Xvid 1.1.2 final uninstall
Yahoo! extras
Yahoo! Install Manager


Thanks!
  • 0

Advertisements


#2
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess , simply post back with your question, and we will go through it again.

The fixes may take several attempts and my replies may take some time but stick with it, and we will be sure to get you sorted.

I am reviewing your log, and will post your first set of instructions shortly.
  • 0

#3
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi CharlieSal7,

You have a lot of nasty stuff going on here… lets see what we can do.


FixWareout
Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log

===============================================

SDFix


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

===============================================

ComboFix

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

===============================================

Needed in you next reply:

FixWareout (report.txt)
SDFix Report.txt
ComboFix.txt"
new HijackThis log

Also let me know if things are running better :)
  • 0

#4
CharlieSal7

CharlieSal7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Wow, thanks for the help. Things have been running much better so far. Here are the reports. Thanks again, Charlie


Username "Erin and Charlie" - 04/27/2008 21:46:55 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.69 85.255.112.7" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2CF24C0E-F912-4C83-8146-10F044CE0722}
"nameserver"="85.255.115.69,85.255.112.7" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4BBC421E-2FFD-4134-8D03-F5145890075F}
"nameserver"="85.255.115.69,85.255.112.7" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6F76A79F-3FDD-4230-8A51-D4EC3C03BB48}
"nameserver"="85.255.115.69,85.255.112.7" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B257D7E8-71E8-4B7D-AE43-6906EB0F28AC}
"nameserver"="85.255.115.69,85.255.112.7" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2810EB22-763D-4D0C-9450-64BBD1758685}
"DhcpNameServer"="85.255.115.69,85.255.112.7" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{2CF24C0E-F912-4C83-8146-10F044CE0722}
"DhcpNameServer"="85.255.115.69,85.255.112.7" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4BBC421E-2FFD-4134-8D03-F5145890075F}
"DhcpNameServer"="85.255.115.69,85.255.112.7" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6F76A79F-3FDD-4230-8A51-D4EC3C03BB48}
"DhcpNameServer"="85.255.115.69,85.255.112.7" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Dell Photo AIO Printer 922"="\"C:\\Program Files\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"DLBTCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLBTtime.dll,[email protected]"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"dscactivate"="\"C:\\Program Files\\Dell Support Center\\gs_agent\\custom\\dsca.exe\""
"RegistryMechanic"=""
"SoftwareStation"="\"C:\\Program Files\\eAcceleration\\Station\\station.exe\" /b Startup"
"StopSignSsTsMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\Anti-Virus\\sstsmon.dll\",VerifyStatus"
"StopSignSsSsMon"="Rundll32.exe \"C:\\Program Files\\Acceleration Software\\Anti-Virus\\ssssmon.dll\",VerifyStatus"
"webscan"="\"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe\" -k"
"StopSignSsFwMon"="Rundll32.exe \"C:\\Program Files\\eAcceleration\\Firewall\\ssfwmon.dll\",VerifyStatus"
"OnAccess"="\"C:\\Program Files\\eAcceleration\\OnAccess\\onaccess.exe\" -erk"
"xepglwpg"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\xepglwpg.dll\""
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\Erin and Charlie\\cftmon.exe"
"e8b12e5b"="rundll32.exe \"C:\\WINDOWS\\system32\\mrflbeqk.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"Sen"="\"C:\\WINDOWS\\TSKS~1\\cmd.exe\" -vt yazb"
"Tvnmm"="C:\\WINDOWS\\system32\\M?crosoft\\e?plorer.exe"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\Erin and Charlie\\cftmon.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~






SDFix: Version 1.176
Run by Erin and Charlie on Sun 04/27/2008 at 10:21 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
fkjdfje

Path :
\??\C:\WINDOWS\fkjdfje.sys

fkjdfje - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\-39104~1 - Deleted
C:\WINDOWS\mgwwgmke\1.png - Deleted
C:\WINDOWS\mgwwgmke\2.png - Deleted
C:\WINDOWS\mgwwgmke\3.png - Deleted
C:\WINDOWS\mgwwgmke\4.png - Deleted
C:\WINDOWS\mgwwgmke\5.png - Deleted
C:\WINDOWS\mgwwgmke\6.png - Deleted
C:\WINDOWS\mgwwgmke\7.png - Deleted
C:\WINDOWS\mgwwgmke\8.png - Deleted
C:\WINDOWS\mgwwgmke\9.png - Deleted
C:\WINDOWS\mgwwgmke\bottom-rc.gif - Deleted
C:\WINDOWS\mgwwgmke\config.png - Deleted
C:\WINDOWS\mgwwgmke\content.png - Deleted
C:\WINDOWS\mgwwgmke\download.gif - Deleted
C:\WINDOWS\mgwwgmke\frame-bg.gif - Deleted
C:\WINDOWS\mgwwgmke\frame-bottom-left.gif - Deleted
C:\WINDOWS\mgwwgmke\frame-h1bg.gif - Deleted
C:\WINDOWS\mgwwgmke\head.png - Deleted
C:\WINDOWS\mgwwgmke\icon.png - Deleted
C:\WINDOWS\mgwwgmke\indexwp.html - Deleted
C:\WINDOWS\mgwwgmke\main.css - Deleted
C:\WINDOWS\mgwwgmke\memory-prots.png - Deleted
C:\WINDOWS\mgwwgmke\net.png - Deleted
C:\WINDOWS\mgwwgmke\pc.gif - Deleted
C:\WINDOWS\mgwwgmke\pc-mag.gif - Deleted
C:\WINDOWS\mgwwgmke\poloska1.png - Deleted
C:\WINDOWS\mgwwgmke\poloska2.png - Deleted
C:\WINDOWS\mgwwgmke\poloska3.png - Deleted
C:\WINDOWS\mgwwgmke\promowp1.html - Deleted
C:\WINDOWS\mgwwgmke\promowp2.html - Deleted
C:\WINDOWS\mgwwgmke\promowp3.html - Deleted
C:\WINDOWS\mgwwgmke\promowp4.html - Deleted
C:\WINDOWS\mgwwgmke\promowp5.html - Deleted
C:\WINDOWS\mgwwgmke\reg.png - Deleted
C:\WINDOWS\mgwwgmke\repair.png - Deleted
C:\WINDOWS\mgwwgmke\scr-1.png - Deleted
C:\WINDOWS\mgwwgmke\scr-2.png - Deleted
C:\WINDOWS\mgwwgmke\start.png - Deleted
C:\WINDOWS\mgwwgmke\styles.css - Deleted
C:\WINDOWS\mgwwgmke\top-rc.gif - Deleted
C:\WINDOWS\mgwwgmke\vline.gif - Deleted
C:\WINDOWS\mgwwgmke\wp.png - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\sys.log - Deleted
C:\WINDOWS\Temp\SALM.EXE - Deleted
C:\WINDOWS\Web\def.htm - Deleted
C:\WINDOWS\fkjdfje.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 22:36:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="7"
"subid"="0"
"prov"="10010"
"paneladserver"="http://update.micros...adsensegen.php"
"googleadserver"="pagead2.googlesyndication.com"
"server"="72.232.212.29"
"flagged"=dword:00000001

scanning hidden files ...

C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 28160 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable
C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 41023 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 11


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\FriendBlasterPro\\FriendBlasterPro.exe"="C:\\Program Files\\FriendBlasterPro\\FriendBlasterPro.exe:*:Enabled:FriendBlasterPro"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Conference\\Conference.dll"="C:\\Program Files\\Conference\\Conference.dll:*:Enabled:Audio/Video Conference"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Thu 18 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 21 Apr 2008 23,040 A.SH. --- "C:\WINDOWS\system32\1025u.dll"
Sun 16 Jul 2006 56 ..SHR --- "C:\WINDOWS\system32\6C8C8E3348.sys"
Mon 21 Apr 2008 37,888 A.SHR --- "C:\WINDOWS\system32\aaaamonf.exe"
Sun 16 Jul 2006 1,890 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 4 Aug 2004 1,028,096 ...H. --- "C:\WINDOWS\system32\mfc42.dll"
Wed 4 Aug 2004 54,784 ...H. --- "C:\WINDOWS\system32\msvcirt.dll"
Wed 4 Aug 2004 565,760 ...H. --- "C:\WINDOWS\system32\msvcp50.dll"
Wed 4 Aug 2004 413,696 ...H. --- "C:\WINDOWS\system32\msvcp60.dll"
Wed 4 Aug 2004 343,040 ...H. --- "C:\WINDOWS\system32\msvcrt.dll"
Wed 4 Aug 2004 253,952 ...H. --- "C:\WINDOWS\system32\msvcrt20.dll"
Wed 4 Aug 2004 61,440 ...H. --- "C:\WINDOWS\system32\msvcrt40.dll"
Sun 20 Apr 2008 89,088 ..SHR --- "C:\WINDOWS\T?sks\cmd.exe"
Mon 28 Jan 2008 13 ...H. --- "C:\Documents and Settings\All Users\Application Data\ys.sys"
Mon 6 Aug 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 14 Nov 2007 25,600 ...H. --- "C:\Documents and Settings\cs\My Documents\~WRL4097.tmp"
Tue 6 Jun 2006 75,776 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL0056.tmp"
Tue 6 Jun 2006 77,312 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL0109.tmp"
Tue 6 Jun 2006 75,776 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL0816.tmp"
Wed 7 Jun 2006 539,136 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL0906.tmp"
Tue 6 Jun 2006 76,288 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL0988.tmp"
Fri 2 Feb 2007 24,576 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL1040.tmp"
Tue 6 Jun 2006 71,168 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL1123.tmp"
Tue 6 Jun 2006 72,704 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL1326.tmp"
Tue 6 Jun 2006 71,680 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL1411.tmp"
Tue 6 Jun 2006 71,168 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL1755.tmp"
Tue 6 Jun 2006 55,808 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL1828.tmp"
Tue 6 Jun 2006 71,168 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL1856.tmp"
Tue 6 Jun 2006 64,512 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL1883.tmp"
Tue 6 Jun 2006 76,288 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL2040.tmp"
Tue 6 Jun 2006 74,240 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL2047.tmp"
Tue 6 Jun 2006 77,824 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL2197.tmp"
Wed 7 Jun 2006 235,008 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL2234.tmp"
Wed 7 Jun 2006 542,720 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL2344.tmp"
Tue 6 Jun 2006 71,680 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL2352.tmp"
Tue 6 Jun 2006 77,312 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL2936.tmp"
Tue 6 Jun 2006 77,312 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL2969.tmp"
Mon 26 Jun 2006 39,424 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL3254.tmp"
Tue 6 Jun 2006 75,776 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL3467.tmp"
Tue 6 Jun 2006 71,168 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL3613.tmp"
Tue 6 Jun 2006 63,488 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL3665.tmp"
Tue 6 Jun 2006 62,976 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL3796.tmp"
Wed 7 Jun 2006 323,072 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\~WRL3962.tmp"
Sun 6 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP392\A0043965.dll"
Mon 7 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0044204.dll"
Tue 8 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0044237.dll"
Tue 8 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP399\A0044276.dll"
Tue 8 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400\A0044738.dll"
Tue 8 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP402\A0044916.dll"
Tue 8 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP402\A0044939.dll"
Wed 9 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403\A0045026.dll"
Wed 9 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403\A0045049.dll"
Wed 9 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP409\A0045331.dll"
Wed 9 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP409\A0045367.dll"
Tue 15 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP410\A0045553.dll"
Tue 15 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411\A0045630.dll"
Wed 16 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411\A0045639.dll"
Wed 16 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411\A0046642.dll"
Wed 16 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411\A0046657.dll"
Wed 16 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411\A0047657.dll"
Wed 16 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411\A0048656.dll"
Wed 16 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP415\A0048761.dll"
Mon 21 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP415\A0048800.dll"
Mon 21 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0048823.dll"
Mon 21 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0049823.dll"
Tue 22 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0050822.dll"
Tue 22 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0051838.dll"
Wed 23 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0051854.dll"
Wed 23 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0051866.dll"
Wed 23 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0052883.dll"
Wed 23 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0052907.dll"
Thu 24 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0052952.dll"
Thu 24 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0052972.dll"
Thu 24 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0052982.dll"
Thu 24 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053019.dll"
Thu 24 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053091.dll"
Thu 24 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053107.dll"
Thu 24 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053131.dll"
Thu 24 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053165.dll"
Thu 24 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053199.dll"
Fri 25 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053209.dll"
Fri 25 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053218.dll"
Fri 25 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053245.dll"
Fri 25 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053256.dll"
Fri 25 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053271.dll"
Fri 25 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053298.dll"
Fri 25 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053308.dll"
Fri 25 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0053405.dll"
Fri 25 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0053423.dll"
Sat 26 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0053556.dll"
Sat 26 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0053585.dll"
Sat 26 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0054597.dll"
Sat 26 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0054618.dll"
Sat 26 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0054637.dll"
Sat 26 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0054656.dll"
Sun 27 Apr 2008 66,560 A.SH. --- "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0054682.dll"
Fri 11 Apr 2008 230,400 ..SHR --- "C:\WINDOWS\system32\M?crosoft\e?plorer.exe"
Mon 17 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 12 Nov 2006 41,984 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL0001.tmp"
Wed 13 Sep 2006 39,424 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL0003.tmp"
Wed 13 Sep 2006 38,400 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL0108.tmp"
Mon 25 Sep 2006 38,400 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL0190.tmp"
Wed 13 Sep 2006 342,528 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL0453.tmp"
Mon 25 Sep 2006 38,912 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL0539.tmp"
Mon 25 Sep 2006 38,400 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL0581.tmp"
Mon 25 Sep 2006 38,400 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL0873.tmp"
Mon 25 Sep 2006 38,912 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL0951.tmp"
Mon 25 Sep 2006 38,400 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL1784.tmp"
Wed 13 Sep 2006 73,728 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL1894.tmp"
Mon 25 Sep 2006 38,400 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL1952.tmp"
Wed 13 Sep 2006 76,288 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL2289.tmp"
Mon 7 Aug 2006 28,160 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL2990.tmp"
Wed 13 Sep 2006 99,328 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL3052.tmp"
Mon 18 Sep 2006 37,888 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL3076.tmp"
Mon 25 Sep 2006 38,400 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL3199.tmp"
Mon 25 Sep 2006 38,400 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL3216.tmp"
Mon 25 Sep 2006 38,912 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL3323.tmp"
Wed 13 Sep 2006 131,072 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL3387.tmp"
Wed 13 Sep 2006 30,720 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL3608.tmp"
Wed 13 Sep 2006 111,616 ...H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Erin job search\~WRL3848.tmp"
Mon 12 Jun 2006 41,472 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Sem Stuff\~WRL2146.tmp"
Mon 12 Jun 2006 43,520 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Sem Stuff\~WRL3727.tmp"
Mon 12 Jun 2006 36,864 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Sem Stuff\~WRL3817.tmp"
Tue 13 Jun 2006 46,080 A..H. --- "C:\Documents and Settings\Erin and Charlie\My Documents\Sem Stuff\~WRL3958.tmp"
Sun 27 Apr 2008 66,560 A.SH. --- "C:\Documents and Settings\All Users\Application Data\ExtendMedia\Media Agent\ac.dll"
Fri 15 Sep 2006 604,672 ...H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\Microsoft\Word\~WRL1884.tmp"
Wed 13 Sep 2006 354,304 ...H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\Microsoft\Word\~WRL2248.tmp"
Sat 3 Feb 2007 61,952 ...H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\Microsoft\Word\~WRL2806.tmp"
Sat 16 Sep 2006 809,472 ...H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\Microsoft\Word\~WRL3337.tmp"
Tue 23 Oct 2007 3,350,528 A..H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\U3\temp\Launchpad Removal.exe"
Mon 10 Sep 2007 8 A..H. --- "C:\Documents and Settings\cs\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 10 Sep 2007 8 A..H. --- "C:\Documents and Settings\cs\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 10 Sep 2007 8 A..H. --- "C:\Documents and Settings\cs\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 10 Sep 2007 8 A..H. --- "C:\Documents and Settings\cs\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 18 Apr 2007 8 A..H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 18 Apr 2007 8 A..H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sat 18 Aug 2007 8 A..H. --- "C:\Documents and Settings\Erin and Charlie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Finished!






ComboFix 08-04-26.5 - Erin and Charlie 2008-04-27 23:05:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.108 [GMT -5:00]
Running from: C:\Documents and Settings\Erin and Charlie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\mcroso~1
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\gQWayyxx.ini
C:\WINDOWS\system32\gQWayyxx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mcroso~1\e?plorer.exe
C:\WINDOWS\tsks~1
C:\WINDOWS\tsks~1\cmd.exe
C:\WINDOWS\tsks~1\T?sks\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_icf


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 22:16 . 2008-04-27 22:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-27 22:13 . 2008-04-27 22:44 <DIR> d-------- C:\SDFix
2008-04-27 22:03 . 2008-04-27 22:57 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-27 21:46 . 2008-04-27 21:51 <DIR> d-------- C:\fixwareout
2008-04-26 22:17 . 2008-04-26 22:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 22:17 . 2008-04-26 22:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-26 09:12 . 2008-04-26 09:12 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\Malwarebytes
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Panda Security
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\sal\Application Data\TmpRecentIcons
2008-04-25 21:32 . 2008-04-25 21:32 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Talkback
2008-04-25 20:29 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-04-25 08:03 . 2008-04-26 09:54 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-24 14:45 . 2008-04-24 14:45 10 --a------ C:\WINDOWS\wintst32.tmp
2008-04-24 09:29 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Symantec
2008-04-24 09:29 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Jasc Software Inc
2008-04-24 09:29 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Intel
2008-04-24 09:29 . 2008-04-24 11:28 <DIR> d-------- C:\Documents and Settings\sal
2008-04-24 09:29 . 2008-04-27 23:14 1,024 --ah----- C:\Documents and Settings\sal\ntuser.dat.LOG
2008-04-23 13:19 . 2008-04-23 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pfxiegft
2008-04-22 09:32 . 2008-04-22 09:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eAcceleration
2008-04-21 16:46 . 2008-04-21 16:46 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\TmpRecentIcons
2008-04-21 16:15 . 2008-04-21 16:15 54,784 --a------ C:\WINDOWS\system32\lght.ln
2008-04-21 16:15 . 2008-04-21 16:15 32,768 --a------ C:\WINDOWS\system32\pryx.ln
2008-04-21 16:15 . 2008-04-21 16:15 28,672 --a------ C:\WINDOWS\system32\sbmf.ln
2008-04-21 16:15 . 2008-04-21 16:15 28,672 --a------ C:\WINDOWS\system32\msnf.ln
2008-04-21 16:15 . 2008-04-21 16:15 28,672 --a------ C:\WINDOWS\system32\cc.ln
2008-04-21 15:19 . 2008-04-21 15:19 48,585 --a------ C:\WINDOWS\system32\acluij.sys
2008-04-21 15:19 . 2008-04-21 15:19 23,040 --ahs---- C:\WINDOWS\system32\1025u.dll
2008-04-21 15:18 . 2008-04-21 15:17 37,888 -rahs---- C:\WINDOWS\system32\aaaamonf.exe
2008-04-21 15:18 . 2008-04-24 07:36 32 --a-s---- C:\WINDOWS\system32\1362599455.dat
2008-04-21 15:17 . 2008-04-21 15:17 577,536 --a------ C:\WINDOWS\system32\user32.dll
2008-04-21 12:23 . 2008-04-26 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-20 16:14 . 2008-04-26 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wvabuvqr
2008-04-20 16:13 . 2008-04-27 22:31 <DIR> d-------- C:\WINDOWS\mgwwgmke
2008-04-20 16:13 . 2008-04-20 16:13 192,512 --a------ C:\WINDOWS\ufmfapcd.dll
2008-04-20 16:12 . 2008-04-25 14:22 194 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-20 16:12 . 2008-04-25 14:22 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-20 16:12 . 2008-04-25 20:08 8 -r-hs---- C:\WINDOWS\megavid.cdt
2008-04-20 16:10 . 2008-04-20 16:10 6,656 --a------ C:\WINDOWS\strictions.dll
2008-04-16 13:02 . 2008-03-10 20:14 100,696 --a------ C:\WINDOWS\system32\drivers\fwcore.sys
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\Acceleration Software
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\eAcceleration
2008-04-16 12:52 . 2008-04-16 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eAcceleration
2008-04-16 12:51 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\eAcceleration
2008-04-16 12:51 . 2008-04-16 14:20 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2008-04-09 21:07 . 2008-03-01 08:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-09 21:07 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-09 21:07 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-09 21:07 . 2008-03-01 08:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-09 21:07 . 2008-03-01 08:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-09 21:07 . 2008-03-01 08:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-09 21:07 . 2008-03-01 08:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-09 21:07 . 2008-03-01 08:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-09 21:07 . 2008-02-22 05:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-08 19:26 . 2008-04-21 08:45 <DIR> d-------- C:\Documents and Settings\cs\Application Data\eAcceleration
2008-04-08 18:37 . 2008-04-08 18:37 <DIR> d-------- C:\Registry Mechanic 5
2008-04-08 18:35 . 2008-04-08 18:37 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\U3
2008-04-08 09:28 . 2008-04-08 09:28 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\SUPERAntiSpyware.com
2008-04-07 20:36 . 2008-04-07 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 20:33 . 2008-04-07 20:33 <DIR> d-------- C:\Documents and Settings\cs\Application Data\SUPERAntiSpyware.com
2008-04-07 20:19 . 2008-04-07 20:19 <DIR> d-------- C:\Documents and Settings\cs\Application Data\Grisoft
2008-04-07 18:12 . 2008-04-07 18:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 18:09 . 2008-04-07 18:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-07 18:06 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 18:06 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-04-07 18:06 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-07 18:06 . 2008-04-25 12:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-07 18:06 . 2008-04-07 20:08 786,432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.rmbak
2008-04-07 18:06 . 2008-04-27 23:05 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-07 17:27 . 2008-04-07 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 18:56 . 2008-04-08 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-05 17:06 . 2008-04-05 17:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-05 17:00 . 2008-04-05 17:18 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\.housecall6.6
2008-04-05 10:58 . 2008-04-08 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-05 10:32 . 2008-04-05 10:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-05 10:32 . 2008-04-05 10:33 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\AVG7
2008-04-05 10:31 . 2008-04-26 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-05 09:51 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 15:46 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-18 23:21 --------- d-----w C:\Program Files\FriendBlasterPro
2008-04-16 04:27 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\AdobeUM
2008-04-16 03:38 --------- d-----w C:\Program Files\Java
2008-04-08 21:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 21:00 --------- d-----w C:\Program Files\Dell
2008-04-08 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-08 14:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 14:19 --------- d-----w C:\Program Files\Bonjour
2008-04-08 14:10 --------- d-----w C:\Program Files\MySpace
2008-04-02 20:28 --------- d-----w C:\Documents and Settings\cs\Application Data\Symantec
2008-03-20 21:20 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\LimeWire
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 02:47 --------- d-----w C:\Program Files\Netflix
2008-03-13 19:33 --------- d-----w C:\Program Files\Dl_cats
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-01 09:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2008-01-29 04:06 13 ---h--w C:\Documents and Settings\All Users\Application Data\ys.sys
2006-04-14 04:13 8 ----a-w C:\Documents and Settings\Erin and Charlie\Application Data\usb.dat.bin
2006-07-17 03:52 56 --sh--r C:\WINDOWS\system32\6C8C8E3348.sys
2006-07-17 03:52 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 10:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\dllcache\user32.dll

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45383823-0C19-4C5D-B9C2-C44C53D97B4C}]
C:\WINDOWS\system32\xxyyaWQg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9cac3cda-d467-85c1-15e7-a38f00227ce0}]
C:\WINDOWS\system32\tpl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 19:39 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"Sen"="C:\WINDOWS\TSKS~1\cmd.exe" [ ]
"Tvnmm"="C:\WINDOWS\system32\M?crosoft\e?plorer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41 69632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-23 16:05 180269]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"RegistryMechanic"="" []
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [2008-03-24 18:10 173392]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [2007-12-10 21:13 152976]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-12-19 14:50 140696]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [2007-12-19 21:20 771504]
"Sto
  • 0

#5
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Please re-post just the combofix log, and the fresh Hijackthis log, They got cut off :)
  • 0

#6
CharlieSal7

CharlieSal7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thanks again. Here it is. My computer is running fine, but my Stop Sign scanner says I am still infected with the following:

Trojan.Starter.384: Virus
c:\windows\explorer.exe is Infected.
c:\windows\system32\spoolsv.exe is Infected.
c:\windows\system32\lsass.exe is Infected.
c:\windows\system32\svchost.exe is Infected.
c:\windows\system32\services.exe is Infected.



ComboFix 08-04-26.5 - Erin and Charlie 2008-04-27 23:05:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.108 [GMT -5:00]
Running from: C:\Documents and Settings\Erin and Charlie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\mcroso~1
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\gQWayyxx.ini
C:\WINDOWS\system32\gQWayyxx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mcroso~1\e?plorer.exe
C:\WINDOWS\tsks~1
C:\WINDOWS\tsks~1\cmd.exe
C:\WINDOWS\tsks~1\T?sks\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_icf


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 22:16 . 2008-04-27 22:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-27 22:13 . 2008-04-27 22:44 <DIR> d-------- C:\SDFix
2008-04-27 22:03 . 2008-04-27 22:57 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-27 21:46 . 2008-04-27 21:51 <DIR> d-------- C:\fixwareout
2008-04-26 22:17 . 2008-04-26 22:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 22:17 . 2008-04-26 22:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-26 09:12 . 2008-04-26 09:12 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\Malwarebytes
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Panda Security
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\sal\Application Data\TmpRecentIcons
2008-04-25 21:32 . 2008-04-25 21:32 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Talkback
2008-04-25 20:29 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-04-25 08:03 . 2008-04-26 09:54 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-24 14:45 . 2008-04-24 14:45 10 --a------ C:\WINDOWS\wintst32.tmp
2008-04-24 09:29 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Symantec
2008-04-24 09:29 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Jasc Software Inc
2008-04-24 09:29 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Intel
2008-04-24 09:29 . 2008-04-24 11:28 <DIR> d-------- C:\Documents and Settings\sal
2008-04-24 09:29 . 2008-04-27 23:14 1,024 --ah----- C:\Documents and Settings\sal\ntuser.dat.LOG
2008-04-23 13:19 . 2008-04-23 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pfxiegft
2008-04-22 09:32 . 2008-04-22 09:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eAcceleration
2008-04-21 16:46 . 2008-04-21 16:46 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\TmpRecentIcons
2008-04-21 16:15 . 2008-04-21 16:15 54,784 --a------ C:\WINDOWS\system32\lght.ln
2008-04-21 16:15 . 2008-04-21 16:15 32,768 --a------ C:\WINDOWS\system32\pryx.ln
2008-04-21 16:15 . 2008-04-21 16:15 28,672 --a------ C:\WINDOWS\system32\sbmf.ln
2008-04-21 16:15 . 2008-04-21 16:15 28,672 --a------ C:\WINDOWS\system32\msnf.ln
2008-04-21 16:15 . 2008-04-21 16:15 28,672 --a------ C:\WINDOWS\system32\cc.ln
2008-04-21 15:19 . 2008-04-21 15:19 48,585 --a------ C:\WINDOWS\system32\acluij.sys
2008-04-21 15:19 . 2008-04-21 15:19 23,040 --ahs---- C:\WINDOWS\system32\1025u.dll
2008-04-21 15:18 . 2008-04-21 15:17 37,888 -rahs---- C:\WINDOWS\system32\aaaamonf.exe
2008-04-21 15:18 . 2008-04-24 07:36 32 --a-s---- C:\WINDOWS\system32\1362599455.dat
2008-04-21 15:17 . 2008-04-21 15:17 577,536 --a------ C:\WINDOWS\system32\user32.dll
2008-04-21 12:23 . 2008-04-26 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-20 16:14 . 2008-04-26 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\wvabuvqr
2008-04-20 16:13 . 2008-04-27 22:31 <DIR> d-------- C:\WINDOWS\mgwwgmke
2008-04-20 16:13 . 2008-04-20 16:13 192,512 --a------ C:\WINDOWS\ufmfapcd.dll
2008-04-20 16:12 . 2008-04-25 14:22 194 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-20 16:12 . 2008-04-25 14:22 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-20 16:12 . 2008-04-25 20:08 8 -r-hs---- C:\WINDOWS\megavid.cdt
2008-04-20 16:10 . 2008-04-20 16:10 6,656 --a------ C:\WINDOWS\strictions.dll
2008-04-16 13:02 . 2008-03-10 20:14 100,696 --a------ C:\WINDOWS\system32\drivers\fwcore.sys
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\Acceleration Software
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\eAcceleration
2008-04-16 12:52 . 2008-04-16 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eAcceleration
2008-04-16 12:51 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\eAcceleration
2008-04-16 12:51 . 2008-04-16 14:20 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2008-04-09 21:07 . 2008-03-01 08:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-09 21:07 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-09 21:07 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-09 21:07 . 2008-03-01 08:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-09 21:07 . 2008-03-01 08:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-09 21:07 . 2008-03-01 08:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-09 21:07 . 2008-03-01 08:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-09 21:07 . 2008-03-01 08:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-09 21:07 . 2008-02-22 05:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-08 19:26 . 2008-04-21 08:45 <DIR> d-------- C:\Documents and Settings\cs\Application Data\eAcceleration
2008-04-08 18:37 . 2008-04-08 18:37 <DIR> d-------- C:\Registry Mechanic 5
2008-04-08 18:35 . 2008-04-08 18:37 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\U3
2008-04-08 09:28 . 2008-04-08 09:28 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\SUPERAntiSpyware.com
2008-04-07 20:36 . 2008-04-07 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 20:33 . 2008-04-07 20:33 <DIR> d-------- C:\Documents and Settings\cs\Application Data\SUPERAntiSpyware.com
2008-04-07 20:19 . 2008-04-07 20:19 <DIR> d-------- C:\Documents and Settings\cs\Application Data\Grisoft
2008-04-07 18:12 . 2008-04-07 18:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 18:09 . 2008-04-07 18:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-07 18:06 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 18:06 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-04-07 18:06 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-07 18:06 . 2008-04-25 12:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-07 18:06 . 2008-04-07 20:08 786,432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.rmbak
2008-04-07 18:06 . 2008-04-27 23:05 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-07 17:27 . 2008-04-07 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 18:56 . 2008-04-08 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-05 17:06 . 2008-04-05 17:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-05 17:00 . 2008-04-05 17:18 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\.housecall6.6
2008-04-05 10:58 . 2008-04-08 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-05 10:32 . 2008-04-05 10:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-05 10:32 . 2008-04-05 10:33 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\AVG7
2008-04-05 10:31 . 2008-04-26 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-05 09:51 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 15:46 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-18 23:21 --------- d-----w C:\Program Files\FriendBlasterPro
2008-04-16 04:27 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\AdobeUM
2008-04-16 03:38 --------- d-----w C:\Program Files\Java
2008-04-08 21:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 21:00 --------- d-----w C:\Program Files\Dell
2008-04-08 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-08 14:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 14:19 --------- d-----w C:\Program Files\Bonjour
2008-04-08 14:10 --------- d-----w C:\Program Files\MySpace
2008-04-02 20:28 --------- d-----w C:\Documents and Settings\cs\Application Data\Symantec
2008-03-20 21:20 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\LimeWire
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 02:47 --------- d-----w C:\Program Files\Netflix
2008-03-13 19:33 --------- d-----w C:\Program Files\Dl_cats
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-01 09:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2008-01-29 04:06 13 ---h--w C:\Documents and Settings\All Users\Application Data\ys.sys
2006-04-14 04:13 8 ----a-w C:\Documents and Settings\Erin and Charlie\Application Data\usb.dat.bin
2006-07-17 03:52 56 --sh--r C:\WINDOWS\system32\6C8C8E3348.sys
2006-07-17 03:52 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 10:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\dllcache\user32.dll

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45383823-0C19-4C5D-B9C2-C44C53D97B4C}]
C:\WINDOWS\system32\xxyyaWQg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9cac3cda-d467-85c1-15e7-a38f00227ce0}]
C:\WINDOWS\system32\tpl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 19:39 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"Sen"="C:\WINDOWS\TSKS~1\cmd.exe" [ ]
"Tvnmm"="C:\WINDOWS\system32\M?crosoft\e?plorer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41 69632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-23 16:05 180269]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"RegistryMechanic"="" []
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [2008-03-24 18:10 173392]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [2007-12-10 21:13 152976]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-12-19 14:50 140696]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [2007-12-19 21:20 771504]
"StopSignSsFwMon"="C:\Program Files\eAcceleration\Firewall\ssfwmon.dll" [2008-03-05 15:41 222544]
"e8b12e5b"="C:\WINDOWS\system32\mrflbeqk.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-12-19 14:50 140696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]
"InetChk"="C:\WINDOWS\TEMP\ms1209350972.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-08-06 04:08:57 156784]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UnknownDrive"= {984ee551-8974-4ea3-86bc-972c67babd16} - C:\WINDOWS\Resources\UnknownDrive.dll [ ]
"kRnvR"= {E8B12EF5-421B-845F-A444-6EFABDEE9A4C} - C:\WINDOWS\system32\vk.dll [2007-04-16 10:52 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnllff]
opnnlLff.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\FriendBlasterPro\\FriendBlasterPro.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8925:TCP"= 8925:TCP:BitComet 8925 TCP
"8925:UDP"= 8925:UDP:BitComet 8925 UDP

R0 fwcore;Fwcore Filter;C:\WINDOWS\system32\drivers\fwcore.sys [2008-03-10 20:14]
R2 eac_notifysvc;eAcceleration Notification Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe" [2008-03-24 18:46]
R2 eac_productsvc;eAcceleration Product Manager Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" [2008-03-24 18:46]
R2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe [2008-03-10 20:14]
R2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe" [2007-11-06 18:04]
S2 dhcpadvservice;DHCP Client DhcpADVService;C:\WINDOWS\system32\aaaamonf.exe [2008-04-21 15:17]
S2 wzcsvcrasauto;Wireless Zero Configuration WZCSVCRasAuto;C:\WINDOWS\system32\6C8C8E3348v.exe []
S3 EraserUtilDrv10501;EraserUtilDrv10501;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10501.sys []
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-01-11 03:30]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-01-11 03:30]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-01-11 03:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 04:21:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 23:16:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 28160 bytes executable
C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 41023 bytes executable

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
.
**************************************************************************
.
Completion time: 2008-04-27 23:24:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 04:24:09

Pre-Run: 32,518,225,920 bytes free
Post-Run: 32,805,326,848 bytes free

299 --- E O F --- 2008-04-16 03:22:17




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:24 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = I
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ˆ
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = úp’w
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {45383823-0C19-4C5D-B9C2-C44C53D97B4C} - C:\WINDOWS\system32\xxyyaWQg.dll (file missing)
O2 - BHO: (no name) - {9cac3cda-d467-85c1-15e7-a38f00227ce0} - C:\WINDOWS\system32\tpl.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [e8b12e5b] rundll32.exe "C:\WINDOWS\system32\mrflbeqk.dll",b
O4 - HKLM\..\RunOnce: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\TSKS~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Tvnmm] C:\WINDOWS\system32\M?crosoft\e?plorer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1209350972.exe work (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://intranet.ntc.edu/qp2.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_9.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O20 - Winlogon Notify: opnnllff - opnnlLff.dll (file missing)
O21 - SSODL: UnknownDrive - {984ee551-8974-4ea3-86bc-972c67babd16} - C:\WINDOWS\Resources\UnknownDrive.dll (file missing)
O21 - SSODL: kRnvR - {E8B12EF5-421B-845F-A444-6EFABDEE9A4C} - C:\WINDOWS\system32\vk.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DHCP Client DhcpADVService (dhcpadvservice) - Unknown owner - C:\WINDOWS\system32\aaaamonf.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FWService - eAcceleration Corp - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Wireless Zero Configuration WZCSVCRasAuto (wzcsvcrasauto) - Unknown owner - C:\WINDOWS\system32\6C8C8E3348v.exe (file missing)
O23 - Service: Network Provisioning Service xmlprovose (xmlprovose) - Unknown owner - C:\WINDOWS\system32\actskn43p.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 13420 bytes
  • 0

#7
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi CharlieSal7 ,

Looking better but we still got a bit to do….


Your copy of HijackThis needs to be in a folder of it's own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file, Temporary folders, desktop, etc.. because the backups will most likely be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

  • Please go to Start > My Computer > C:\
  • right-click and select New > Folder then name the folder 'HJT'.
  • Copy and paste HijackThis.exe to the new folder.

===============================================


Combofix Script.txt

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\system32\lght.ln
C:\WINDOWS\system32\pryx.ln
C:\WINDOWS\system32\sbmf.ln
C:\WINDOWS\system32\msnf.ln
C:\WINDOWS\system32\cc.ln
C:\WINDOWS\system32\acluij.sys
C:\WINDOWS\system32\1025u.dll
C:\WINDOWS\system32\aaaamonf.exe
C:\WINDOWS\system32\1362599455.dat
C:\WINDOWS\ufmfapcd.dll
C:\WINDOWS\mainms.vpi
C:\WINDOWS\muotr.so
C:\WINDOWS\megavid.cdt
C:\WINDOWS\strictions.dll
C:\WINDOWS\system32\xxyyaWQg.dll
C:\WINDOWS\system32\tpl.dll
Folder::
C:\WINDOWS\mgwwgmke
C:\Documents and Settings\All Users\Application Data\pfxiegft
C:\Documents and Settings\All Users\Application Data\wvabuvqr
C:\Documents and Settings\All Users\Application Data\SecTaskMan
Rootkit::
C:\WINDOWS\system32\drivers\clbdriver.sys
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnllff]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45383823-0C19-4C5D-B9C2-C44C53D97B4C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9cac3cda-d467-85c1-15e7-a38f00227ce0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"=- 
"Tvnmm"=- 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e8b12e5b"=- 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"InetChk"=- 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UnknownDrive"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
===============================================


Needed in you next reply:

"C:\ComboFix.txt"
Malwarebytes results
new HijackThis log

Also let me know how things are running :)
  • 0

#8
CharlieSal7

CharlieSal7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
OK, This is kind of fun for some reason. The scan came back clean, The Stop Sign program still shows the same 5 virus's that it can't cure. Heres what I got:

ComboFix 08-04-26.5 - Erin and Charlie 2008-04-28 13:36:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.101 [GMT -5:00]
Running from: C:\Documents and Settings\Erin and Charlie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Erin and Charlie\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\strictions.dll
C:\WINDOWS\system32\1025u.dll
C:\WINDOWS\system32\1362599455.dat
C:\WINDOWS\system32\aaaamonf.exe
C:\WINDOWS\system32\acluij.sys
C:\WINDOWS\system32\cc.ln
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\lght.ln
C:\WINDOWS\system32\msnf.ln
C:\WINDOWS\system32\pryx.ln
C:\WINDOWS\system32\sbmf.ln
C:\WINDOWS\system32\tpl.dll
C:\WINDOWS\system32\xxyyaWQg.dll
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\ufmfapcd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\pfxiegft
C:\Documents and Settings\All Users\Application Data\pfxiegft\urilwlob.exe
C:\Documents and Settings\All Users\Application Data\SecTaskMan
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_entreelist.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_00F73955B96A9404D8A3C1779247B2F6
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_00F73955B96A9404D8A3C1779247B2F6.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0296961D4979CBB4A803A78867D35E2A
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0296961D4979CBB4A803A78867D35E2A.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_038648152B7E812498867BF7F04F578B
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_038648152B7E812498867BF7F04F578B.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_06E9C39A6B92ad94AB127FA06CAAED02
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_06E9C39A6B92ad94AB127FA06CAAED02.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0BE7C4FEB17D3A3459250835EDB44010
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0BE7C4FEB17D3A3459250835EDB44010.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0CAE291463B632742B610D8EE67775CA
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0CAE291463B632742B610D8EE67775CA.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0E23E40C6140D434FA9B96967D309AFE.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0EA0DB261BE4BBB4F8346B04C0F8BEC2
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0EA0DB261BE4BBB4F8346B04C0F8BEC2.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_12341
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_12345
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_13353B9B4E7BC5E4FBC4B78C876521D4
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_13353B9B4E7BC5E4FBC4B78C876521D4.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_14367109B8A0CCC47AD88F2622A8B659
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_14367109B8A0CCC47AD88F2622A8B659.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_14B0B2E080E7F9F42BF1144C31F3347B
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_14B0B2E080E7F9F42BF1144C31F3347B.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_164AFE3E38BEB3C4C974C2D1850A5155
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_164AFE3E38BEB3C4C974C2D1850A5155.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_18796D2C293F81145A7A7C9E3CD8FB2C
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_18796D2C293F81145A7A7C9E3CD8FB2C.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_192F91FAF22F89746926253550EAE984
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_192F91FAF22F89746926253550EAE984.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_193EC481E0E736C499537D1AE0FD3D6C
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_193EC481E0E736C499537D1AE0FD3D6C.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1A8728277BB04E54CAE5197D0CDFE1ED
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1A8728277BB04E54CAE5197D0CDFE1ED.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1A9AF58E142C896498B3DD9905B9D80B
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1A9AF58E142C896498B3DD9905B9D80B.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1AA3974510054F24BA6B3C4616C70687
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1AA3974510054F24BA6B3C4616C70687.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1AB829B8CEDE72242AADDD3820C6635F
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1AB829B8CEDE72242AADDD3820C6635F.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1F3B805BA42A0C233B0158879691FE82
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1F3B805BA42A0C233B0158879691FE82.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1FFEDB53016A65940AD05154C3113659
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_1FFEDB53016A65940AD05154C3113659.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_20943A18B0D902942AC5C4CDD5413B82
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_20943A18B0D902942AC5C4CDD5413B82.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_20B58AD20C31D6E4A967226E3BDDC02B
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_20B58AD20C31D6E4A967226E3BDDC02B.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_222D0B0912C853B42926350B241FA89F
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_222D0B0912C853B42926350B241FA89F.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2894BB3325CD68840AB34F5C8CB0EE98
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2894BB3325CD68840AB34F5C8CB0EE98.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_298B8B65E713EDF4E9D4441B9848A872
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_298B8B65E713EDF4E9D4441B9848A872.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_29FE602138E29584CABC02843CBCD76A
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_29FE602138E29584CABC02843CBCD76A.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2DF2B9F338C1104499763C3666839E85
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2DF2B9F338C1104499763C3666839E85.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2E8086E8D316DCF4182AC6F88A0E3321
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2E8086E8D316DCF4182AC6F88A0E3321.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_30E490804EFA3584D913D67034FD3582
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_30E490804EFA3584D913D67034FD3582.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_324F0FDFF18F7AE4BA1DAABC6BF06344
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_324F0FDFF18F7AE4BA1DAABC6BF06344.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_3F156ACFADB5ADD4E9A4D5786D19C44C
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_3F156ACFADB5ADD4E9A4D5786D19C44C.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_41858184422Aa74418AD17DB0285E0B1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_41858184422Aa74418AD17DB0285E0B1.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_41F77A4680E079A48A959EC3FF247865
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_41F77A4680E079A48A959EC3FF247865.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_45E1A0ACF0EC66340BC98AB716CD6533
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_45E1A0ACF0EC66340BC98AB716CD6533.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_467F8159D45C2B74E93751B4127EF92D
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_467F8159D45C2B74E93751B4127EF92D.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4CC3B7AED6636FC43805DFA7074311E6
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4CC3B7AED6636FC43805DFA7074311E6.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4DE556595AC7FD6409F7174478A7235E
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4DE556595AC7FD6409F7174478A7235E.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4EAC60FA431C1B446B9941BFBD36DB73
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4EAC60FA431C1B446B9941BFBD36DB73.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4EB41ED640F65394A8DB0A1AF92E5EA5
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4EB41ED640F65394A8DB0A1AF92E5EA5.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4F56621B39E44BA47BCF7350B3256492
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4F56621B39E44BA47BCF7350B3256492.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4F57260AB42358E4596E782BDC274910
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4F57260AB42358E4596E782BDC274910.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_530AA3052E1485843BF1E194CA663C90
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_530AA3052E1485843BF1E194CA663C90.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_535D51ADD1E567045B02581743D62683
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_535D51ADD1E567045B02581743D62683.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_544ADF5B4CAC6AB48ABF7A12B24D93ED
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_544ADF5B4CAC6AB48ABF7A12B24D93ED.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_55716C7B84BD300449F8D343BDE8FA96
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_55716C7B84BD300449F8D343BDE8FA96.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_55EEFB3E2E930EB49B6698EF8583221C
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_55EEFB3E2E930EB49B6698EF8583221C.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_568774731F3A2774DA34AACFB6FC9FF9
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_568774731F3A2774DA34AACFB6FC9FF9.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5738F3BC006BF9B4389C32E81D5E38DF
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5738F3BC006BF9B4389C32E81D5E38DF.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_579682ED1FCA8B54E97F431E262B8C71
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_579682ED1FCA8B54E97F431E262B8C71.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5A60346F23C4bb141B3535895672AF4B
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5A60346F23C4bb141B3535895672AF4B.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5C3BD7DD3AF63AF4A8172C2F49E00B92
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5C3BD7DD3AF63AF4A8172C2F49E00B92.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5E786D944876B1340A2AF2328BCCA5B1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5E786D944876B1340A2AF2328BCCA5B1.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5F374570A648B844CB3B01A41A672050
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_5F374570A648B844CB3B01A41A672050.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_609461C2F86EA264090107DD202232FE
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_609461C2F86EA264090107DD202232FE.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_6350C2CFC3850c6448A426ECAC0EF122
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_6350C2CFC3850c6448A426ECAC0EF122.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_63F69A0E645DA2A4DBAAA2A275B8C2D0
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_63F69A0E645DA2A4DBAAA2A275B8C2D0.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_65598CC98753DD844880406EE6EB4F10
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_65598CC98753DD844880406EE6EB4F10.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_687A92B33085e9e4B98503415A4B5E91
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_687A92B33085e9e4B98503415A4B5E91.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA000000000000068247A7ED10
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA000000000000068247A7ED10.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7440A0000000010
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7440A0000000010.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_71A0906F7690A8A43B3C24A2B115D494
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_71A0906F7690A8A43B3C24A2B115D494.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7208564961F99054BB7D5AF95EC70332
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7208564961F99054BB7D5AF95EC70332.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_721000CCD5E5C1A409BCEEAACAE1A30C
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_721000CCD5E5C1A409BCEEAACAE1A30C.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_74AB54E6C383E1C4E80DD084542C397D
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_74AB54E6C383E1C4E80DD084542C397D.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_798EA96EB0E9C584582587144FD8248D
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_798EA96EB0E9C584582587144FD8248D.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_79AE5E9247F575A48B2B4D1F96111738
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_79AE5E9247F575A48B2B4D1F96111738.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7B9D5BE0C6E8E9A47BF4617BEE986AB7
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7B9D5BE0C6E8E9A47BF4617BEE986AB7.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7D449D87B79A4004BAA05BDA60389904
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7D449D87B79A4004BAA05BDA60389904.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7dbe654076f56ba458e23687e1f383c9
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7dbe654076f56ba458e23687e1f383c9.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_87627777F71810443910DED1108AAD65
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_87627777F71810443910DED1108AAD65.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_88B9552DD9CC84B418BB4F29AB9A4CC8
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_88B9552DD9CC84B418BB4F29AB9A4CC8.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F841731866D117AB7000B0D410203
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F841731866D117AB7000B0D410203.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D610003
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D610003.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A24973FB12BA5C41A2D6B67FB55AE0E
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A24973FB12BA5C41A2D6B67FB55AE0E.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8CDF1771648D77B499A68CD0DA240CF3
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8CDF1771648D77B499A68CD0DA240CF3.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8E54F9B4EC3E4B044936089A3B84D1FE
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8E54F9B4EC3E4B044936089A3B84D1FE.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9040110900063D11C8EF10054038389C
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9040110900063D11C8EF10054038389C.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_91823B80FEE67504EAADA56B183AA632
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_91823B80FEE67504EAADA56B183AA632.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_91C0B5CA158D4F24DB0A14E0FCF7075A
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_91C0B5CA158D4F24DB0A14E0FCF7075A.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9399EE5EF9522ED40832C5941EA6F434
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9399EE5EF9522ED40832C5941EA6F434.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9866FB3BD18A8D04A968A44CCA9DCFC1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9866FB3BD18A8D04A968A44CCA9DCFC1.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9A177208658A14A4CA7F41055E329C32
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9A177208658A14A4CA7F41055E329C32.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9B694C87B6A52964C8E2FAFF3CE49416
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9B694C87B6A52964C8E2FAFF3CE49416.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9CFA723DAAB7A3743891E67B0A4D1083
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9CFA723DAAB7A3743891E67B0A4D1083.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9D4289C9000937346A5A0D5E4D383149
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9D4289C9000937346A5A0D5E4D383149.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9E9B2E211B50d7040BDF5B3F05351552
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9E9B2E211B50d7040BDF5B3F05351552.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A21B345F5F31E78439417F2DE5B1EBE3
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A21B345F5F31E78439417F2DE5B1EBE3.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A29FFD0DE29404C48B267AA471C3525C
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A29FFD0DE29404C48B267AA471C3525C.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A3689B9BDF233314DA7B6442E47D6749
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A3689B9BDF233314DA7B6442E47D6749.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A695D9E34D169324DB91D29B482D1AF6
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A695D9E34D169324DB91D29B482D1AF6.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A78580CF10F4881418F95F8508209271
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A78580CF10F4881418F95F8508209271.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A7D67D1CBB3FAE747A64B5E1F2CFD12F
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A7D67D1CBB3FAE747A64B5E1F2CFD12F.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A7DD5FF682EF93448BFCE1A94FAEA016
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A7DD5FF682EF93448BFCE1A94FAEA016.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A8B7DDAD0BCB5F4469A7CE6B4B2FCE9D
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_A8B7DDAD0BCB5F4469A7CE6B4B2FCE9D.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_ACDF24ADA5C7FE34A950CC1E84DA9F91
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_ACDF24ADA5C7FE34A950CC1E84DA9F91.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B0B35DEDC76B4424EAA66DDFC3821DFE
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B0B35DEDC76B4424EAA66DDFC3821DFE.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B4386F8D7E5D154468180B15BA8D65D1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B4386F8D7E5D154468180B15BA8D65D1.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B9349D61D3FD1D347A72B43335000DA7
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B9349D61D3FD1D347A72B43335000DA7.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B9C807BA8C799CA498B9BD2F62CA3928
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B9C807BA8C799CA498B9BD2F62CA3928.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BC5F2953425BAA34292F3277621899CC
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BC5F2953425BAA34292F3277621899CC.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BDAAB9AC262C50E42B2EEC8EEC8990CE
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BDAAB9AC262C50E42B2EEC8EEC8990CE.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C2667F47BD1BE9848ACA700AB64279B8
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C2667F47BD1BE9848ACA700AB64279B8.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C6B56403F35B1A94E9AB3A1F78DA05E2
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C6B56403F35B1A94E9AB3A1F78DA05E2.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CD5DA6254CFCa2f448248CC49CD1C6F7
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CD5DA6254CFCa2f448248CC49CD1C6F7.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D24F5095F5F36194DA6A493A46A6EE67
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D24F5095F5F36194DA6A493A46A6EE67.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D2F65FEBDE656714FB27B7864D3A9BD8
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D2F65FEBDE656714FB27B7864D3A9BD8.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D36577651BC0f584E9815C203560BBF3
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D36577651BC0f584E9815C203560BBF3.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D702FA4077A9A564B86799F1A66B2654
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_D702FA4077A9A564B86799F1A66B2654.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DB242B2AD8FF0484D9AA1907AEEB5CC9
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DB242B2AD8FF0484D9AA1907AEEB5CC9.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DEA27ECB2333368459765CCD9B50C22A
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DEA27ECB2333368459765CCD9B50C22A.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DFA8EB602E8A36B4AB7E8207611DA6BC
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DFA8EB602E8A36B4AB7E8207611DA6BC.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E47EFFF6DBF3E2E4799FE5A9A2706762
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E47EFFF6DBF3E2E4799FE5A9A2706762.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E9384A458F781DB469283A949E49F3A0
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E9384A458F781DB469283A949E49F3A0.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E9A3F9443099d0a42A908030D0549A53
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E9A3F9443099d0a42A908030D0549A53.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_EEB0EBA6275D8EF44B43E9272A9834B1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_EEB0EBA6275D8EF44B43E9272A9834B1.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_F6E5AFE77F47BFA4A8AEAA97B03D7AD6
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_F6E5AFE77F47BFA4A8AEAA97B03D7AD6.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_F863BF329931CAE418C7B438CEEBD338
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_F863BF329931CAE418C7B438CEEBD338.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FC6B5F6CC906E82478F6AC3871C620B1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FC6B5F6CC906E82478F6AC3871C620B1.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FE7CFB0F8FC9EE44190B518848DC785C
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FE7CFB0F8FC9EE44190B518848DC785C.dll
C:\Documents and Settings\All Users\Application Data\wvabuvqr
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\mgwwgmke
C:\WINDOWS\mgwwgmke\Thumbs.db
C:\WINDOWS\muotr.so
C:\WINDOWS\strictions.dll
C:\WINDOWS\system32\1025u.dll
C:\WINDOWS\system32\aaaamonf.exe
C:\WINDOWS\system32\acluij.sys
C:\WINDOWS\system32\cc.ln
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\lght.ln
C:\WINDOWS\system32\msnf.ln
C:\WINDOWS\system32\pryx.ln
C:\WINDOWS\system32\sbmf.ln
C:\WINDOWS\system32\ZoneAlarmIconUS.ico
C:\WINDOWS\ufmfapcd.dll
C:\WINDOWS\system32\1362599455.dat . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_dhcpadvservice
-------\Service_dhcpadvservice


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-28 13:45 . 2008-04-28 13:45 32 --a------ C:\WINDOWS\system32\1362599455.dat
2008-04-28 13:31 . 2008-04-28 13:33 <DIR> d-------- C:\HJT
2008-04-28 08:25 . 2008-04-28 08:24 37,888 -r-hs---- C:\WINDOWS\system32\actskn43p.exe
2008-04-27 22:16 . 2008-04-27 22:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-27 22:13 . 2008-04-27 22:44 <DIR> d-------- C:\SDFix
2008-04-27 22:03 . 2008-04-27 22:57 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-27 21:46 . 2008-04-27 21:51 <DIR> d-------- C:\fixwareout
2008-04-26 22:17 . 2008-04-26 22:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 22:17 . 2008-04-26 22:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-26 09:12 . 2008-04-26 09:12 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\Malwarebytes
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Panda Security
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\sal\Application Data\TmpRecentIcons
2008-04-25 21:32 . 2008-04-25 21:32 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Talkback
2008-04-25 20:29 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-04-24 14:45 . 2008-04-24 14:45 10 --a------ C:\WINDOWS\wintst32.tmp
2008-04-24 09:29 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Symantec
2008-04-24 09:29 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Jasc Software Inc
2008-04-24 09:29 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Intel
2008-04-24 09:29 . 2008-04-24 11:28 <DIR> d-------- C:\Documents and Settings\sal
2008-04-24 09:29 . 2008-04-28 13:44 1,024 --ah----- C:\Documents and Settings\sal\ntuser.dat.LOG
2008-04-22 09:32 . 2008-04-22 09:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eAcceleration
2008-04-21 16:46 . 2008-04-21 16:46 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\TmpRecentIcons
2008-04-21 15:17 . 2008-04-21 15:17 577,536 --a------ C:\WINDOWS\system32\user32.dll
2008-04-21 12:23 . 2008-04-26 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-16 13:02 . 2008-03-10 20:14 100,696 --a------ C:\WINDOWS\system32\drivers\fwcore.sys
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\Acceleration Software
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\eAcceleration
2008-04-16 12:52 . 2008-04-16 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eAcceleration
2008-04-16 12:51 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\eAcceleration
2008-04-16 12:51 . 2008-04-16 14:20 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2008-04-09 21:07 . 2008-03-01 08:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-09 21:07 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-09 21:07 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-09 21:07 . 2008-03-01 08:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-09 21:07 . 2008-03-01 08:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-09 21:07 . 2008-03-01 08:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-09 21:07 . 2008-03-01 08:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-09 21:07 . 2008-03-01 08:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-09 21:07 . 2008-02-22 05:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-08 19:26 . 2008-04-21 08:45 <DIR> d-------- C:\Documents and Settings\cs\Application Data\eAcceleration
2008-04-08 18:37 . 2008-04-08 18:37 <DIR> d-------- C:\Registry Mechanic 5
2008-04-08 18:35 . 2008-04-08 18:37 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\U3
2008-04-08 09:28 . 2008-04-08 09:28 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\SUPERAntiSpyware.com
2008-04-07 20:36 . 2008-04-07 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 20:33 . 2008-04-07 20:33 <DIR> d-------- C:\Documents and Settings\cs\Application Data\SUPERAntiSpyware.com
2008-04-07 20:19 . 2008-04-07 20:19 <DIR> d-------- C:\Documents and Settings\cs\Application Data\Grisoft
2008-04-07 18:12 . 2008-04-07 18:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 18:09 . 2008-04-07 18:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-07 18:06 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 18:06 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-04-07 18:06 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-07 18:06 . 2008-04-25 12:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-07 18:06 . 2008-04-07 20:08 786,432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.rmbak
2008-04-07 18:06 . 2008-04-27 23:05 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-07 17:27 . 2008-04-07 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 17:06 . 2008-04-05 17:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-05 17:00 . 2008-04-05 17:18 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\.housecall6.6
2008-04-05 10:58 . 2008-04-08 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-05 10:32 . 2008-04-05 10:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-05 10:32 . 2008-04-05 10:33 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\AVG7
2008-04-05 10:31 . 2008-04-26 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-05 10:06 . 2008-04-28 08:43 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-05 09:51 . 2008-04-28 08:43 29,184 --a------ C:\WINDOWS\system32\clbdll.dll
2008-04-05 09:51 . 2008-04-27 21:49 28,160 --a------ C:\WINDOWS\system32\clbdll.old
2008-04-05 09:51 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 15:09 --------- d-----w C:\Program Files\FriendBlasterPro
2008-04-16 04:27 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\AdobeUM
2008-04-16 03:38 --------- d-----w C:\Program Files\Java
2008-04-08 21:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 21:00 --------- d-----w C:\Program Files\Dell
2008-04-08 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-08 14:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 14:19 --------- d-----w C:\Program Files\Bonjour
2008-04-08 14:10 --------- d-----w C:\Program Files\MySpace
2008-04-02 20:28 --------- d-----w C:\Documents and Settings\cs\Application Data\Symantec
2008-03-20 21:20 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\LimeWire
2008-03-16 02:47 --------- d-----w C:\Program Files\Netflix
2008-03-13 19:33 --------- d-----w C:\Program Files\Dl_cats
2008-01-29 04:06 13 ---h--w C:\Documents and Settings\All Users\Application Data\ys.sys
2006-04-14 04:13 8 ----a-w C:\Documents and Settings\Erin and Charlie\Application Data\usb.dat.bin
2006-07-17 03:52 56 --sh--r C:\WINDOWS\system32\6C8C8E3348.sys
2006-07-17 03:52 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 10:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\dllcache\user32.dll

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_23.23.19.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2004-08-04 10:00:00 110,080 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-04 10:00:00 501,248 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
- 2008-04-28 04:14:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-28 18:44:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-08-04 10:00:00 10,752 ----a-w C:\WINDOWS\system32\clb.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll
- 2008-04-28 04:14:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-28 13:41:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-28 04:14:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-28 13:41:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-28 04:14:16 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-28 13:41:30 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 19:39 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41 69632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-23 16:05 180269]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"RegistryMechanic"="" []
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [2008-03-24 18:10 173392]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [2007-12-10 21:13 152976]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-12-19 14:50 140696]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [2007-12-19 21:20 771504]
"StopSignSsFwMon"="C:\Program Files\eAcceleration\Firewall\ssfwmon.dll" [2008-03-05 15:41 222544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-12-19 14:50 140696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-08-06 04:08:57 156784]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kRnvR"= {E8B12EF5-421B-845F-A444-6EFABDEE9A4C} - C:\WINDOWS\system32\vk.dll [2007-04-16 10:52 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\FriendBlasterPro\\FriendBlasterPro.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8925:TCP"= 8925:TCP:BitComet 8925 TCP
"8925:UDP"= 8925:UDP:BitComet 8925 UDP

R0 fwcore;Fwcore Filter;C:\WINDOWS\system32\drivers\fwcore.sys [2008-03-10 20:14]
R2 eac_notifysvc;eAcceleration Notification Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe" [2008-03-24 18:46]
R2 eac_productsvc;eAcceleration Product Manager Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" [2008-03-24 18:46]
R2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe [2008-03-10 20:14]
R2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe" [2007-11-06 18:04]
S2 wzcsvcrasauto;Wireless Zero Configuration WZCSVCRasAuto;C:\WINDOWS\system32\6C8C8E3348v.exe []
S2 xmlprovose;Network Provisioning Service xmlprovose;C:\WINDOWS\system32\actskn43p.exe [2008-04-28 08:24]
S3 EraserUtilDrv10501;EraserUtilDrv10501;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10501.sys []
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-01-11 03:30]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-01-11 03:30]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-01-11 03:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 18:51:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 13:46:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
.
**************************************************************************
.
Completion time: 2008-04-28 13:53:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 18:52:55
ComboFix2.txt 2008-04-28 04:24:27

Pre-Run: 37,049,413,632 bytes free
Post-Run: 37,075,787,776 bytes free

559 --- E O F --- 2008-04-16 03:22:17



Malwarebytes' Anti-Malware 1.11
Database version: 684

Scan type: Quick Scan
Objects scanned: 37176
Time elapsed: 12 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:30 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.
  • 0

#9
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
I’m sorry I should have mentioned it might take more then one post; the HijackThis log got cut off. Please repost the HijackThis log :)
  • 0

#10
CharlieSal7

CharlieSal7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I should have noticed. here it is again. Charlie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:30 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = I
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ˆ
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = úp’w
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\RunOnce: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://intranet.ntc.edu/qp2.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_9.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O21 - SSODL: kRnvR - {E8B12EF5-421B-845F-A444-6EFABDEE9A4C} - C:\WINDOWS\system32\vk.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FWService - eAcceleration Corp - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Wireless Zero Configuration WZCSVCRasAuto (wzcsvcrasauto) - Unknown owner - C:\WINDOWS\system32\6C8C8E3348v.exe (file missing)
O23 - Service: Network Provisioning Service xmlprovose (xmlprovose) - Unknown owner - C:\WINDOWS\system32\actskn43p.exe

--
End of file - 12380 bytes
  • 0

Advertisements


#11
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi CharlieSal7,

Now where getting somewhere…. I’m not sure why your AV is picking up these as infected :

c:\windows\system32\spoolsv.exe
c:\windows\system32\services.exe
c:\windows\system32\svchost.exe
c:\windows\system32\lsass.exe

These are legit as long as they are located at c:\windows\system32 and c:\windows\explorer.exe is also legit.


Combofix Script.txt

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\clbcfg.dat
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================


Jotti File Submission:

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\system32\actskn43p.exe
  • Click on the submit button
  • Please post the results in your next reply.

===============================================



Needed in you next reply:

"C:\ComboFix.txt"
Jotti File Submission results
new HijackThis log

Also let me know how every thing is running :)
  • 0

#12
CharlieSal7

CharlieSal7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here is what I have from Jotti:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


ComboFix 08-04-26.5 - Erin and Charlie 2008-04-28 16:58:13.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.124 [GMT -5:00]
Running from: C:\Documents and Settings\Erin and Charlie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Erin and Charlie\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\clbdll.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-28 16:56 . 2008-04-28 16:56 0 --a------ C:\Documents and Settings\Erin and Charlie\.exe
2008-04-28 13:45 . 2008-04-28 13:45 32 --a------ C:\WINDOWS\system32\1362599455.dat
2008-04-28 13:31 . 2008-04-28 14:15 <DIR> d-------- C:\HJT
2008-04-28 08:25 . 2008-04-28 08:24 37,888 -r-hs---- C:\WINDOWS\system32\actskn43p.exe
2008-04-27 22:16 . 2008-04-27 22:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-27 22:13 . 2008-04-27 22:44 <DIR> d-------- C:\SDFix
2008-04-27 22:03 . 2008-04-27 22:57 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-27 21:46 . 2008-04-27 21:51 <DIR> d-------- C:\fixwareout
2008-04-26 22:17 . 2008-04-26 22:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 22:17 . 2008-04-26 22:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-26 09:12 . 2008-04-26 09:12 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\Malwarebytes
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Panda Security
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\sal\Application Data\TmpRecentIcons
2008-04-25 21:32 . 2008-04-25 21:32 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Talkback
2008-04-25 20:29 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-04-24 14:45 . 2008-04-24 14:45 10 --a------ C:\WINDOWS\wintst32.tmp
2008-04-24 09:29 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Symantec
2008-04-24 09:29 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Jasc Software Inc
2008-04-24 09:29 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Intel
2008-04-24 09:29 . 2008-04-24 11:28 <DIR> d-------- C:\Documents and Settings\sal
2008-04-24 09:29 . 2008-04-28 13:44 1,024 --ah----- C:\Documents and Settings\sal\ntuser.dat.LOG
2008-04-22 09:32 . 2008-04-22 09:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eAcceleration
2008-04-21 16:46 . 2008-04-21 16:46 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\TmpRecentIcons
2008-04-21 15:17 . 2008-04-21 15:17 577,536 --a------ C:\WINDOWS\system32\user32.dll
2008-04-21 12:23 . 2008-04-26 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-16 13:02 . 2008-03-10 20:14 100,696 --a------ C:\WINDOWS\system32\drivers\fwcore.sys
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\Acceleration Software
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\eAcceleration
2008-04-16 12:52 . 2008-04-16 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eAcceleration
2008-04-16 12:51 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\eAcceleration
2008-04-16 12:51 . 2008-04-16 14:20 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2008-04-09 21:07 . 2008-03-01 08:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-09 21:07 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-09 21:07 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-09 21:07 . 2008-03-01 08:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-09 21:07 . 2008-03-01 08:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-09 21:07 . 2008-03-01 08:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-09 21:07 . 2008-03-01 08:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-09 21:07 . 2008-03-01 08:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-09 21:07 . 2008-02-22 05:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-08 19:26 . 2008-04-21 08:45 <DIR> d-------- C:\Documents and Settings\cs\Application Data\eAcceleration
2008-04-08 18:37 . 2008-04-08 18:37 <DIR> d-------- C:\Registry Mechanic 5
2008-04-08 18:35 . 2008-04-08 18:37 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\U3
2008-04-08 09:28 . 2008-04-08 09:28 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\SUPERAntiSpyware.com
2008-04-07 20:36 . 2008-04-07 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 20:33 . 2008-04-07 20:33 <DIR> d-------- C:\Documents and Settings\cs\Application Data\SUPERAntiSpyware.com
2008-04-07 20:19 . 2008-04-07 20:19 <DIR> d-------- C:\Documents and Settings\cs\Application Data\Grisoft
2008-04-07 18:12 . 2008-04-07 18:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 18:09 . 2008-04-07 18:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-07 18:06 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 18:06 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-04-07 18:06 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-07 18:06 . 2008-04-25 12:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-07 18:06 . 2008-04-07 20:08 786,432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.rmbak
2008-04-07 18:06 . 2008-04-27 23:05 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-07 17:27 . 2008-04-07 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 17:06 . 2008-04-05 17:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-05 17:00 . 2008-04-05 17:18 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\.housecall6.6
2008-04-05 10:58 . 2008-04-08 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-05 10:32 . 2008-04-05 10:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-05 10:32 . 2008-04-05 10:33 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\AVG7
2008-04-05 10:31 . 2008-04-26 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-05 10:06 . 2008-04-28 08:43 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-05 09:51 . 2008-04-27 21:49 28,160 --a------ C:\WINDOWS\system32\clbdll.old
2008-04-05 09:51 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 15:09 --------- d-----w C:\Program Files\FriendBlasterPro
2008-04-26 15:46 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-21 20:17 577,536 ----a-w C:\WINDOWS\system32\dllcache\user32.dll
2008-04-16 04:27 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\AdobeUM
2008-04-16 03:38 --------- d-----w C:\Program Files\Java
2008-04-08 21:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 21:00 --------- d-----w C:\Program Files\Dell
2008-04-08 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-08 14:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 14:19 --------- d-----w C:\Program Files\Bonjour
2008-04-08 14:10 --------- d-----w C:\Program Files\MySpace
2008-04-02 20:28 --------- d-----w C:\Documents and Settings\cs\Application Data\Symantec
2008-03-20 21:20 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\LimeWire
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-16 02:47 --------- d-----w C:\Program Files\Netflix
2008-03-13 19:33 --------- d-----w C:\Program Files\Dl_cats
2008-03-01 23:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 09:32 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-02-16 09:32 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-02-16 09:32 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-02-16 09:32 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2008-02-16 09:32 1,024,000 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-01 09:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2008-01-29 04:06 13 ---h--w C:\Documents and Settings\All Users\Application Data\ys.sys
2006-04-14 04:13 8 ----a-w C:\Documents and Settings\Erin and Charlie\Application Data\usb.dat.bin
2006-07-17 03:52 56 --sh--r C:\WINDOWS\system32\6C8C8E3348.sys
2006-07-17 03:52 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 10:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\dllcache\user32.dll

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-04 05:00 506368 20f8e68d0b7689804b92ce746277f57f C:\WINDOWS\system32\winlogon.exe

2007-06-13 05:23 1035776 b59f5f910bab2cbd69527f11c6997a1a C:\WINDOWS\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((( [email protected]_23.23.19.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2004-08-04 10:00:00 110,080 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-04 10:00:00 501,248 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
- 2008-04-28 04:14:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-28 18:44:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-08-04 10:00:00 10,752 ----a-w C:\WINDOWS\system32\clb.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll
- 2008-04-28 04:14:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-28 13:41:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-28 04:14:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-28 13:41:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-28 04:14:16 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-28 13:41:30 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 19:39 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41 69632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-23 16:05 180269]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"RegistryMechanic"="" []
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [2008-03-24 18:10 173392]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [2007-12-10 21:13 152976]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-12-19 14:50 140696]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [2007-12-19 21:20 771504]
"StopSignSsFwMon"="C:\Program Files\eAcceleration\Firewall\ssfwmon.dll" [2008-03-05 15:41 222544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-08-06 04:08:57 156784]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kRnvR"= {E8B12EF5-421B-845F-A444-6EFABDEE9A4C} - C:\WINDOWS\system32\vk.dll [2007-04-16 10:52 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\FriendBlasterPro\\FriendBlasterPro.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8925:TCP"= 8925:TCP:BitComet 8925 TCP
"8925:UDP"= 8925:UDP:BitComet 8925 UDP

R0 fwcore;Fwcore Filter;C:\WINDOWS\system32\drivers\fwcore.sys [2008-03-10 20:14]
R2 eac_notifysvc;eAcceleration Notification Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe" [2008-03-24 18:46]
R2 eac_productsvc;eAcceleration Product Manager Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" [2008-03-24 18:46]
R2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe [2008-03-10 20:14]
R2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe" [2007-11-06 18:04]
S2 wzcsvcrasauto;Wireless Zero Configuration WZCSVCRasAuto;C:\WINDOWS\system32\6C8C8E3348v.exe []
S2 xmlprovose;Network Provisioning Service xmlprovose;C:\WINDOWS\system32\actskn43p.exe [2008-04-28 08:24]
S3 EraserUtilDrv10501;EraserUtilDrv10501;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10501.sys []
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-01-11 03:30]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-01-11 03:30]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-01-11 03:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 22:01:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 17:02:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-28 17:05:40
ComboFix-quarantined-files.txt 2008-04-28 22:05:26
ComboFix2.txt 2008-04-28 18:53:24
ComboFix3.txt 2008-04-28 04:24:27

Pre-Run: 37,023,358,976 bytes free
Post-Run: 37,042,180,096 bytes free

266 --- E O F --- 2008-04-16 03:22:17


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:41 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = I
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ˆ
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = úp’w
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\RunOnce: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://intranet.ntc.edu/qp2.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_9.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O21 - SSODL: kRnvR - {E8B12EF5-421B-845F-A444-6EFABDEE9A4C} - C:\WINDOWS\system32\vk.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FWService - eAcceleration Corp - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Wireless Zero Configuration WZCSVCRasAuto (wzcsvcrasauto) - Unknown owner - C:\WINDOWS\system32\6C8C8E3348v.exe (file missing)
O23 - Service: Network Provisioning Service xmlprovose (xmlprovose) - Unknown owner - C:\WINDOWS\system32\actskn43p.exe

--
End of file - 12433 bytes
  • 0

#13
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi CharlieSal7,

How are things running now, are you having any problems?


Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = I
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ˆ
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = úp’w
O23 - Service: Network Provisioning Service xmlprovose (xmlprovose) - Unknown owner - C:\WINDOWS\system32\actskn43p.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


===============================================


Combofix Script.txt

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Erin and Charlie\.exe
C:\WINDOWS\system32\1362599455.dat
C:\WINDOWS\system32\actskn43p.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================

ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Kaspersky WebScanner
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
===============================================

Needed in you next reply:

"C:\ComboFix.txt"
Kaspersky WebScanner results
new HijackThis log

Also let me know how every thing is running :)


*Note* you may have to post the results in more then one post.
  • 0

#14
CharlieSal7

CharlieSal7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here are the reports. Sorry, the format of the Kaspersky file is weird because I forgot to save it as a txt file and accidently saved it as an IE file. I hope it will do. Thanks again

ComboFix 08-04-26.5 - Erin and Charlie 2008-04-29 12:14:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.217 [GMT -5:00]
Running from: C:\Documents and Settings\Erin and Charlie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Erin and Charlie\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Erin and Charlie\.exe
C:\WINDOWS\system32\1362599455.dat
C:\WINDOWS\system32\actskn43p.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Erin and Charlie\.exe
C:\WINDOWS\system32\1362599455.dat
C:\WINDOWS\system32\actskn43p.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_xmlprovose
-------\Service_xmlprovose


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-28 13:31 . 2008-04-29 12:08 <DIR> d-------- C:\HJT
2008-04-27 22:16 . 2008-04-27 22:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-27 22:13 . 2008-04-27 22:44 <DIR> d-------- C:\SDFix
2008-04-27 22:03 . 2008-04-27 22:57 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-04-27 21:46 . 2008-04-27 21:51 <DIR> d-------- C:\fixwareout
2008-04-26 22:17 . 2008-04-26 22:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-26 22:17 . 2008-04-26 22:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-26 09:12 . 2008-04-26 09:12 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\Malwarebytes
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 09:11 . 2008-04-26 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Panda Security
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 22:04 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\sal\Application Data\TmpRecentIcons
2008-04-25 21:32 . 2008-04-25 21:32 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Talkback
2008-04-25 20:29 . 2008-04-25 22:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-04-24 14:45 . 2008-04-24 14:45 10 --a------ C:\WINDOWS\wintst32.tmp
2008-04-24 09:29 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Symantec
2008-04-24 09:29 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Jasc Software Inc
2008-04-24 09:29 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\sal\Application Data\Intel
2008-04-24 09:29 . 2008-04-24 11:28 <DIR> d-------- C:\Documents and Settings\sal
2008-04-24 09:29 . 2008-04-29 12:20 1,024 --ah----- C:\Documents and Settings\sal\ntuser.dat.LOG
2008-04-22 09:32 . 2008-04-22 09:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eAcceleration
2008-04-21 16:46 . 2008-04-21 16:46 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\TmpRecentIcons
2008-04-21 15:17 . 2008-04-21 15:17 577,536 --a------ C:\WINDOWS\system32\user32.dll
2008-04-21 12:23 . 2008-04-26 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-16 13:02 . 2008-03-10 20:14 100,696 --a------ C:\WINDOWS\system32\drivers\fwcore.sys
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\Acceleration Software
2008-04-16 13:01 . 2008-04-16 13:02 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\eAcceleration
2008-04-16 12:52 . 2008-04-16 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\eAcceleration
2008-04-16 12:51 . 2008-04-16 13:02 <DIR> d-------- C:\Program Files\eAcceleration
2008-04-16 12:51 . 2008-04-16 14:20 <DIR> d-------- C:\Program Files\Common Files\eAcceleration
2008-04-09 21:07 . 2008-03-01 08:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-09 21:07 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-09 21:07 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-09 21:07 . 2008-03-01 08:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-09 21:07 . 2008-03-01 08:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-09 21:07 . 2008-03-01 08:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-09 21:07 . 2008-03-01 08:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-09 21:07 . 2008-03-01 08:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-09 21:07 . 2008-02-22 05:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-08 19:26 . 2008-04-21 08:45 <DIR> d-------- C:\Documents and Settings\cs\Application Data\eAcceleration
2008-04-08 18:37 . 2008-04-08 18:37 <DIR> d-------- C:\Registry Mechanic 5
2008-04-08 18:35 . 2008-04-08 18:37 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\U3
2008-04-08 09:28 . 2008-04-08 09:28 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\SUPERAntiSpyware.com
2008-04-07 20:36 . 2008-04-07 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 20:33 . 2008-04-07 20:33 <DIR> d-------- C:\Documents and Settings\cs\Application Data\SUPERAntiSpyware.com
2008-04-07 20:19 . 2008-04-07 20:19 <DIR> d-------- C:\Documents and Settings\cs\Application Data\Grisoft
2008-04-07 18:12 . 2008-04-07 18:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 18:09 . 2008-04-07 18:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-07 18:06 . 2005-08-06 04:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 18:06 . 2005-08-06 04:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-04-07 18:06 . 2005-08-06 03:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-07 18:06 . 2008-04-25 12:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-07 18:06 . 2008-04-07 20:08 786,432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.rmbak
2008-04-07 18:06 . 2008-04-27 23:05 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-07 17:27 . 2008-04-07 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 17:06 . 2008-04-05 17:05 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-05 17:00 . 2008-04-05 17:18 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\.housecall6.6
2008-04-05 10:58 . 2008-04-08 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-05 10:32 . 2008-04-05 10:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-05 10:32 . 2008-04-05 10:33 <DIR> d-------- C:\Documents and Settings\Erin and Charlie\Application Data\AVG7
2008-04-05 10:31 . 2008-04-26 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-05 10:06 . 2008-04-28 08:43 1,695 --a------ C:\WINDOWS\system32\clbcfg.dat
2008-04-05 09:51 . 2008-04-27 21:49 28,160 --a------ C:\WINDOWS\system32\clbdll.old
2008-04-05 09:51 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 15:09 --------- d-----w C:\Program Files\FriendBlasterPro
2008-04-16 04:27 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\AdobeUM
2008-04-16 03:38 --------- d-----w C:\Program Files\Java
2008-04-08 21:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 21:00 --------- d-----w C:\Program Files\Dell
2008-04-08 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-08 14:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 14:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 14:19 --------- d-----w C:\Program Files\Bonjour
2008-04-08 14:10 --------- d-----w C:\Program Files\MySpace
2008-04-02 20:28 --------- d-----w C:\Documents and Settings\cs\Application Data\Symantec
2008-03-20 21:20 --------- d-----w C:\Documents and Settings\Erin and Charlie\Application Data\LimeWire
2008-03-16 02:47 --------- d-----w C:\Program Files\Netflix
2008-03-13 19:33 --------- d-----w C:\Program Files\Dl_cats
2008-01-29 04:06 13 ---h--w C:\Documents and Settings\All Users\Application Data\ys.sys
2006-04-14 04:13 8 ----a-w C:\Documents and Settings\Erin and Charlie\Application Data\usb.dat.bin
2006-07-17 03:52 56 --sh--r C:\WINDOWS\system32\6C8C8E3348.sys
2006-07-17 03:52 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 10:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\user32.dll
577,536 2008-04-21 20:17:39 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\user32.dll
2008-04-21 15:17 577536 187ae140e35e248524b9a80ce90cbee0 C:\WINDOWS\system32\dllcache\user32.dll

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 05:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 12:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_23.23.19.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2004-08-04 10:00:00 110,080 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-04 10:00:00 501,248 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
- 2008-04-28 04:14:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 17:20:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-08-04 10:00:00 10,752 ----a-w C:\WINDOWS\system32\clb.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll
- 2008-04-28 04:14:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-28 13:41:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-28 04:14:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-28 13:41:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-28 04:14:16 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-28 13:41:30 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 19:39 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36 290816]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 16:41 69632]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-23 16:05 180269]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"RegistryMechanic"="" []
"SoftwareStation"="C:\Program Files\eAcceleration\Station\station.exe" [2008-03-24 18:10 173392]
"StopSignSsTsMon"="C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll" [2007-12-10 21:13 152976]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-12-19 14:50 140696]
"webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" [2007-12-19 21:20 771504]
"StopSignSsFwMon"="C:\Program Files\eAcceleration\Firewall\ssfwmon.dll" [2008-03-05 15:41 222544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"StopSignSsSsMon"="C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll" [2007-12-19 14:50 140696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]
"InetChk"="C:\WINDOWS\TEMP\ms1209433846.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-08-06 04:08:57 156784]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kRnvR"= {E8B12EF5-421B-845F-A444-6EFABDEE9A4C} - C:\WINDOWS\system32\vk.dll [2007-04-16 10:52 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\FriendBlasterPro\\FriendBlasterPro.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8925:TCP"= 8925:TCP:BitComet 8925 TCP
"8925:UDP"= 8925:UDP:BitComet 8925 UDP

R0 fwcore;Fwcore Filter;C:\WINDOWS\system32\drivers\fwcore.sys [2008-03-10 20:14]
R2 eac_notifysvc;eAcceleration Notification Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe" [2008-03-24 18:46]
R2 eac_productsvc;eAcceleration Product Manager Service;"C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe" [2008-03-24 18:46]
R2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe [2008-03-10 20:14]
R2 OpenCASE Media Agent;OpenCASE Media Agent;"C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe" [2007-11-06 18:04]
S2 wzcsvcrasauto;Wireless Zero Configuration WZCSVCRasAuto;C:\WINDOWS\system32\6C8C8E3348v.exe []
S3 EraserUtilDrv10501;EraserUtilDrv10501;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10501.sys []
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-01-11 03:30]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-01-11 03:30]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-01-11 03:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-29 17:31:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 12:30:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-04-29 12:36:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 17:35:54
ComboFix2.txt 2008-04-28 22:05:41
ComboFix3.txt 2008-04-28 18:53:24
ComboFix4.txt 2008-04-28 04:24:27

Pre-Run: 36,922,634,240 bytes free
Post-Run: 37,003,046,912 bytes free

274 --- E O F --- 2008-04-16 03:22:17



Tuesday, April 29, 2008 7:43:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 731399


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 106859
Number of viruses found 24
Number of infected objects 45
Number of suspicious objects 0
Duration of the scan process 03:12:42

Infected Object Name Virus Name Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped

C:\Documents and Settings\All Users\Application Data\eAcceleration\Notifications\notify.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.92485/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.92485 NSIS: infected - 1 skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Mozilla\Profiles\default\jrkusymc.slt\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Mozilla\Profiles\default\jrkusymc.slt\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Mozilla\Profiles\default\jrkusymc.slt\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Mozilla\Profiles\default\jrkusymc.slt\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Mozilla\Profiles\default\jrkusymc.slt\cert8.db Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Mozilla\Profiles\default\jrkusymc.slt\history.dat Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Mozilla\Profiles\default\jrkusymc.slt\key3.db Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Application Data\Mozilla\Profiles\default\jrkusymc.slt\parent.lock Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Erin and Charlie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Erin and Charlie\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Erin and Charlie\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\eAcceleration\Firewall\filter.bdb Object is locked skipped

C:\Program Files\eAcceleration\Firewall\filter.log Object is locked skipped

C:\Program Files\OpenCASE\OpenCASE Media Agent\logs\csm.log Object is locked skipped

C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\pfxiegft\urilwlob.exe.vir Infected: Trojan.Win32.Obfuscated.gx skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\cc.ln.vir Infected: Trojan-Spy.Win32.Agent.cad skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\clbdll.dll.vir Infected: Trojan-Downloader.Win32.Small.uzg skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\lght.ln.vir Infected: Trojan-Spy.Win32.Agent.cad skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\msnf.ln.vir Infected: Trojan-Spy.Win32.Agent.cad skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\pryx.ln.vir Infected: Trojan-Spy.Win32.Agent.cad skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\sbmf.ln.vir Infected: Trojan-Spy.Win32.Agent.cad skipped

C:\QooBox\Quarantine\C\WINDOWS\TSKS~1\cmd.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg skipped

C:\QooBox\Quarantine\C\WINDOWS\ufmfapcd.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped

C:\QooBox\Quarantine\catchme2008-04-28_134207.10.zip/clbdriver.sys Infected: Rootkit.Win32.Agent.ahe skipped

C:\QooBox\Quarantine\catchme2008-04-28_134207.10.zip/aaaamonf.exe Infected: Backdoor.Win32.IRCBot.cqq skipped

C:\QooBox\Quarantine\catchme2008-04-28_134207.10.zip ZIP: infected - 2 skipped

C:\SDFix\backups\backups.zip/backups/def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c skipped

C:\SDFix\backups\backups.zip/backups/default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped

C:\SDFix\backups\backups.zip ZIP: infected - 2 skipped

C:\SDFix\backups\catchme.zip/fkjdfje.sys Infected: Rootkit.Win32.Agent.aje skipped

C:\SDFix\backups\catchme.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP410\A0045539.old Infected: Trojan-Downloader.Win32.Small.ujm skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP415\A0048754.exe Infected: Trojan-Downloader.Win32.Small.uww skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP415\A0048786.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP415\A0048791.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP415\A0048792.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP415\A0048793.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0052938.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qom skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053147.exe Infected: Trojan.Win32.Agent.epf skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053149.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.zr skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053182.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053182.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP416\A0053185.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0053397.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0053424.exe Infected: Trojan-Clicker.Win32.Small.pe skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0053430.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP417\A0054669.old Infected: Trojan-Downloader.Win32.Small.ulq skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP418\A0054731.exe Infected: Trojan-Downloader.Win32.Agent.kwg skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP418\A0054870.exe Infected: Rootkit.Win32.Agent.aje skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP419\A0054939.exe Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP419\A0055068.dll Infected: Trojan.Win32.Obfuscated.gx skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP420\A0055143.dll Infected: Trojan-Downloader.Win32.Small.uzg skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP421\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallKB926239$\apphelp.sdb Object is locked skipped

C:\WINDOWS\$NtUninstallKB926239$\apph_sp.sdb Object is locked skipped

C:\WINDOWS\$NtUninstallKB926239$\sysmain.sdb Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\audiodev.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\blackbox.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\cewmdm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\drmv2clt.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\laprxy.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\logagent.exe Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\mp43dmod.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\mp4sdmod.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\mpg4dmod.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\msnetobj.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\mspmsnsv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\mspmsp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\msscp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\mswmdm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\qasf.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\uwdf.exe Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wdfapi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wdfmgr.exe Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmadmod.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmadmoe.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmasf.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmdmlog.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmdmps.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmdrmdev.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmdrmnet.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmidx.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmnetmgr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmsdmod.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmsdmoe2.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmsetsdk.exe Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmspdmod.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmspdmoe.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmvadvd.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmvadve.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmvcore.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmvdmod.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wmvdmoe2.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wpdconns.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wpdmtp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wpdmtp.inf Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wpdmtpus.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wpdsp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wpdusb.sys Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wpd_ci.dll Object is locked skipped

C:\WINDOWS\$NtUninstallWMFDist11$\wvc1dmod.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\asferror.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\l3codecp.acm Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\mpvis.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\setup_wm.exe Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\unregmp2.exe Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmerror.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmlaunch.exe Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmpasf.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmpband.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmpdxm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmpenc.exe Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmpencen.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmplayer.adm Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmplayer.exe Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmploc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmpshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallwmp11$\wmpsrcwp.dll Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\clbdll.old Infected: Trojan-Downloader.Win32.Agent.nua skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8L1YT9VJ\update[1].upd Infected: Trojan-Downloader.Win32.Small.uzg skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SHU70PYZ\update[1].upd Infected: Trojan-Downloader.Win32.Small.ulq skipped

C:\WINDOWS\system32\dllcache\user32.dll Infected: Trojan.Win32.Patched.bb skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\user32.dll Infected: Trojan.Win32.Patched.bb skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Amazon Digital Video\Servicelog.adv Object is locked skipped

C:\WINDOWS\Temp\~DFFACC.tmp Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#15
CharlieSal7

CharlieSal7

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
here is the Hijack this. The computer has been working perfect by the way. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:13 PM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\explorer.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\TEMP\ms1209516709.exe
C:\WINDOWS\TEMP\svchost.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
O4 - HKLM\..\Run: [StopSignSsSsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll",VerifyStatus
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1209516709.exe work (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://intranet.ntc.edu/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_9.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.1.6.cab
O21 - SSODL: kRnvR - {E8B12EF5-421B-845F-A444-6EFABDEE9A4C} - C:\WINDOWS\system32\vk.dll
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FWService - eAcceleration Corp - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Wireless Zero Configuration WZCSVCRasAuto (wzcsvcrasauto) - Unknown owner - C:\WINDOWS\system32\6C8C8E3348v.exe (file missing)

--
End of file - 12112 bytes
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP