
Malware removal help please...



#1 Mr. Adamant (New Member, 3 posts)

I was hit with a pretty bad one... I got hit with Outerinfo; though I have removed most of it, it still might be lingering. Also, I had one take over my Task Manager and Registry Editor. I solved both of those issues, but it is still putting ads on my screen and causing my computer to slow down. Also, it is playing ads and weird music through my speakers every once in a while. Thank you in advance for any help.

Here is my HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:33 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
O21 - SSODL: AlrtDrive - {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe
O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2140 bytes

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello Mr. Adamant,

Welcome to G2Go. :)
=====================
The first thing I will need you to do is to download this anti-virus program and install it:
AVG Free 8.0
Note that this is free antispyware protection and antivirus protection, so there is no need for anything else.
=================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 Mr. Adamant (Topic Starter, New Member, 3 posts)
Thanks buddy... I installed and updated AVG and ran the DSS program, and this is what it came up with...

Deckard's System Scanner v20071014.68
Run by Aaron on 2008-05-03 13:54:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
25: 2008-05-03 19:55:04 UTC - RP78 - Deckard's System Scanner Restore Point
24: 2008-05-03 19:40:27 UTC - RP77 - Installed AVG Free 8.0
23: 2008-05-03 16:55:58 UTC - RP76 - System Checkpoint
22: 2008-05-02 03:32:36 UTC - RP75 - Removed Google Toolbar for Internet Explorer
21: 2008-05-02 03:25:37 UTC - RP74 - Removed Microsoft SQL Server Desktop Engine


-- First Restore Point --
1: 2008-04-21 22:48:17 UTC - RP54 - Installed DirectX


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Aaron.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:06 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Aaron\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Aaron.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {c5af49a2-94f3-42bd-f434-2604812c897d} - (no file)
O2 - BHO: {b8789d93-91bf-8a68-cc44-94f614bdb9ad} - {da9bdb41-6f49-44cc-86a8-fb1939d9878b} - C:\WINDOWS\system32\glnwatti.dll
O2 - BHO: (no name) - {eec73ea5-1367-49d1-93f4-ca1d8c22e9f9} - C:\WINDOWS\system32\awtUKCVO.dll (file missing)
O2 - BHO: (no name) - {f9a273c1-161e-4cc3-941d-11ce5fdf49fa} - C:\WINDOWS\system32\ljJYRHaY.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\xxqtlagr.dll",s
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: awtUKCVO - awtUKCVO.dll (file missing)
O21 - SSODL: AlrtDrive - {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll (file missing)
O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll (file missing)
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe (file missing)
O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3330 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080501-183442-479 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20080501-183442-914 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
backup-20080501-183500-143 O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
backup-20080501-183500-560 O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
backup-20080501-183500-615 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
backup-20080501-183500-792 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
backup-20080501-183500-805 O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\arvojqst.dll",s
backup-20080501-183500-812 O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
backup-20080501-183500-944 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
backup-20080501-183500-978 O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
backup-20080501-183525-128 O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Aaron\LOCALS~1\Temp\winlogan.exe
backup-20080501-183525-135 O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
backup-20080501-183525-221 O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
backup-20080501-183525-252 O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
backup-20080501-183525-279 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
backup-20080501-183525-284 O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Aaron\Application Data\WinTouch\WinTouch.exe
backup-20080501-183525-318 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080501-183525-322 O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\arvojqst.dll",s
backup-20080501-183525-346 O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Aaron\Application Data\Microsoft\Windows\sbkqyvh.exe
backup-20080501-183525-442 O4 - Startup: PowerReg Scheduler V3.exe
backup-20080501-183525-521 O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
backup-20080501-183525-549 O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Aaron\LOCALS~1\Temp\csrssc.exe
backup-20080501-183525-564 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080501-183525-567 O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
backup-20080501-183525-630 O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
backup-20080501-183525-681 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD325762E901F09DDF7618419154310B87659CA5E04E4F70C46E0F2CBC10E6C1863C477ACE
backup-20080501-183525-745 O4 - HKLM\..\Run: [msvtt] C:\WINDOWS\system32\flciijjq.exe
backup-20080501-183525-762 O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Aaron\LOCALS~1\Temp\winlogan.exe
backup-20080501-183525-824 O4 - HKLM\..\Run: [4c7f0c9d] rundll32.exe "C:\WINDOWS\system32\mhtrbbgd.dll",b
backup-20080501-183525-865 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080501-183525-926 O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20080501-183525-998 O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
backup-20080501-183526-432 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080501-183526-737 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080501-183527-194 O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
backup-20080501-183527-215 O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
backup-20080501-183527-226 O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
backup-20080501-183527-821 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
backup-20080501-183527-840 O15 - Trusted Zone: http://click.getmirar.com (HKLM)
backup-20080501-183529-826 O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
backup-20080501-183530-385 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
backup-20080501-183556-144 O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
backup-20080501-183556-478 O21 - SSODL: AlrtDrive - {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll
backup-20080501-183556-618 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
backup-20080501-183556-894 O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\arvojqst.dll",s
backup-20080501-183556-914 O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
backup-20080501-183557-318 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080501-183557-611 O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
backup-20080501-183557-631 O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
backup-20080501-183557-775 O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
backup-20080501-183557-882 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080501-183557-936 O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe
backup-20080501-183557-937 O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20080501-183615-322 O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\arvojqst.dll",s
backup-20080501-183615-368 O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
backup-20080501-183615-950 O21 - SSODL: AlrtDrive - {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll
backup-20080501-183616-159 O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
backup-20080501-183616-218 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080501-183616-621 O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe
backup-20080501-183616-635 O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20080501-183616-880 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080501-183616-903 O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
backup-20080501-183628-149 O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\arvojqst.dll",s
backup-20080501-183628-211 O21 - SSODL: AlrtDrive - {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll
backup-20080501-183628-579 O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
backup-20080501-183629-111 O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
backup-20080501-183629-389 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080501-183629-686 O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
backup-20080501-183629-750 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080501-183629-829 O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe
backup-20080501-183629-895 O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20080501-190052-180 O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
backup-20080501-190100-580 O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
backup-20080501-190109-477 O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
backup-20080501-190121-320 O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\arvojqst.dll",s
backup-20080501-190128-143 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080501-190128-965 O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe
backup-20080501-202344-699 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
backup-20080501-202410-435 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
backup-20080501-212736-618 O21 - SSODL: AlrtDrive - {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll
backup-20080501-212736-675 O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\arvojqst.dll",s
backup-20080501-212737-363 O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
backup-20080501-212738-288 O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe
backup-20080501-212738-441 O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
backup-20080501-212738-704 O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20080501-212738-822 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
backup-20080501-212738-950 O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
backup-20080501-212738-957 O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
backup-20080501-212738-999 O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
backup-20080503-114151-357 O4 - HKLM\..\Run: [4c7f0c9d] rundll32.exe "C:\WINDOWS\system32\hmushqct.dll",b
backup-20080503-114151-828 O21 - SSODL: AlrtDrive - {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll
backup-20080503-114151-832 O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\xxqtlagr.dll",s
backup-20080503-114151-884 O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
backup-20080503-114152-417 O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
backup-20080503-114152-545 O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe
backup-20080503-114152-663 O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20080503-114152-677 O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
backup-20080503-114152-876 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
backup-20080503-114240-121 O21 - SSODL: zip - {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
backup-20080503-114240-337 O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
backup-20080503-114240-472 O21 - SSODL: AlrtDrive - {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll
backup-20080503-114240-611 O4 - HKLM\..\Run: [BM4f4c3f01] Rundll32.exe "C:\WINDOWS\system32\xxqtlagr.dll",s
backup-20080503-114240-634 O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
backup-20080503-114240-761 O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\QWFyb24gQW5kZXJzb24\command.exe
backup-20080503-114240-840 O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20080503-114240-969 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 gtndis5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 WINIO - f:\winio.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" (file missing)
S2 cmdservice (Command Service) - c:\windows\qwfyb24gqw5kzxjzb24\command.exe (file missing)
S2 network monitor - c:\program files\network monitor\netmon.exe service (file missing)
S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01321028&REV_01\3&267A616A&0&EF
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01321028&REV_01\3&267A616A&0&EF
Service:


-- Files created between 2008-04-03 and 2008-05-03 -----------------------------

2008-05-03 13:47:38 0 d--h----- C:\$AVG8.VAULT$
2008-05-03 13:40:55 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-03 13:40:55 0 d-------- C:\Documents and Settings\Aaron\Application Data\AVGTOOLBAR
2008-05-03 13:40:32 0 d-------- C:\Program Files\AVG
2008-05-03 13:40:31 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-02 19:45:17 0 d-------- C:\Program Files\Screenshot Utility
2008-05-02 18:46:31 105536 --a------ C:\WINDOWS\system32\glnwatti.dll
2008-05-02 18:46:20 105536 --a------ C:\WINDOWS\system32\xxqtlagr.dll
2008-05-01 18:34:38 96320 --a------ C:\WINDOWS\system32\mhtrbbgd.dll
2008-05-01 18:33:41 107072 --a------ C:\WINDOWS\system32\uhgaedtd.dll
2008-05-01 18:33:25 107072 --a------ C:\WINDOWS\system32\arvojqst.dll
2008-04-29 16:32:33 107072 --a------ C:\WINDOWS\system32\vmqwiynu.dll
2008-04-29 16:29:43 104512 --a------ C:\WINDOWS\system32\khiqxgat.dll
2008-04-28 19:20:48 0 d-------- C:\Program Files\Panda Security
2008-04-28 15:35:36 0 d-------- C:\Program Files\Trend Micro
2008-04-28 15:33:23 108608 --a------ C:\WINDOWS\system32\fesbcomj.dll
2008-04-28 15:28:37 104000 --a------ C:\WINDOWS\system32\tkwljrkt.dll
2008-04-28 11:49:34 37376 -ra------ C:\WINDOWS\mrofinu1535.exe
2008-04-27 14:59:10 107072 --a------ C:\WINDOWS\system32\jnnppjmh.dll
2008-04-27 14:57:16 105024 --a------ C:\WINDOWS\system32\hjkhmrxa.dll
2008-04-26 18:50:09 107072 --a------ C:\WINDOWS\system32\fratsmpb.dll
2008-04-26 18:44:09 106048 --a------ C:\WINDOWS\system32\komcltou.dll
2008-04-25 18:48:29 107072 --a------ C:\WINDOWS\system32\qunmlcor.dll
2008-04-25 18:43:53 105536 --a------ C:\WINDOWS\system32\iiajjmfl.dll
2008-04-24 18:36:14 0 d-------- C:\WINDOWS\048298C9A4D3490B9FF9AB023A9238F3.TMP
2008-04-24 18:27:26 96320 --a------ C:\WINDOWS\system32\nklhgsor.dll
2008-04-24 15:44:20 73728 --a------ C:\WINDOWS\b156.exe
2008-04-23 15:48:21 93248 --a------ C:\WINDOWS\system32\ufurkcax.dll
2008-04-23 15:48:09 95808 --a------ C:\WINDOWS\system32\wfgfywcm.dll
2008-04-22 15:03:22 96832 --a------ C:\WINDOWS\system32\wovvbwrc.dll
2008-04-22 15:03:13 97856 --a------ C:\WINDOWS\system32\ynsnyduj.dll
2008-04-22 12:02:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-04-22 12:02:05 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-22 10:59:56 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-22 04:56:33 96832 --a------ C:\WINDOWS\system32\arqberhj.dll
2008-04-22 04:50:32 97856 --a------ C:\WINDOWS\system32\uwwpdxbf.dll
2008-04-21 20:44:30 127578 --a------ C:\WINDOWS\system32\tsuninst.exe
2008-04-21 20:44:30 0 d-------- C:\Program Files\Common Files\quwf
2008-04-21 17:29:36 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-04-21 17:29:19 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-04-21 17:29:13 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-04-21 17:29:13 0 d--hs---- C:\WINDOWS\QWFyb24gQW5kZXJzb24
2008-04-21 17:18:46 0 d-------- C:\Documents and Settings\Aaron\Application Data\WinTouch
2008-04-21 16:48:07 1790 --ahs---- C:\WINDOWS\system32\YaHRYJjl.ini2
2008-04-20 20:17:27 61952 --a------ C:\WINDOWS\system32\flciijjq.exe
2008-04-20 20:16:03 38400 --a------ C:\WINDOWS\system32\iifcATjG.dll
2008-04-20 20:16:01 184320 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-20 20:16:01 94208 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-20 20:16:00 212992 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-20 20:16:00 212992 --a------ C:\WINDOWS\qnmargolbve.dll
2008-04-20 20:15:59 81920 --a------ C:\WINDOWS\wxvgsdbq.exe
2008-04-20 20:15:59 155648 --a------ C:\WINDOWS\dpevflbg.dll
2008-04-20 20:15:56 16464 -r-hs---- C:\Program Files\tmp3.exe
2008-04-20 20:15:50 16464 -r-hs---- C:\Program Files\tmp2.exe
2008-04-20 20:15:45 16464 -r-hs---- C:\Program Files\tmp1.exe
2008-04-20 20:15:42 37376 --a------ C:\WINDOWS\system32\geBUkjhE.dll
2008-04-20 20:15:37 16464 -r-hs---- C:\Program Files\tmp0.exe
2008-04-20 20:15:34 10000 --a------ C:\WINDOWS\system32\jfiehayd.dll
2008-04-20 20:15:32 75696 --a------ C:\WINDOWS\njqzpir.sys
2008-04-20 13:22:11 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-20 07:54:10 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-04-20 07:51:31 0 d-------- C:\Program Files\MAXON
2008-04-20 07:34:27 0 d-------- C:\Cinema 4d
2008-04-19 15:58:25 428 --a------ C:\Documents and Settings\Aaron\scriptsOrganizer.dat
2008-04-19 15:45:22 0 d-------- C:\Documents and Settings\Aaron\.assistant
2008-04-19 15:20:02 0 d-------- C:\Documents and Settings\Aaron\scenes
2008-04-19 15:18:57 0 d-------- C:\Program Files\Next Limit
2008-04-17 22:06:24 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-04-17 22:05:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-17 21:55:13 0 d-------- C:\Program Files\7-Zip
2008-04-17 12:49:38 273408 --a------ C:\WINDOWS\b148.exe
2008-04-14 12:08:18 46592 --a------ C:\WINDOWS\b157.exe
2008-04-12 12:01:05 0 d-------- C:\Program Files\Steam
2008-04-11 08:48:26 11264 --a------ C:\WINDOWS\b138.exe
2008-04-10 22:10:13 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-10 22:10:12 60273 --a------ C:\WINDOWS\system32\pthreadGC2.dll <Not Verified; Open Source Software community project; >
2008-04-10 22:10:11 0 d-------- C:\Program Files\ffdshow
2008-04-10 01:30:54 0 d-------- C:\WINDOWS\Sun
2008-04-10 01:30:54 0 d-------- C:\Documents and Settings\Aaron\Application Data\Sun
2008-04-08 19:10:51 1 --a------ C:\WINDOWS\system32\rc.dat
2008-04-08 19:10:51 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-04-08 19:10:51 1 --a------ C:\WINDOWS\system32\cs.dat
2008-04-08 18:59:49 53760 --a------ C:\WINDOWS\system32\msindc.dll
2008-04-08 17:33:56 68096 --a------ C:\WINDOWS\b155.exe
2008-04-08 17:23:30 14 --a------ C:\WINDOWS\system32\SystemInfo32.sys
2008-04-03 19:06:44 0 d--hs---- C:\Program Files\outlook
2008-04-03 19:02:30 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-01 21:32:55 0 d-------- C:\Program Files\Google
2008-05-01 21:20:55 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-01 20:22:38 0 d-------- C:\Program Files\microsoft frontpage
2008-04-24 21:29:31 0 d-------- C:\Documents and Settings\Aaron\Application Data\MSN6
2008-04-24 19:36:38 0 d-------- C:\Program Files\HyCam2
2008-04-24 19:24:29 0 d-------- C:\Program Files\Common Files
2008-04-22 04:01:39 0 d-------- C:\Program Files\Vstplugins
2008-04-21 18:00:35 0 d-------- C:\Documents and Settings\Aaron\Application Data\LimeWire
2008-04-16 18:28:25 0 d-------- C:\Documents and Settings\Aaron\Application Data\Adobe
2008-04-14 16:08:47 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-08 20:04:51 0 d--hs---- C:\Program Files\winupdates
2008-04-08 17:18:48 2 --ahs---- C:\WINDOWS\system32\tracert.com
2008-04-08 17:18:48 2 --ahs---- C:\WINDOWS\system32\tasklist.com
2008-04-08 17:18:48 2 --ahs---- C:\WINDOWS\system32\taskkill.com
2008-04-08 17:18:48 2 --ahs---- C:\WINDOWS\system32\regedit.com
2008-04-08 17:18:48 2 --ahs---- C:\WINDOWS\system32\ping.com
2008-04-08 17:18:48 2 --ahs---- C:\WINDOWS\system32\cmd.com
2008-04-08 17:18:47 2 --ahs---- C:\WINDOWS\system32\netstat.com
2008-04-02 16:52:11 0 d-------- C:\Documents and Settings\Aaron\Application Data\Macromedia
2008-03-31 17:41:25 0 d-------- C:\Documents and Settings\Aaron\Application Data\Publish Providers
2008-03-31 17:41:25 0 d-------- C:\Documents and Settings\Aaron\Application Data\NetMedia Providers
2008-03-31 17:41:21 0 d-------- C:\Documents and Settings\Aaron\Application Data\Sony
2008-03-31 17:01:18 0 d-------- C:\Program Files\Sony Setup
2008-03-31 16:31:04 90112 --a------ C:\WINDOWS\system32\service.exe <Not Verified; M i r a r; M i r a r ErrorDnsTest>
2008-03-30 17:59:21 0 d-------- C:\Documents and Settings\Aaron\Application Data\Synthesia
2008-03-22 09:43:33 62464 --a------ C:\WINDOWS\system32\bszip.dll <Not Verified; BigSpeedSoft; BigSpeed Zip DLL>
2008-03-21 13:19:39 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-21 12:12:42 0 d-------- C:\Documents and Settings\Aaron\Application Data\Google
2008-03-21 11:19:53 0 d-------- C:\Program Files\Java
2008-03-21 11:16:45 0 d-------- C:\Program Files\Common Files\Java
2008-03-20 20:52:13 0 d-------- C:\Program Files\Common Files\Macromedia Shared
2008-03-20 20:50:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-04 13:32:27 105984 --a------ C:\WINDOWS\b152.exe
2008-02-14 17:50:57 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-02-14 17:50:57 126976 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-02-09 18:13:06 4024 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-03 17:33:28 0 -rahs---- C:\MSDOS.SYS
2008-02-03 17:33:28 0 -rahs---- C:\IO.SYS
2008-02-03 17:33:28 0 --a------ C:\CONFIG.SYS
2008-02-03 17:33:28 0 --a------ C:\AUTOEXEC.BAT
2008-02-03 17:30:39 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-03 10:16:21 62 --ahs---- C:\Documents and Settings\Aaron\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a057a204-bacc-4d26-9990-79a187e2698e}]
05/03/2008 01:40 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da9bdb41-6f49-44cc-86a8-fb1939d9878b}]
05/02/2008 06:46 PM 105536 --a------ C:\WINDOWS\system32\glnwatti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eec73ea5-1367-49d1-93f4-ca1d8c22e9f9}]
C:\WINDOWS\system32\awtUKCVO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f9a273c1-161e-4cc3-941d-11ce5fdf49fa}]
C:\WINDOWS\system32\ljJYRHaY.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [12/20/2007 06:14 PM 385024]

[-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/03/2008 01:40 PM]
"BM4f4c3f01"="C:\WINDOWS\system32\xxqtlagr.dll" [05/02/2008 06:46 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9}"= C:\WINDOWS\system32\awtUKCVO.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AlrtDrive"= {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll [ ]
"zip"= {18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8} - C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtUKCVO]
awtUKCVO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJYRHaY

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-05-03 14:04:35 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 766.8 MiB / 456.93 MiB
Pagefile Memory (total/avail): 1492.16 MiB / 1274.65 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.21 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 15 GiB free.
D: is Fixed (FAT32) - 15.6 GiB total, 6.67 GiB free.
E: is Fixed (FAT32) - 21.63 GiB total, 10.74 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - IC35L040AVVA07-0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD400JB-00ENA0 - 37.27 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 15.63 GiB - D:
\PARTITION1 - Extended w/Extended Int 13 - 21.64 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\\LimeWire\\LimeWire.exe"="E:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"H:\\x-win32\\xwin32.exe"="H:\\x-win32\\xwin32.exe:*:Enabled:X-Win32 Flash PC X Server"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Aaron\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AARON-Q57E21EXZ
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Aaron
LOGONSERVER=\\AARON-Q57E21EXZ
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Next Limit\RealFlow4\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
RF4PATH=C:\Program Files\Next Limit\RealFlow4\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Aaron\LOCALS~1\Temp
TMP=C:\DOCUME~1\Aaron\LOCALS~1\Temp
USERDOMAIN=AARON-Q57E21EXZ
USERNAME=Aaron
USERPROFILE=C:\Documents and Settings\Aaron
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

admin (admin)
Aaron (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash CS3 Professional --> C:\Program Files\Common Files\Adobe\Installers\c3c7fe8b09d497ab2b3fd91c9353390\Setup.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 2.1 --> MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop Elements 5.0 --> msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup --> MsiExec.exe /I{FFC1ADE3-944B-4231-894E-3903C37271D2}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CINEMA 4D Release 10 --> C:\WINDOWS\unvise32.exe C:\Program Files\MAXON\CINEMA 4D R10\uninstal_C4D.log
Command --> wscript "C:\WINDOWS\QWFyb24gQW5kZXJzb24\kqIVvZb0kqc4trLWvZb.vbs"
ffdshow [rev 1928] [2008-04-10] --> "C:\Program Files\ffdshow\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HyperCam 2 --> "C:\Program Files\HyCam2\UnHyCam2.exe"
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LCP 5.04 --> MsiExec.exe /I{1EFAF492-9A3B-48C3-9349-234B146FDA46}
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mirar --> mshta.exe http://remove.getmirar.com/
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
RealFlow --> MsiExec.exe /I{A1BBC33D-F769-426E-9F83-0F63AD07BB58}
Screenshot Utility version 1.0 --> "C:\Program Files\Screenshot Utility\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Synthesia (remove only) --> "C:\Program Files\Synthesia\uninstall.exe"
WinTouch --> C:\Documents and Settings\Aaron\Application Data\WinTouch\WTUninstaller.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1219 / Success
Event Submitted/Written: 05/03/2008 01:45:38 PM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type1214 / Success
Event Submitted/Written: 05/03/2008 11:39:38 AM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type1211 / Success
Event Submitted/Written: 05/03/2008 10:40:56 AM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type1208 / Success
Event Submitted/Written: 05/02/2008 08:18:51 PM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type1206 / Success
Event Submitted/Written: 05/02/2008 06:44:45 PM
Event ID/Source: 2570 / Adobe Active File Monitor 5.0
Event Description:
Adobe Active File Monitor Service has Started.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8382 / Error
Event Submitted/Written: 05/03/2008 01:47:09 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The network monitor service failed to start due to the following error:
%%2

Event Record #/Type8381 / Error
Event Submitted/Written: 05/03/2008 01:47:08 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service failed to start due to the following error:
%%3

Event Record #/Type8380 / Warning
Event Submitted/Written: 05/03/2008 01:45:19 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0016B69C948F. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type8366 / Warning
Event Submitted/Written: 05/03/2008 01:34:12 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type8349 / Error
Event Submitted/Written: 05/03/2008 11:40:02 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The network monitor service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-05-03 14:04:35 ------------

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

#5
Mr. Adamant

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thank you again for your help.... This is the combofix log, followed by my hijackthis log...

ComboFix 08-05-01.3 - Aaron 2008-05-03 19:00:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.537 [GMT -6:00]
Running from: C:\Documents and Settings\Aaron\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Aaron\Application Data\WinTouch
C:\Documents and Settings\Aaron\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Aaron\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Aaron\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Aaron\My Documents\DOBE~1
C:\Documents and Settings\Aaron\My Documents\STEM32~1
C:\Documents and Settings\Aaron\My Documents\WNSXS~1
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\Program Files\outlook\v.tmp
C:\Program Files\winupdates
C:\Program Files\winupdates\a.tmp
C:\Program Files\winupdates\a.zip
C:\WINDOWS\cookies.ini
C:\WINDOWS\Installer\{18c8f9f4-eba6-41e2-88cf-ecdb3dada7f8}\zip.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\QWFyb24gQW5kZXJzb24\
C:\WINDOWS\QWFyb24gQW5kZXJzb24\\kqIVvZb0kqc4trLWvZb.vbs
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\arqberhj.dll
C:\WINDOWS\system32\arvojqst.dll
C:\WINDOWS\system32\bicsuhdt.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\cmds.txt
C:\WINDOWS\system32\cs.dat
C:\WINDOWS\system32\dgbbrthm.ini
C:\WINDOWS\system32\duis.txt
C:\WINDOWS\system32\edabpwkp.ini
C:\WINDOWS\system32\eveqvigu.ini
C:\WINDOWS\system32\fesbcomj.dll
C:\WINDOWS\system32\fratsmpb.dll
C:\WINDOWS\system32\geBUkjhE.dll
C:\WINDOWS\system32\glnwatti.dll
C:\WINDOWS\system32\hjkhmrxa.dll
C:\WINDOWS\system32\iiajjmfl.dll
C:\WINDOWS\system32\iifcATjG.dll
C:\WINDOWS\system32\javvkdvp.ini
C:\WINDOWS\system32\jnnppjmh.dll
C:\WINDOWS\system32\khiqxgat.dll
C:\WINDOWS\system32\komcltou.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhtrbbgd.dll
C:\WINDOWS\system32\msindc.dll
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\nklhgsor.dll
C:\WINDOWS\system32\oxhrfnkw.ini
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\ps1.dat
C:\WINDOWS\system32\qtgymvxm.ini
C:\WINDOWS\system32\qunmlcor.dll
C:\WINDOWS\system32\rc.dat
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\rkygawro.ini
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tcqhsumh.ini
C:\WINDOWS\system32\tkwljrkt.dll
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\ufurkcax.dll
C:\WINDOWS\system32\uhgaedtd.dll
C:\WINDOWS\system32\uwwpdxbf.dll
C:\WINDOWS\system32\vmqwiynu.dll
C:\WINDOWS\system32\vviippom.ini
C:\WINDOWS\system32\wfgfywcm.dll
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wovvbwrc.dll
C:\WINDOWS\system32\xoqxbhkk.ini
C:\WINDOWS\system32\xxqtlagr.dll
C:\WINDOWS\system32\YaHRYJjl.ini
C:\WINDOWS\system32\YaHRYJjl.ini2
C:\WINDOWS\system32\ynsnyduj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_cmdservice
-------\Legacy_network_monitor
-------\Service_cmdservice
-------\Service_network monitor


((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-03 13:53 . 2008-05-03 13:53 <DIR> d-------- C:\Deckard
2008-05-03 13:47 . 2008-05-03 13:47 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-03 13:41 . 2008-05-03 13:41 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-03 13:41 . 2008-05-03 13:41 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-03 13:41 . 2008-05-03 13:41 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-03 13:40 . 2008-05-03 13:52 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-03 13:40 . 2008-05-03 13:40 <DIR> d-------- C:\Program Files\AVG
2008-05-03 13:40 . 2008-05-03 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-03 13:40 . 2008-05-03 14:21 <DIR> d-------- C:\Documents and Settings\Aaron\Application Data\AVGTOOLBAR
2008-05-02 19:45 . 2008-05-02 19:45 <DIR> d-------- C:\Program Files\Screenshot Utility
2008-04-28 19:20 . 2008-04-28 19:21 <DIR> d-------- C:\Program Files\Panda Security
2008-04-28 15:35 . 2008-04-28 15:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 11:49 . 2008-04-28 11:49 37,376 -ra------ C:\WINDOWS\mrofinu1535.exe
2008-04-24 18:36 . 2008-04-24 18:36 <DIR> d-------- C:\WINDOWS\048298C9A4D3490B9FF9AB023A9238F3.TMP
2008-04-24 15:44 . 2008-04-24 12:44 73,728 --a------ C:\WINDOWS\b156.exe
2008-04-22 04:50 . 2008-05-03 18:46 109,738 --a------ C:\WINDOWS\BM4f4c3f01.xml
2008-04-21 22:29 . 2008-04-23 22:16 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-04-21 20:44 . 2008-04-24 18:29 <DIR> d-------- C:\Program Files\Common Files\quwf
2008-04-21 17:29 . 2008-04-21 17:29 687,592 --a------ C:\WINDOWS\system32\atmtd.dll._
2008-04-21 17:29 . 2008-04-21 17:29 687,592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-04-21 17:29 . 2006-01-03 17:45 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2008-04-20 20:17 . 2008-04-20 20:15 61,952 --a------ C:\WINDOWS\system32\flciijjq.exe
2008-04-20 20:16 . 2008-04-20 14:53 212,992 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-20 20:16 . 2008-04-20 14:53 212,992 --a------ C:\WINDOWS\qnmargolbve.dll
2008-04-20 20:16 . 2008-04-20 14:53 184,320 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-20 20:16 . 2008-04-20 14:53 94,208 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-20 20:15 . 2008-04-20 14:53 155,648 --a------ C:\WINDOWS\dpevflbg.dll
2008-04-20 20:15 . 2008-04-20 14:53 81,920 --a------ C:\WINDOWS\wxvgsdbq.exe
2008-04-20 20:15 . 2008-04-20 20:15 75,696 --a------ C:\WINDOWS\njqzpir.sys
2008-04-20 20:15 . 2008-04-20 20:15 16,464 -r-hs---- C:\Program Files\tmp3.exe
2008-04-20 20:15 . 2008-04-20 20:15 16,464 -r-hs---- C:\Program Files\tmp2.exe
2008-04-20 20:15 . 2008-04-20 20:15 16,464 -r-hs---- C:\Program Files\tmp1.exe
2008-04-20 20:15 . 2008-04-20 20:15 16,464 -r-hs---- C:\Program Files\tmp0.exe
2008-04-20 20:15 . 2008-04-20 20:15 10,000 --a------ C:\WINDOWS\system32\jfiehayd.dll
2008-04-20 13:22 . 2008-04-24 18:40 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-20 07:54 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-04-20 07:51 . 2008-04-20 07:51 <DIR> d-------- C:\Program Files\MAXON
2008-04-20 07:34 . 2008-04-20 07:37 <DIR> d-------- C:\Cinema 4d
2008-04-19 15:58 . 2008-04-19 15:58 428 --a------ C:\Documents and Settings\Aaron\scriptsOrganizer.dat
2008-04-19 15:45 . 2008-04-20 09:25 <DIR> d-------- C:\Documents and Settings\Aaron\.assistant
2008-04-19 15:20 . 2008-04-20 14:09 <DIR> d-------- C:\Documents and Settings\Aaron\scenes
2008-04-19 15:18 . 2008-04-19 15:18 <DIR> d-------- C:\Program Files\Next Limit
2008-04-17 22:06 . 2008-04-17 22:08 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-17 21:55 . 2008-04-17 21:55 <DIR> d-------- C:\Program Files\7-Zip
2008-04-17 12:49 . 2008-04-17 09:49 273,408 --a------ C:\WINDOWS\b148.exe
2008-04-14 12:08 . 2008-04-14 09:08 46,592 --a------ C:\WINDOWS\b157.exe
2008-04-12 12:01 . 2008-05-01 18:32 <DIR> d-------- C:\Program Files\Steam
2008-04-12 03:50 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-04-12 03:50 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-12 03:50 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-04-12 03:50 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-04-12 03:50 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-04-12 03:50 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-04-12 03:50 . 2006-12-08 12:02 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2008-04-12 03:50 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-04-12 03:50 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-04-12 03:50 . 2007-03-05 12:42 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2008-04-12 03:49 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-04-12 03:49 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2008-04-12 03:49 . 2006-07-28 09:30 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2008-04-12 03:48 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-11 08:48 . 2008-04-11 05:48 11,264 --a------ C:\WINDOWS\b138.exe
2008-04-10 22:10 . 2008-04-10 22:10 <DIR> d-------- C:\Program Files\ffdshow
2008-04-10 22:10 . 2008-01-01 01:00 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-10 22:10 . 2008-01-01 01:00 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-04-10 22:10 . 2008-04-10 17:50 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-10 22:10 . 2008-04-10 17:50 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2008-04-10 22:10 . 2008-01-01 01:00 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-04-10 01:30 . 2008-04-10 01:30 <DIR> d-------- C:\WINDOWS\Sun
2008-04-08 20:04 . 2008-04-08 20:04 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-08 17:33 . 2008-04-08 14:33 68,096 --a------ C:\WINDOWS\b155.exe
2008-04-08 17:23 . 2008-04-08 17:23 14 --a------ C:\WINDOWS\system32\SystemInfo32.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 03:32 --------- d-----w C:\Program Files\Google
2008-05-02 03:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-02 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 02:22 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-25 03:29 --------- d-----w C:\Documents and Settings\Aaron\Application Data\MSN6
2008-04-25 01:36 --------- d-----w C:\Program Files\HyCam2
2008-04-22 10:01 --------- d-----w C:\Program Files\Vstplugins
2008-04-22 00:00 --------- d-----w C:\Documents and Settings\Aaron\Application Data\LimeWire
2008-04-14 22:08 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-03-31 23:41 --------- d-----w C:\Documents and Settings\Aaron\Application Data\Sony
2008-03-31 23:41 --------- d-----w C:\Documents and Settings\Aaron\Application Data\Publish Providers
2008-03-31 23:41 --------- d-----w C:\Documents and Settings\Aaron\Application Data\NetMedia Providers
2008-03-31 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-03-31 23:01 --------- d-----w C:\Program Files\Sony Setup
2008-03-30 23:59 --------- d-----w C:\Documents and Settings\Aaron\Application Data\Synthesia
2008-03-24 01:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\espionServerData
2008-03-24 01:15 20,640 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-03-24 01:15 109,568 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-03-24 01:15 108,544 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-03-21 19:19 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-21 17:19 --------- d-----w C:\Program Files\Java
2008-03-21 17:16 --------- d-----w C:\Program Files\Common Files\Java
2008-03-21 17:15 382,352 ----a-w C:\jre-6u5-windows-i586-p-iftw.exe
2008-03-21 02:52 --------- d-----w C:\Program Files\Common Files\Macromedia Shared
2008-03-21 02:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-21 02:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 22:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 22:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 22:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 21:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 21:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-04 19:32 105,984 ----a-w C:\WINDOWS\b152.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-14 23:50 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-14 23:50 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-06 05:07 462,864 ----a-w C:\WINDOWS\system32\d3dx10_37.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a057a204-bacc-4d26-9990-79a187e2698e}]
2008-05-03 13:40 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f9a273c1-161e-4cc3-941d-11ce5fdf49fa}]
C:\WINDOWS\system32\ljJYRHaY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-03 13:40 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-03 13:40 2050816]

[HKEY_CLASSES_ROOT\clsid\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-03 13:40 1177368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AlrtDrive"= {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtUKCVO]
awtUKCVO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.avis"= ff_acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 avgldx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-03 13:41]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-03 13:40]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-03 13:40]
R2 avgtdix;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-03 13:41]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 19:06:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-03 19:14:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 01:14:02

Pre-Run: 16,029,171,712 bytes free
Post-Run: 15,976,669,184 bytes free

276 --- E O F --- 2008-04-13 01:02:55

-----------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:39 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {f9a273c1-161e-4cc3-941d-11ce5fdf49fa} - C:\WINDOWS\system32\ljJYRHaY.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: awtUKCVO - awtUKCVO.dll (file missing)
O21 - SSODL: AlrtDrive - {740b2fe3-9c90-485a-9b20-5d7f4147b599} - C:\WINDOWS\Resources\AlrtDrive.dll (file missing)
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2883 bytes

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When prompted to scan for infected files, choose no. When it is done, a log named CF_RC.txt will open. Please post the contents of that log.


Please do not reboot your machine until we have reviewed the log.

#7
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.