supermwindows and google/yahoo blocking [RESOLVED]


This topic is locked.

#1 Bob Boden (Member, 12 posts)
Have trojan on system? SuperMWindows present. Yahoo will not open. Other web sites open fine. Google will not search. Always "waiting for...". System bombs when trying to copy files to Lite-On DVD drive. Using latest firmware version. Any ideas?

#2 fenzodahl512 (Malware Removal, 9,863 posts)
Hello Bob Boden, my name is fenzodahl512 and welcome to Geeks to Go.

Please have a read at this topic and do all the preliminary steps given.

If you are using Windows Vista, or if you are using XP and already have Service Pack 1a or later, please ignore Step Three: Windows Updates and continue with Step Four: Reboot - Test

It should handle about 70% of your malware problem. Should the problem still exist, please post a fresh HijackThis log here as shown in Step Five: Posting a HijackThis Log. Thank you :)

Regards
fenzodahl512

#3 Bob Boden (Topic Starter, Member, 12 posts)
Thank you for your help. I ran up through step 4 and the computer seems to work properly now. Panda scan removed some of the spyware and a trojan virus but would not remove others unless I bought the program. Here is what was found during the malware scan. Thanks again. Appreciate the help.

Bob

Malwarebytes' Anti-Malware 1.14
Database version: 818

4:07:13 PM 6/3/2008
mbam-log-6-3-2008 (16-07-13).txt

Scan type: Quick Scan
Objects scanned: 41754
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iifcaXOh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yayxywUn.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b76cf1f4-ecdc-4ca1-89f8-32403496528e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b76cf1f4-ecdc-4ca1-89f8-32403496528e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifcaxoh (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c941ae9e-ed6e-4a82-b475-d119e09da550} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c941ae9e-ed6e-4a82-b475-d119e09da550} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b76cf1f4-ecdc-4ca1-89f8-32403496528e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc08f8be (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMdf3bcb22 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayxywun -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iifcaXOh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awtSiJBR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ejvknick.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tjqqdrre.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\yayxywUn.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Bob Boden\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

#4 fenzodahl512 (Malware Removal, 9,863 posts)
Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
If you are using Vista, you need to right-click the dss.exe icon and choose Run as Administrator.

#5 Bob Boden (Topic Starter, Member, 12 posts)
Thanks for the reply. I have run the application. Appended are the Notepad reports.

Bob

Deckard's System Scanner v20071014.68
Run by Bob Boden on 2008-06-05 13:03:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
90: 2008-06-05 20:03:42 UTC - RP477 - Deckard's System Scanner Restore Point
89: 2008-06-05 00:15:20 UTC - RP476 - System Checkpoint
88: 2008-06-03 23:12:23 UTC - RP475 - Installed SUPERAntiSpyware Free Edition
87: 2008-06-03 22:55:44 UTC - RP474 - Virus tx 6-3
86: 2008-06-03 03:57:07 UTC - RP473 - System Checkpoint


-- First Restore Point --
1: 2008-05-28 04:29:25 UTC - RP388 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-05 13:08:03
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
C:\Program Files\VoipCheapCom\VoipCheapCom.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Bob Boden\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5E64C040-83F0-401D-BE0A-F00E529DE4AC} - C:\WINDOWS\system32\tuvVLDwT.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {768DE0FC-ACFC-47E7-906E-92AC826141AD} - C:\WINDOWS\system32\xxywVpPi.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {c76b6b22-b340-f708-36e4-b270720e9a6e} - {e6a9e027-072b-4e63-807f-043b22b6b67c} - C:\WINDOWS\system32\dlvcwraa.dll
O2 - BHO: (no name) - {FC3F9072-FD77-44AA-A6F0-6C726007DFE3} - C:\WINDOWS\system32\mlJDWppN.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T\wlan111t.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} () - http://download.micr...78f/wvc1dmo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1172958902843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172969176000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hblogon - C:\WINDOWS\system32\hblogon.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 10567 bytes

-- File Associations -----------------------------------------------------------

.hlp - hlpfile - shell\open\command - WINHELP.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\windows\system32\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe"

S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_16EC&DEV_2F00&SUBSYS_010B16EC&REV_01\4&23C0B1C&0&50F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_16EC&DEV_2F00&SUBSYS_010B16EC&REV_01\4&23C0B1C&0&50F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-04 16:58:30 564 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bob Boden.job
2008-05-24 22:53:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-20 23:12:02 308 --ah----- C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job
2008-01-20 23:12:02 298 --ah----- C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job


-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-04 14:09:12 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipCheapCom
2008-06-04 14:07:37 0 d-------- C:\Program Files\VoipCheapCom
2008-06-04 14:00:38 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipBuster
2008-06-04 13:57:57 0 d-------- C:\Program Files\VoipBuster.com
2008-06-03 18:25:03 0 d-------- C:\Program Files\Panda Security
2008-06-03 16:12:39 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 16:12:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-03 16:12:24 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\SUPERAntiSpyware.com
2008-06-03 15:58:06 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\Malwarebytes
2008-06-03 15:57:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 15:57:54 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 15:57:01 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-02 20:09:15 114688 --a------ C:\WINDOWS\system32\dlvcwraa.dll
2008-06-02 20:03:15 89088 -----n--- C:\WINDOWS\system32\ejvknick.dll
2008-06-02 20:00:56 103424 -----n--- C:\WINDOWS\system32\tjqqdrre.dll
2008-06-02 20:00:14 738851 --ahs---- C:\WINDOWS\system32\nUwyxyay.ini2
2008-06-02 20:00:12 277504 -----n--- C:\WINDOWS\system32\yayxywUn.dll
2008-05-31 17:35:38 347 --ahs---- C:\WINDOWS\system32\KRXENXbc.ini2
2008-05-31 15:07:25 17599 --ahs---- C:\WINDOWS\system32\iPpVwyxx.ini2
2008-05-30 17:03:14 104448 --a------ C:\WINDOWS\system32\ndudyeej.dll
2008-05-30 16:57:14 109568 --a------ C:\WINDOWS\system32\vwcdvbgg.dll
2008-05-29 16:57:35 111616 --a------ C:\WINDOWS\system32\bkkeiioc.dll
2008-05-29 16:55:17 106496 --a------ C:\WINDOWS\system32\mlnmuasx.dll
2008-05-29 16:18:01 111616 --a------ C:\WINDOWS\system32\gpprsesy.dll
2008-05-29 16:09:43 106496 --a------ C:\WINDOWS\system32\plhvuouo.dll
2008-05-29 14:49:43 111616 --a------ C:\WINDOWS\system32\srmgigeo.dll
2008-05-29 14:49:36 106496 --a------ C:\WINDOWS\system32\ownquxns.dll
2008-05-29 14:48:53 800713 --ahs---- C:\WINDOWS\system32\NppWDJlm.ini2
2008-05-29 13:10:04 0 d-------- C:\WINDOWS\CSC
2008-05-29 12:57:48 111616 --a------ C:\WINDOWS\system32\splptudp.dll
2008-05-29 12:52:30 106496 --a------ C:\WINDOWS\system32\ecgcbblt.dll
2008-05-29 12:51:48 789934 --ahs---- C:\WINDOWS\system32\TDKQqtwa.ini2
2008-05-28 17:08:15 112640 --a------ C:\WINDOWS\system32\xutwfnyo.dll
2008-05-28 17:05:15 102400 --a------ C:\WINDOWS\system32\agjhrqtl.dll
2008-05-28 16:56:16 109568 --a------ C:\WINDOWS\system32\fsqybdvo.dll
2008-05-27 21:29:15 834735 --ahs---- C:\WINDOWS\system32\TwDLVvut.ini2
2008-05-27 21:24:08 28160 -----n--- C:\WINDOWS\system32\iifcaXOh.dll
2008-05-27 10:48:15 0 d-------- C:\WINDOWS\system32\NtmsData
2008-05-25 16:47:49 0 d-------- C:\Documents and Settings\Ty Boden\Application Data\Real
2008-05-16 22:43:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-14 19:55:41 0 d-------- C:\Program Files\Windows Sidebar
2008-05-14 19:55:40 0 d-------- C:\Program Files\Norton AntiVirus
2008-05-14 18:00:40 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files


-- Find3M Report ---------------------------------------------------------------

2008-06-05 13:00:44 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-03 16:11:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 15:57:01 0 d-------- C:\Program Files\Common Files
2008-06-02 20:10:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-31 14:58:05 0 d-------- C:\Program Files\Common Files\Real
2008-05-31 14:56:02 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\Real
2008-05-29 11:49:03 0 d-------- C:\Program Files\QuickTime
2008-05-26 11:36:34 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\LimeWire
2008-05-16 22:43:20 0 d-------- C:\Program Files\Google
2008-05-14 19:56:19 0 d-------- C:\Program Files\Symantec
2008-05-04 19:24:25 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\Download Manager
2008-04-16 21:34:11 0 d-------- C:\Program Files\netbeans-5.5.1
2008-04-14 15:39:15 7168 --ahs---- C:\Program Files\Thumbs.db
2008-04-06 20:18:21 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\Image Zone Express
2008-03-13 13:22:31 4064 --a------ C:\WINDOWS\mozver.dat
2008-03-10 21:24:00 49152 --a------ C:\WINDOWS\system32\apache.dll
2008-03-09 19:25:34 84757 --a------ C:\Program Files\R6Vegas_Launcher.rar


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E64C040-83F0-401D-BE0A-F00E529DE4AC}]
C:\WINDOWS\system32\tuvVLDwT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
05/14/2008 07:57 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{768DE0FC-ACFC-47E7-906E-92AC826141AD}]
C:\WINDOWS\system32\xxywVpPi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e6a9e027-072b-4e63-807f-043b22b6b67c}]
06/02/2008 08:09 PM 114688 --a------ C:\WINDOWS\system32\dlvcwraa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC3F9072-FD77-44AA-A6F0-6C726007DFE3}]
C:\WINDOWS\system32\mlJDWppN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/09/2006 04:29 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 06:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/28/2007 08:04 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/03/2008 06:21 PM]
"VoipBuster"="C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" [01/17/2008 03:54 PM]
"VoipCheapCom"="C:\Program Files\VoipCheapCom\VoipCheapCom.exe" [02/20/2007 02:23 PM]

C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [6/6/1998 8:33:30 AM]
GameSpot Download Manager.lnk - C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe [10/12/2007 5:34:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [1/11/2008 10:16:38 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [7/4/2007 2:01:13 PM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [11/4/2007 12:29:18 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/03/2008 06:21 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 06/03/2008 06:21 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hblogon]
hblogon.dll 04/23/2007 06:52 AM 20480 C:\WINDOWS\system32\hblogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bob Boden^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Backup 5.7]
C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8520 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-05 13:08:46 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 1023.29 MiB / 571.27 MiB
Pagefile Memory (total/avail): 2463.57 MiB / 2031.11 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.05 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 186.3 GiB total, 152.89 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is CDROM (No Media)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2000JD-00HBB0 - 186.31 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 186.3 GiB - C:

\\.\PHYSICALDRIVE1 - USB2.0 CardReader CF RW USB Device

\\.\PHYSICALDRIVE2 - USB2.0 CardReader Combo USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Norton AntiVirus v15.5.0.23 (Symantec Corporation)
AV: Norton AntiVirus v15.5.0.23 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kaneva\\World of Kaneva\\KepClient.exe"="C:\\Program Files\\Kaneva\\World of Kaneva\\KepClient.exe:*:Disabled:KEP Game Client"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\Microsoft XNA\\XNA Game Studio Express\\v1.0\\Bin\\XnaTrans.exe"="C:\\Program Files\\Microsoft XNA\\XNA Game Studio Express\\v1.0\\Bin\\XnaTrans.exe:LocalSubNet:Disabled:XNA Game Studio Transport"
"C:\\Documents and Settings\\Bob Boden\\Desktop\\ps3proxy.exe"="C:\\Documents and Settings\\Bob Boden\\Desktop\\ps3proxy.exe:*:Disabled:PS3 Proxy"
"C:\\Program Files\\uSirius\\uSirius.exe"="C:\\Program Files\\uSirius\\uSirius.exe:*:Disabled:uSirius 1.0RC3"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Documents and Settings\\Bob Boden\\Local Settings\\Temp\\Rar$EX00.297\\Jumper Redux.exe"="C:\\Documents and Settings\\Bob Boden\\Local Settings\\Temp\\Rar$EX00.297\\Jumper Redux.exe:*:Enabled:Jumper Redux"
"C:\\Documents and Settings\\Bob Boden\\Local Settings\\Temp\\Rar$EX00.016\\Jumper Redux.exe"="C:\\Documents and Settings\\Bob Boden\\Local Settings\\Temp\\Rar$EX00.016\\Jumper Redux.exe:*:Disabled:Jumper Redux"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Documents and Settings\\Bob Boden\\Desktop\\uTorrent.exe"="C:\\Documents and Settings\\Bob Boden\\Desktop\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"="C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe:*:Enabled:VoipBuster"
"C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"="C:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe:*:Enabled:VoipCheapCom"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bob Boden\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BOB-LFYYUUR20TJ
ComSpec=C:\WINDOWS\system32\cmd.exe
DXSDK_DIR=C:\Program Files\Microsoft DirectX SDK (November 2007)\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bob Boden
LOGONSERVER=\\BOB-LFYYUUR20TJ
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Microsoft DirectX SDK (November 2007)\Utilities\Bin\x86;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\backburner 2\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\BOBBOD~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\BOBBOD~1\LOCALS~1\Temp
USERDOMAIN=BOB-LFYYUUR20TJ
USERNAME=Bob Boden
USERPROFILE=C:\Documents and Settings\Bob Boden
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Bob Boden (admin)
Ty Boden (admin)
Cheryl Boden (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {637099FB-45FD-4BC7-9651-6FB540DBB749}
--> MsiExec /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
--> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
--> MsiExec.exe /I{0D330013-4A99-46D6-83C6-2C959C68DBFF}
--> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
--> MsiExec.exe /I{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
--> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
--> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
--> MsiExec.exe /I{637099FB-45FD-4BC7-9651-6FB540DBB749}
--> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
--> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
--> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
--> MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
--> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
--> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AGEIA PhysX v7.09.13 --> MsiExec.exe /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Cakewalk Pro Audio 9 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Cakewalk\Cakewalk Pro Audio 9\CWPA9_Uninst.isu"
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Citrix ICA Web Client --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EPSON TWAIN 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A3EABC0-CA06-11D4-BF77-00104B130C19}\Setup.exe" UNINSTALL
Game Maker 7.0 --> C:\Program Files\Game_Maker7\Uninstal.exe
GameSpot Download Manager --> "C:\Program Files\GameSpot\uninstall.exe"
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Handy Backup 5.7.0.1 --> C:\Program Files\Novosoft\Handy Backup\uninst.exe
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Development Kit 6 Update 2 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160020}
LightWave 3D 9.2 --> C:\WINDOWS\LightWave 3D 9.2 Uninstaller.exe
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Macromedia Dreamweaver 3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Macromedia\Dreamweaver 3\Uninst.isu"
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mario --> C:\Uninstal.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft DirectX SDK (November 2007) --> MsiExec.exe /I{CA97B421-06CB-4040-8EC9-6ED02EA87930}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server Compact 3.5 Design Tools ENU --> MsiExec.exe /X{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}
Microsoft SQL Server Compact 3.5 ENU --> MsiExec.exe /I{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C# 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual C# 2005 Express Edition - ENU\setup.exe
Microsoft Visual C# 2005 Express Edition - ENU --> MsiExec.exe /X{7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}
Microsoft Visual C# 2008 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 9.0\Microsoft Visual C# 2008 Express Edition - ENU\setup.exe
Microsoft Visual C# 2008 Express Edition - ENU --> MsiExec.exe /X{2D07422C-CA35-375A-A3A8-3631AB85BFE5}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework --> MsiExec.exe /X{B4C0A315-07FB-39F9-85CD-8CE20C019350}
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32 --> MsiExec.exe /X{07FCBED5-94C3-4F94-B9D3-360FA27C7B06}
Microsoft XNA Game Studio Express --> MsiExec.exe /I{26DBF096-6283-43E2-B7A3-4C36785C635C}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NetBeans IDE 5.5.1 --> C:\Program Files\netbeans-5.5.1\_uninst\uninstaller.exe
NETGEAR WG111T 108Mbps Wireless USB2.0 Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51123D42-6B9C-4B93-900C-29F9EC5963C9}\Setup.exe"
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}_15_5_0_23\Setup.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenAL --> "C:\Program Files\OpenAL\oalinst.exe" /U
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PLAYSTATION 3 02 Screen Saver --> C:\WINDOWS\system32\PLAYSTATION 3 02.scr /u
PrintMaster 7.00 --> c:\PROGRA~1\MINDSC~1\PRINTM~1\uninst32.exe /IFirst
PS3 Video 9 2.25 --> C:\Program Files\Red Kawa\Video Converter\uninstaller.exe
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Roxio Drag-to-Disc --> MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Easy Media Creator 9 Suite --> MsiExec.exe /I{938B1CD7-7C60-491E-AA90-1F1888168240}
Savings Bond Wizard --> C:\WINDOWS\unvise32.exe C:\Program Files\Savings Bond Wizard\uninstal.log
Serif DrawPlus 3.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Serif\dp30\DrawPlus_uninst.isu"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Style Enhancer Micro 1.28 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NTONYX\SEM128\se128.isu"
Sun Download Manager 2.0 (web) --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://javadl-esd.su...m20/sdm20.jnlp"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SureThing CD Labeler - Stomper Edition 32 bit --> C:\WINDOWS\MVUNINST\App1\unwise.exe C:\WINDOWS\MVUNINST\APP1\INSTALL.LOG "SureThing CD Labeler - Stomper Edition Uninstall"
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Terragen --> MsiExec.exe /I{CCEB53A5-A252-4CF3-8602-429AB06BF0AE}
VoipBuster --> "C:\Program Files\VoipBuster.com\VoipBuster\unins000.exe"
VoipCheapCom --> "C:\Program Files\VoipCheapCom\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Documents and Settings\Bob Boden\My Documents\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WinZip Self-Extractor --> "C:\Program Files\WinZip Self-Extractor\setup.exe" /uninstall
Xbox Backup Creator --> MsiExec.exe /X{1D187E68-A03C-4E34-BE30-75CE94710A0D}
XML Paper Specification Shared Components Pack 1.0 -->
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type19020 / Error
Event Submitted/Written: 06/04/2008 02:28:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type19019 / Error
Event Submitted/Written: 06/04/2008 02:27:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module shell32.dll, version 6.0.2900.3241, fault address 0x00035bb5.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type18993 / Error
Event Submitted/Written: 06/03/2008 09:49:36 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type18969 / Warning
Event Submitted/Written: 06/03/2008 07:41:44 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type18840 / Warning
Event Submitted/Written: 06/01/2008 07:31:08 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{91120409-6000-11D3-8CFE-0150048383C9}', feature 'SpeechFiles' failed during request for component '{B70A08EE-C463-11D3-8F30-00C04F5EFF06}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type39918 / Error
Event Submitted/Written: 06/03/2008 09:49:46 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom1, has a bad block.

Event Record #/Type39917 / Error
Event Submitted/Written: 06/03/2008 09:49:38 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom1, has a bad block.

Event Record #/Type39916 / Error
Event Submitted/Written: 06/03/2008 09:49:30 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom1, has a bad block.

Event Record #/Type39915 / Error
Event Submitted/Written: 06/03/2008 09:49:22 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom1, has a bad block.

Event Record #/Type39914 / Error
Event Submitted/Written: 06/03/2008 09:49:13 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom1, has a bad block.



-- End of Deckard's System Scanner: finished at 2008-06-05 13:08:46 ------------

#6
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, thanks for the reply.. Please do the following..


Please go to Start >> Run and type or copy/paste the following in the run box: "%userprofile%\desktop\dss.exe" /daft . Then press Enter
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.



NEXT


Please visit below webpage for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.



Regards
fenzodahl512

#7
Bob Boden

    Member

  • Topic Starter
  • Member
  • 12 posts
I am having difficulty installing Windows XP recovery console. Instructions say:

Starting the Windows Recovery Console
To start the Windows Recovery Console, use one of the following methods:
• Use the Windows Setup floppy disks or the Windows CD-ROM to start your computer. At the "Welcome to Setup" screen, press F10 or press "R" to repair.
• Use the Winnt32.exe utility with the /cmdcons option to add the Windows Recovery Console to the Windows Startup folder. This procedure requires approximately 7 megabytes (MB) of hard disk space on the system partition to hold the Cmdcons folder and files.

Which one should I use? If I am to use the second one, what is the "Winnt32.exe utility with the /cmdcons option"?

Thanks,

Bob

#8
fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok.. just run ComboFix then, and post the log here.. :)

#9
Bob Boden

    Member

  • Topic Starter
  • Member
  • 12 posts
OK, Here 'tis.

Bob


ComboFix 08-06-05.3 - Bob Boden 2008-06-07 11:10:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.597 [GMT -7:00]
Running from: C:\Documents and Settings\Bob Boden\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMdf3bcb22.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\agjhrqtl.dll
C:\WINDOWS\system32\bkkeiioc.dll
C:\WINDOWS\system32\dlvcwraa.dll
C:\WINDOWS\system32\ecgcbblt.dll
C:\WINDOWS\system32\ejvknick.dll
C:\WINDOWS\system32\fkcrmkjn.ini
C:\WINDOWS\system32\fsqybdvo.dll
C:\WINDOWS\system32\gpprsesy.dll
C:\WINDOWS\system32\iifcaXOh.dll
C:\WINDOWS\system32\iPpVwyxx.ini
C:\WINDOWS\system32\iPpVwyxx.ini2
C:\WINDOWS\system32\kcinkvje.ini
C:\WINDOWS\system32\kgcpvcsa.ini
C:\WINDOWS\system32\KRXENXbc.ini
C:\WINDOWS\system32\KRXENXbc.ini2
C:\WINDOWS\system32\ltqrhjga.ini
C:\WINDOWS\system32\mdcdsukf.ini
C:\WINDOWS\system32\mlnmuasx.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ndudyeej.dll
C:\WINDOWS\system32\NppWDJlm.ini
C:\WINDOWS\system32\NppWDJlm.ini2
C:\WINDOWS\system32\nUwyxyay.ini
C:\WINDOWS\system32\nUwyxyay.ini2
C:\WINDOWS\system32\ownquxns.dll
C:\WINDOWS\system32\plhvuouo.dll
C:\WINDOWS\system32\qpsisubq.ini
C:\WINDOWS\system32\splptudp.dll
C:\WINDOWS\system32\srmgigeo.dll
C:\WINDOWS\system32\TDKQqtwa.ini
C:\WINDOWS\system32\TDKQqtwa.ini2
C:\WINDOWS\system32\tjqqdrre.dll
C:\WINDOWS\system32\TwDLVvut.ini
C:\WINDOWS\system32\TwDLVvut.ini2
C:\WINDOWS\system32\vwcdvbgg.dll
C:\WINDOWS\system32\xutwfnyo.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-06 12:04 . 2008-06-06 12:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-06 12:04 . 2008-06-06 12:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-05 13:03 . 2008-06-05 13:03 <DIR> d-------- C:\Deckard
2008-06-04 14:09 . 2008-06-04 14:09 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipCheapCom
2008-06-04 14:00 . 2008-06-04 14:20 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipBuster
2008-06-03 18:25 . 2008-06-03 18:26 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 16:12 . 2008-06-03 18:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-03 16:12 . 2008-06-03 16:12 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\SUPERAntiSpyware.com
2008-06-03 16:12 . 2008-06-03 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 15:58 . 2008-06-03 15:58 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\Malwarebytes
2008-06-03 15:57 . 2008-06-03 15:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 15:57 . 2008-06-03 15:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-03 15:57 . 2008-06-03 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 15:57 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-03 15:57 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-02 20:00 . 2008-06-03 16:07 277,504 --------- C:\WINDOWS\system32\yayxywUn.dll
2008-05-27 10:48 . 2008-05-27 11:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-16 22:43 . 2008-06-06 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-14 19:55 . 2008-05-14 19:55 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-14 19:55 . 2008-05-14 19:59 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-05-14 19:55 . 2008-05-14 19:56 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-14 19:55 . 2008-05-14 19:56 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-14 19:55 . 2008-05-14 19:56 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-14 19:55 . 2008-05-14 19:56 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-14 18:00 . 2008-05-14 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 18:08 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-03 23:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 03:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-31 21:58 --------- d-----w C:\Program Files\Common Files\Real
2008-05-29 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 19:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 18:49 --------- d-----w C:\Program Files\QuickTime
2008-05-26 18:36 --------- d-----w C:\Documents and Settings\Bob Boden\Application Data\LimeWire
2008-05-17 05:43 --------- d-----w C:\Program Files\Google
2008-05-15 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 02:56 --------- d-----w C:\Program Files\Symantec
2008-05-05 02:24 --------- d-----w C:\Documents and Settings\Bob Boden\Application Data\Download Manager
2008-04-17 04:34 --------- d-----w C:\Program Files\netbeans-5.5.1
2008-04-14 22:39 7,168 --sha-w C:\Program Files\Thumbs.db
2008-04-07 03:18 --------- d-----w C:\Documents and Settings\Bob Boden\Application Data\Image Zone Express
2008-03-10 02:25 84,757 ----a-w C:\Program Files\R6Vegas_Launcher.rar
2007-12-23 23:02 2,895,672 ----a-w C:\Program Files\gh3.zip
2007-12-23 22:48 7,636 ----a-w C:\Program Files\hatred.nfo
2007-12-23 22:48 6,989,824 ----a-w C:\Program Files\gh3.exe
2007-12-23 22:48 163,840 ----a-w C:\Program Files\hatred.exe
2007-11-03 00:48 6,781 ----a-w C:\Program Files\install.log
2007-05-30 20:11 167 ----a-w C:\Documents and Settings\Bob Boden\5359.bat
2007-05-26 06:11 22 ----a-w C:\Program Files\c.zip
2007-05-26 06:11 22 ----a-w C:\Program Files\b.zip
2007-05-26 06:11 22 ----a-w C:\Program Files\a.zip
2007-05-23 00:01 167 ----a-w C:\Documents and Settings\Bob Boden\8614.bat
2007-05-23 00:00 12,798 ----a-w C:\Documents and Settings\Bob Boden\x.dat
2007-05-19 17:30 256 ----a-w C:\Documents and Settings\Ty Boden\x.dat
2007-05-13 17:50 167 ----a-w C:\Documents and Settings\Bob Boden\5525.bat
2007-05-13 17:49 25,214 ----a-w C:\Program Files\B.ico
2007-05-13 17:49 25,214 ----a-w C:\Program Files\A.ico
2007-05-12 19:39 167 ----a-w C:\Documents and Settings\Bob Boden\7040.bat
2007-05-10 14:46 167 ----a-w C:\Documents and Settings\Bob Boden\6891.bat
2007-05-09 20:13 167 ----a-w C:\Documents and Settings\Bob Boden\4570.bat
2007-04-05 07:08 18,154 ----a-w C:\Program Files\ReadMe.txt
2007-02-01 06:47 28,659,712 ----a-w C:\Program Files\R6Vegas_Game.exe
2007-01-23 17:11 5 ----a-w C:\Program Files\ver.ini
2006-12-01 16:54 636,609 ----a-w C:\Program Files\Manual.pdf
2006-11-28 20:54 145 ----a-w C:\Program Files\DARE.INI
2006-11-17 03:57 208,896 ----a-w C:\Program Files\R6Vegas_Launcher.exe
2006-11-09 14:18 1,060,864 ----a-w C:\Program Files\mfc71.dll
2006-10-14 05:52 3,899,392 ----a-w C:\Program Files\wxmsw253u.dll
2006-10-14 05:52 16,896 ----a-w C:\Program Files\vorbisfile.dll
2006-10-14 05:52 126,976 ----a-w C:\Program Files\vorbis.dll
2006-10-14 05:51 864,256 ----a-w C:\Program Files\NxCooking.dll
2006-10-14 05:51 719,360 ----a-w C:\Program Files\dbghelp.dll
2006-10-14 05:51 3,842,048 ----a-w C:\Program Files\PhysXCore.dll
2006-10-14 05:51 217,088 ----a-w C:\Program Files\cgGL.dll
2006-10-14 05:51 193,024 ----a-w C:\Program Files\binkw32.dll
2006-10-14 05:51 139,264 ----a-w C:\Program Files\eax.dll
2006-10-14 05:51 11,264 ----a-w C:\Program Files\ogg.dll
2006-10-14 05:51 106,496 ----a-w C:\Program Files\PhysXLoader.dll
2006-10-14 05:51 1,683,456 ----a-w C:\Program Files\cg.dll
2007-06-03 02:29 80 --sh--r C:\WINDOWS\system32\85617AB7A9.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E64C040-83F0-401D-BE0A-F00E529DE4AC}]
C:\WINDOWS\system32\tuvVLDwT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-14 19:57 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{768DE0FC-ACFC-47E7-906E-92AC826141AD}]
C:\WINDOWS\system32\xxywVpPi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC3F9072-FD77-44AA-A6F0-6C726007DFE3}]
C:\WINDOWS\system32\mlJDWppN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 20:04 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-03 18:21 1506544]
"VoipBuster"="C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" [ ]
"VoipCheapCom"="C:\Program Files\VoipCheapCom\VoipCheapCom.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 16:29 7561216]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 18:47 51048]

C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 08:33:30 325632]
GameSpot Download Manager.lnk - C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe [2007-10-12 17:34:50 872448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 22:16:38 39792]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2007-07-04 14:01:13 884840]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-11-04 12:29:18 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-03 18:21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-03 18:21 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hblogon]
hblogon.dll 2007-04-23 06:52 20480 C:\WINDOWS\system32\hblogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Bob Boden^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Backup 5.7]
C:\Program Files\Novosoft\Handy Backup\hbagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 c2scsi;c2scsi;C:\WINDOWS\system32\drivers\c2scsi.sys [2006-03-04 05:00]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 21:06]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 05:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 06:12:02 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
"2008-01-21 06:12:02 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- C:\Program Files\Microsoft IntelliType Pro\itype.exe
"2008-06-07 00:36:32 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bob Boden.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 11:16:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\hblogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-06-07 11:21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-07 18:21:24

Pre-Run: 163,891,384,320 bytes free
Post-Run: 163,768,348,672 bytes free

241 --- E O F --- 2008-05-28 04:30:43
  • 0

#10
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



Please post the following logs in your next reply.. Please post each log in a separate post

1. SDFix
2. A fresh Deckard System Scanner (after SDFix step)


Regards
fenzodahl512
  • 0

#11
Bob Boden
    Member
  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here 'tis. Thanks

Bob


SDFix: Version 1.189
Run by Bob Boden on Sat 06/07/2008 at 02:24 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\a.zip - Deleted
C:\Program Files\b.zip - Deleted
C:\Program Files\c.zip - Deleted
C:\Program Files\A.ico - Deleted
C:\Program Files\B.ico - Deleted
C:\Documents and Settings\Bob Boden\x.dat - Deleted

x.dat and z.dat data copied to \SDFix\Data.txt




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 14:32:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft XNA\\XNA Game Studio Express\\v1.0\\Bin\\XnaTrans.exe"="C:\\Program Files\\Microsoft XNA\\XNA Game Studio Express\\v1.0\\Bin\\XnaTrans.exe:LocalSubNet:Disabled:XNA Game Studio Transport"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 2 Jun 2007 80 ..SHR --- "C:\WINDOWS\system32\85617AB7A9.dll"
Wed 2 May 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 31 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT278.tmp"
Fri 31 Aug 2007 10,919,033 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3eec5cddf4f469cfa4fb09ffb6f6bb18\BIT142.tmp"
Sun 22 Jul 2007 637,952 ...H. --- "C:\Documents and Settings\Bob Boden\Application Data\Microsoft\Word\~WRL3616.tmp"
Wed 2 May 2007 4,348 ...H. --- "C:\Documents and Settings\Bob Boden\My Documents\My Music\License Backup\drmv1key.bak"
Wed 2 May 2007 20 A..H. --- "C:\Documents and Settings\Bob Boden\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 3 Mar 2007 312 A.SH. --- "C:\Documents and Settings\Bob Boden\My Documents\My Music\License Backup\drmv2key.bak"
Mon 26 May 2008 4,268 A.SH. --- "C:\Documents and Settings\Bob Boden\Application Data\Roxio\Dragon\3.x\DiscInfoCache\LITE-ON_DVDRW_SOHW-1633S_BS0C_000_DICV018_DRGV9000007.TMP"

Finished!



Deckard's System Scanner v20071014.68
Run by Bob Boden on 2008-06-07 14:40:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-07 14:41:17
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Bob Boden\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5E64C040-83F0-401D-BE0A-F00E529DE4AC} - C:\WINDOWS\system32\tuvVLDwT.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {768DE0FC-ACFC-47E7-906E-92AC826141AD} - C:\WINDOWS\system32\xxywVpPi.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FC3F9072-FD77-44AA-A6F0-6C726007DFE3} - C:\WINDOWS\system32\mlJDWppN.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111T\wlan111t.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.micr...heckControl.cab
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} () - http://download.micr...78f/wvc1dmo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1172958902843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172969176000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hblogon - C:\WINDOWS\system32\hblogon.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 9946 bytes

-- Files created between 2008-05-07 and 2008-06-07 -----------------------------

2008-06-07 14:20:51 0 d-------- C:\WINDOWS\ERUNT
2008-06-07 11:09:11 68096 --a------ C:\WINDOWS\zip.exe
2008-06-07 11:09:11 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-07 11:09:10 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-07 11:09:10 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-07 11:09:10 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-07 11:09:10 98816 --a------ C:\WINDOWS\sed.exe
2008-06-07 11:09:10 80412 --a------ C:\WINDOWS\grep.exe
2008-06-07 11:09:10 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-04 14:09:12 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipCheapCom
2008-06-04 14:00:38 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipBuster
2008-06-03 18:25:03 0 d-------- C:\Program Files\Panda Security
2008-06-03 16:12:39 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 16:12:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-03 16:12:24 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\SUPERAntiSpyware.com
2008-06-03 15:58:06 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\Malwarebytes
2008-06-03 15:57:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 15:57:54 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 15:57:01 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-02 20:00:12 277504 -----n--- C:\WINDOWS\system32\yayxywUn.dll
2008-05-29 13:10:04 0 d-------- C:\WINDOWS\CSC
2008-05-27 10:48:15 0 d-------- C:\WINDOWS\system32\NtmsData
2008-05-25 16:47:49 0 d-------- C:\Documents and Settings\Ty Boden\Application Data\Real
2008-05-16 22:43:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-14 19:55:41 0 d-------- C:\Program Files\Windows Sidebar
2008-05-14 19:55:40 0 d-------- C:\Program Files\Norton AntiVirus
2008-05-14 18:00:40 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files


-- Find3M Report ---------------------------------------------------------------

2008-06-07 13:55:42 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-03 16:11:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 15:57:01 0 d-------- C:\Program Files\Common Files
2008-06-02 20:10:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-31 14:58:05 0 d-------- C:\Program Files\Common Files\Real
2008-05-31 14:56:02 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\Real
2008-05-29 11:49:03 0 d-------- C:\Program Files\QuickTime
2008-05-26 11:36:34 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\LimeWire
2008-05-16 22:43:20 0 d-------- C:\Program Files\Google
2008-05-14 19:56:19 0 d-------- C:\Program Files\Symantec
2008-05-04 19:24:25 0 d-------- C:\Documents and Settings\Bob Boden\Application Data\Download Manager
2008-04-16 21:34:11 0 d-------- C:\Program Files\netbeans-5.5.1
2008-04-14 15:39:15 7168 --ahs---- C:\Program Files\Thumbs.db
2008-03-13 13:22:31 4064 --a------ C:\WINDOWS\mozver.dat
2008-03-10 21:24:00 49152 --a------ C:\WINDOWS\system32\apache.dll
2008-03-09 19:25:34 84757 --a------ C:\Program Files\R6Vegas_Launcher.rar


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E64C040-83F0-401D-BE0A-F00E529DE4AC}]
C:\WINDOWS\system32\tuvVLDwT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
05/14/2008 07:57 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{768DE0FC-ACFC-47E7-906E-92AC826141AD}]
C:\WINDOWS\system32\xxywVpPi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC3F9072-FD77-44AA-A6F0-6C726007DFE3}]
C:\WINDOWS\system32\mlJDWppN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/09/2006 04:29 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/25/2008 06:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/28/2007 08:04 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/03/2008 06:21 PM]
"VoipBuster"="C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" []
"VoipCheapCom"="C:\Program Files\VoipCheapCom\VoipCheapCom.exe" []

C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [6/6/1998 8:33:30 AM]
GameSpot Download Manager.lnk - C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe [10/12/2007 5:34:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [1/11/2008 10:16:38 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [7/4/2007 2:01:13 PM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [11/4/2007 12:29:18 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/03/2008 06:21 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 06/03/2008 06:21 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hblogon]
hblogon.dll 04/23/2007 06:52 AM 20480 C:\WINDOWS\system32\hblogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bob Boden^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Backup 5.7]
C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray




-- End of Deckard's System Scanner: finished at 2008-06-07 14:41:42 ------------
  • 0

#12
fenzodahl512
  • Malware Removal
  • 9,863 posts
Hello, thanks for the reply.. Please do the following...


Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\system32\hblogon.dll
    • C:\WINDOWS\system32\85617AB7A9.dll
  • Click on the submit button. You can send only one file per round.
  • Please post the results in your next reply.
If Jotti server is too busy, please submit the file to VirusTotal instead.




NEXT


Installing Recovery Console:

It appears your computer has no Recovery Console installed. We need to install Recovery Console first before proceeding to our next fix. Please do the following..

Please go to Microsoft's website => HERE
Select the download that's appropriate for your Operating System: Windows XP Professional Service Pack 2 (SP2)


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

After successfully installing Recovery Console, a pop-up will appear asking to run ComboFix; please select NO.




NEXT



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\yayxywUn.dll
C:\WINDOWS\system32\tuvVLDwT.dll
C:\WINDOWS\system32\xxywVpPi.dll
C:\WINDOWS\system32\mlJDWppN.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E64C040-83F0-401D-BE0A-F00E529DE4AC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{768DE0FC-ACFC-47E7-906E-92AC826141AD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC3F9072-FD77-44AA-A6F0-6C726007DFE3}]

3. Save the above as CFScript.txt in your Desktop.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Jotti Report
  • Combofix.txt
  • A new HijackThis log.


Regards
fenzodahl512

Edited by fenzodahl512, 08 June 2008 - 01:54 AM.

  • 0
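The triage done by eye on the Deckard's log above (orphaned "(no name)" BHOs pointing at randomly named system32 DLLs, plus an unknown Winlogon Notify DLL that gets submitted for scanning before anything is done to it), as an added example that is not code from this thread, from HijackThis or from ComboFix. The sample lines are constructed from the log posted above; the 8-letter mixed-case name heuristic and the Program Files allowlist are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines in the shape of the HijackThis-clone section of the
# Deckard's System Scanner log posted earlier in this thread.
SAMPLE_LOG = """\
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O2 - BHO: (no name) - {5E64C040-83F0-401D-BE0A-F00E529DE4AC} - C:\\WINDOWS\\system32\\tuvVLDwT.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\\Program Files\\Common Files\\Symantec Shared\\IDS\\IPSBHO.dll
O2 - BHO: (no name) - {768DE0FC-ACFC-47E7-906E-92AC826141AD} - C:\\WINDOWS\\system32\\xxywVpPi.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {FC3F9072-FD77-44AA-A6F0-6C726007DFE3} - C:\\WINDOWS\\system32\\mlJDWppN.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL
O20 - Winlogon Notify: hblogon - C:\\WINDOWS\\system32\\hblogon.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

MISSING = " (file missing)"


@dataclass
class Finding:
    kind: str                      # "O2" (BHO) or "O20" (Winlogon Notify)
    ident: str                     # CLSID for O2, notify-package name for O20
    path: str                      # path exactly as logged
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Last path component, with HijackThis's '(file missing)' suffix stripped."""
    return path.replace(MISSING, "").rsplit("\\", 1)[-1]


def looks_random(filename: str) -> bool:
    """Heuristic (my assumption, not a HijackThis rule): an 8-letter, mixed-case,
    purely alphabetic DLL stem such as tuvVLDwT.dll or xxywVpPi.dll."""
    stem, _, ext = filename.rpartition(".")
    if ext.lower() != "dll" or len(stem) != 8 or not stem.isalpha():
        return False
    return stem != stem.lower() and stem != stem.upper()


def triage(log_text: str) -> List[Finding]:
    """Flag O2/O20 entries carrying the indicators seen in this thread's logs."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a display name")
            if m["path"] == "(no file)" or m["path"].endswith(MISSING):
                reasons.append("registered DLL is not on disk (orphaned or already removed)")
            if looks_random(basename(m["path"])):
                reasons.append("8-letter mixed-case DLL name, as used by randomly named BHO droppers")
            if reasons:
                findings.append(Finding("O2", m["clsid"], m["path"], reasons))
            continue
        m = O20_RE.match(line)
        if m and not m["path"].lower().startswith("c:\\program files\\"):
            # Winlogon Notify DLLs load into winlogon.exe; an unknown one outside a
            # vendor directory gets a multi-engine scan verdict before any removal.
            findings.append(Finding("O20", m["name"], m["path"],
                                    ["Winlogon Notify DLL outside Program Files: scan before acting"]))
    return findings


def to_cfscript(findings: List[Finding]) -> str:
    """Render flagged O2 entries in the CFScript shape used in this thread: a File::
    block for DLLs that still have a path and a Registry:: block deleting each BHO's
    CLSID key. O20 findings are deliberately excluded: they need a scan verdict first."""
    files, keys = [], []
    for f in findings:
        if f.kind != "O2":
            continue
        keys.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{f.ident}}}]")
        if f.path != "(no file)":
            files.append(f.path.replace(MISSING, ""))
    return ("KillAll::\n\nFile::\n" + "\n".join(files)
            + "\n\nRegistry::\n" + "\n".join(keys) + "\n")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind} {f.ident}: {f.path}\n    " + "; ".join(f.reasons))
    print(to_cfscript(found))
```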

#13
Bob Boden
    Member
  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks again for the help. Here are the logs you requested.

Best Regards,

Bob


File: hblogon.dll
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 43a6fe54123cdf49d3099fa908ea7472
Packers detected: -
Scanner results
Scan taken on 08 Jun 2008 16:47:02 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

File: 85617AB7A9.dll
Status: OK
MD5: 65b3735d50f9ecd0507319534eeac107
Packers detected: -
Scanner results
Scan taken on 08 Jun 2008 16:44:44 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

ComboFix 08-06-05.3 - Bob Boden 2008-06-08 10:03:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.606 [GMT -7:00]
Running from: C:\Documents and Settings\Bob Boden\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bob Boden\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\mlJDWppN.dll
C:\WINDOWS\system32\tuvVLDwT.dll
C:\WINDOWS\system32\xxywVpPi.dll
C:\WINDOWS\system32\yayxywUn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\yayxywUn.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-07 18:59 . 2008-06-07 18:59 <DIR> d-------- C:\Program Files\VoipBuster.com
2008-06-07 14:20 . 2008-06-07 14:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-07 14:00 . 2008-06-07 14:35 <DIR> d-------- C:\SDFix
2008-06-06 12:04 . 2008-06-06 12:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-06 12:04 . 2008-06-06 12:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-05 13:03 . 2008-06-05 13:03 <DIR> d-------- C:\Deckard
2008-06-04 14:09 . 2008-06-04 14:09 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipCheapCom
2008-06-04 14:00 . 2008-06-07 19:12 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipBuster
2008-06-03 18:25 . 2008-06-03 18:26 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 16:12 . 2008-06-03 18:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-03 16:12 . 2008-06-03 16:12 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\SUPERAntiSpyware.com
2008-06-03 16:12 . 2008-06-03 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 15:58 . 2008-06-03 15:58 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\Malwarebytes
2008-06-03 15:57 . 2008-06-03 15:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 15:57 . 2008-06-03 15:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-03 15:57 . 2008-06-03 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 15:57 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-03 15:57 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-27 10:48 . 2008-05-27 11:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-16 22:43 . 2008-06-07 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-14 19:55 . 2008-05-14 19:55 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-14 19:55 . 2008-05-14 19:59 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-05-14 19:55 . 2008-05-14 19:56 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-14 19:55 . 2008-05-14 19:56 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-14 19:55 . 2008-05-14 19:56 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-14 19:55 . 2008-05-14 19:56 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-14 18:00 . 2008-05-14 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 16:59 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-03 23:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 03:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-31 21:58 --------- d-----w C:\Program Files\Common Files\Real
2008-05-29 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 19:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 18:49 --------- d-----w C:\Program Files\QuickTime
2008-05-26 18:36 --------- d-----w C:\Documents and Settings\Bob Boden\Application Data\LimeWire
2008-05-17 05:43 --------- d-----w C:\Program Files\Google
2008-05-15 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 02:56 --------- d-----w C:\Program Files\Symantec
2008-05-05 02:24 --------- d-----w C:\Documents and Settings\Bob Boden\Application Data\Download Manager
2008-04-17 04:34 --------- d-----w C:\Program Files\netbeans-5.5.1
2008-04-14 22:39 7,168 --sha-w C:\Program Files\Thumbs.db
2008-03-10 02:25 84,757 ----a-w C:\Program Files\R6Vegas_Launcher.rar
2007-12-23 23:02 2,895,672 ----a-w C:\Program Files\gh3.zip
2007-12-23 22:48 7,636 ----a-w C:\Program Files\hatred.nfo
2007-12-23 22:48 6,989,824 ----a-w C:\Program Files\gh3.exe
2007-12-23 22:48 163,840 ----a-w C:\Program Files\hatred.exe
2007-11-03 00:48 6,781 ----a-w C:\Program Files\install.log
2007-05-30 20:11 167 ----a-w C:\Documents and Settings\Bob Boden\5359.bat
2007-05-23 00:01 167 ----a-w C:\Documents and Settings\Bob Boden\8614.bat
2007-05-19 17:30 256 ----a-w C:\Documents and Settings\Ty Boden\x.dat
2007-05-13 17:50 167 ----a-w C:\Documents and Settings\Bob Boden\5525.bat
2007-05-12 19:39 167 ----a-w C:\Documents and Settings\Bob Boden\7040.bat
2007-05-10 14:46 167 ----a-w C:\Documents and Settings\Bob Boden\6891.bat
2007-05-09 20:13 167 ----a-w C:\Documents and Settings\Bob Boden\4570.bat
2007-04-05 07:08 18,154 ----a-w C:\Program Files\ReadMe.txt
2007-02-01 06:47 28,659,712 ----a-w C:\Program Files\R6Vegas_Game.exe
2007-01-23 17:11 5 ----a-w C:\Program Files\ver.ini
2006-12-01 16:54 636,609 ----a-w C:\Program Files\Manual.pdf
2006-11-28 20:54 145 ----a-w C:\Program Files\DARE.INI
2006-11-17 03:57 208,896 ----a-w C:\Program Files\R6Vegas_Launcher.exe
2006-11-09 14:18 1,060,864 ----a-w C:\Program Files\mfc71.dll
2006-10-14 05:52 3,899,392 ----a-w C:\Program Files\wxmsw253u.dll
2006-10-14 05:52 16,896 ----a-w C:\Program Files\vorbisfile.dll
2006-10-14 05:52 126,976 ----a-w C:\Program Files\vorbis.dll
2006-10-14 05:51 864,256 ----a-w C:\Program Files\NxCooking.dll
2006-10-14 05:51 719,360 ----a-w C:\Program Files\dbghelp.dll
2006-10-14 05:51 3,842,048 ----a-w C:\Program Files\PhysXCore.dll
2006-10-14 05:51 217,088 ----a-w C:\Program Files\cgGL.dll
2006-10-14 05:51 193,024 ----a-w C:\Program Files\binkw32.dll
2006-10-14 05:51 139,264 ----a-w C:\Program Files\eax.dll
2006-10-14 05:51 11,264 ----a-w C:\Program Files\ogg.dll
2006-10-14 05:51 106,496 ----a-w C:\Program Files\PhysXLoader.dll
2006-10-14 05:51 1,683,456 ----a-w C:\Program Files\cg.dll
2007-06-03 02:29 80 --sh--r C:\WINDOWS\system32\85617AB7A9.dll
.

((((((((((((((((((((((((((((( [email protected]_11.21.08.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 18:14:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-08 17:06:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 16:25:03 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-07 21:21:24 7,024,640 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-06-07 21:21:24 491,520 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-07 16:25:03 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-07 21:21:07 7,024,640 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-06-07 21:21:07 491,520 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-14 19:57 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC3F9072-FD77-44AA-A6F0-6C726007DFE3}]
C:\WINDOWS\system32\mlJDWppN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 20:04 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-03 18:21 1506544]
"VoipBuster"="C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" [2008-01-17 15:54 8811824]
"VoipCheapCom"="C:\Program Files\VoipCheapCom\VoipCheapCom.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 16:29 7561216]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 18:47 51048]

C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 08:33:30 325632]
GameSpot Download Manager.lnk - C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe [2007-10-12 17:34:50 872448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 22:16:38 39792]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2007-07-04 14:01:13 884840]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-11-04 12:29:18 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-03 18:21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-03 18:21 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hblogon]
hblogon.dll 2007-04-23 06:52 20480 C:\WINDOWS\system32\hblogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Bob Boden^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Backup 5.7]
C:\Program Files\Novosoft\Handy Backup\hbagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=

R1 c2scsi;c2scsi;C:\WINDOWS\system32\drivers\c2scsi.sys [2006-03-04 05:00]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 21:06]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 05:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 06:12:02 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
"2008-01-21 06:12:02 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- C:\Program Files\Microsoft IntelliType Pro\itype.exe
"2008-06-08 01:14:49 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bob Boden.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 10:07:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\hblogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-08 10:12:39 - machine was rebooted [Bob Boden]
ComboFix-quarantined-files.txt 2008-06-08 17:12:35
ComboFix2.txt 2008-06-07 18:21:30

Pre-Run: 163,505,590,272 bytes free
Post-Run: 163,566,170,112 bytes free

215 --- E O F --- 2008-05-28 04:30:43


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:10 AM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {FC3F9072-FD77-44AA-A6F0-6C726007DFE3} - C:\WINDOWS\system32\mlJDWppN.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1172958902843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172969176000
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hblogon - C:\WINDOWS\SYSTEM32\hblogon.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8758 bytes

#14
fenzodahl512

  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\mlJDWppN.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC3F9072-FD77-44AA-A6F0-6C726007DFE3}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#15
Bob Boden

    Member

  • Topic Starter
  • Member
  • 12 posts
Here 'tis...


ComboFix 08-06-05.3 - Bob Boden 2008-06-08 13:41:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.592 [GMT -7:00]
Running from: C:\Documents and Settings\Bob Boden\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bob Boden\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\mlJDWppN.dll
.

((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-08 10:17 . 2008-06-08 10:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 18:59 . 2008-06-07 18:59 <DIR> d-------- C:\Program Files\VoipBuster.com
2008-06-07 14:20 . 2008-06-07 14:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-07 14:00 . 2008-06-07 14:35 <DIR> d-------- C:\SDFix
2008-06-06 12:04 . 2008-06-06 12:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-06 12:04 . 2008-06-06 12:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-05 13:03 . 2008-06-05 13:03 <DIR> d-------- C:\Deckard
2008-06-04 14:09 . 2008-06-04 14:09 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipCheapCom
2008-06-04 14:00 . 2008-06-07 19:12 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\VoipBuster
2008-06-03 18:25 . 2008-06-03 18:26 <DIR> d-------- C:\Program Files\Panda Security
2008-06-03 16:12 . 2008-06-03 18:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-03 16:12 . 2008-06-03 16:12 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\SUPERAntiSpyware.com
2008-06-03 16:12 . 2008-06-03 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-03 15:58 . 2008-06-03 15:58 <DIR> d-------- C:\Documents and Settings\Bob Boden\Application Data\Malwarebytes
2008-06-03 15:57 . 2008-06-03 15:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 15:57 . 2008-06-03 15:57 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-03 15:57 . 2008-06-03 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-03 15:57 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-03 15:57 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-27 10:48 . 2008-05-27 11:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-05-16 22:43 . 2008-06-07 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-14 19:55 . 2008-05-14 19:55 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-14 19:55 . 2008-05-14 19:59 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-05-14 19:55 . 2008-05-14 19:56 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-14 19:55 . 2008-05-14 19:56 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-14 19:55 . 2008-05-14 19:56 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-14 19:55 . 2008-05-14 19:56 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-14 18:00 . 2008-05-14 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 20:39 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-08 18:15 --------- d-----w C:\Program Files\Roxio
2008-06-03 23:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-03 03:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-31 21:58 --------- d-----w C:\Program Files\Common Files\Real
2008-05-29 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 19:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-29 18:49 --------- d-----w C:\Program Files\QuickTime
2008-05-26 18:36 --------- d-----w C:\Documents and Settings\Bob Boden\Application Data\LimeWire
2008-05-17 05:43 --------- d-----w C:\Program Files\Google
2008-05-15 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 02:56 --------- d-----w C:\Program Files\Symantec
2008-05-05 02:24 --------- d-----w C:\Documents and Settings\Bob Boden\Application Data\Download Manager
2008-04-17 04:34 --------- d-----w C:\Program Files\netbeans-5.5.1
2008-04-14 22:39 7,168 --sha-w C:\Program Files\Thumbs.db
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 04:24 49,152 ----a-w C:\WINDOWS\system32\apache.dll
2008-03-10 02:25 84,757 ----a-w C:\Program Files\R6Vegas_Launcher.rar
2007-12-23 23:02 2,895,672 ----a-w C:\Program Files\gh3.zip
2007-12-23 22:48 7,636 ----a-w C:\Program Files\hatred.nfo
2007-12-23 22:48 6,989,824 ----a-w C:\Program Files\gh3.exe
2007-12-23 22:48 163,840 ----a-w C:\Program Files\hatred.exe
2007-11-03 00:48 6,781 ----a-w C:\Program Files\install.log
2007-05-30 20:11 167 ----a-w C:\Documents and Settings\Bob Boden\5359.bat
2007-05-23 00:01 167 ----a-w C:\Documents and Settings\Bob Boden\8614.bat
2007-05-19 17:30 256 ----a-w C:\Documents and Settings\Ty Boden\x.dat
2007-05-13 17:50 167 ----a-w C:\Documents and Settings\Bob Boden\5525.bat
2007-05-12 19:39 167 ----a-w C:\Documents and Settings\Bob Boden\7040.bat
2007-05-10 14:46 167 ----a-w C:\Documents and Settings\Bob Boden\6891.bat
2007-05-09 20:13 167 ----a-w C:\Documents and Settings\Bob Boden\4570.bat
2007-04-05 07:08 18,154 ----a-w C:\Program Files\ReadMe.txt
2007-02-01 06:47 28,659,712 ----a-w C:\Program Files\R6Vegas_Game.exe
2007-01-23 17:11 5 ----a-w C:\Program Files\ver.ini
2006-12-01 16:54 636,609 ----a-w C:\Program Files\Manual.pdf
2006-11-28 20:54 145 ----a-w C:\Program Files\DARE.INI
2006-11-17 03:57 208,896 ----a-w C:\Program Files\R6Vegas_Launcher.exe
2006-11-09 14:18 1,060,864 ----a-w C:\Program Files\mfc71.dll
2006-10-14 05:52 3,899,392 ----a-w C:\Program Files\wxmsw253u.dll
2006-10-14 05:52 16,896 ----a-w C:\Program Files\vorbisfile.dll
2006-10-14 05:52 126,976 ----a-w C:\Program Files\vorbis.dll
2006-10-14 05:51 864,256 ----a-w C:\Program Files\NxCooking.dll
2006-10-14 05:51 719,360 ----a-w C:\Program Files\dbghelp.dll
2006-10-14 05:51 3,842,048 ----a-w C:\Program Files\PhysXCore.dll
2006-10-14 05:51 217,088 ----a-w C:\Program Files\cgGL.dll
2006-10-14 05:51 193,024 ----a-w C:\Program Files\binkw32.dll
2006-10-14 05:51 139,264 ----a-w C:\Program Files\eax.dll
2006-10-14 05:51 11,264 ----a-w C:\Program Files\ogg.dll
2006-10-14 05:51 106,496 ----a-w C:\Program Files\PhysXLoader.dll
2006-10-14 05:51 1,683,456 ----a-w C:\Program Files\cg.dll
2007-06-03 02:29 80 --sh--r C:\WINDOWS\system32\85617AB7A9.dll
.

((((((((((((((((((((((((((((( [email protected]_11.21.08.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 18:14:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-08 18:17:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 16:25:03 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-07 21:21:24 7,024,640 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-06-07 21:21:24 491,520 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-07 16:25:03 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-07 21:21:07 7,024,640 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-06-07 21:21:07 491,520 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-05-14 19:57 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 20:04 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-03 18:21 1506544]
"VoipBuster"="C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" [2008-01-17 15:54 8811824]
"VoipCheapCom"="C:\Program Files\VoipCheapCom\VoipCheapCom.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 16:29 7561216]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 18:47 51048]

C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 08:33:30 325632]
GameSpot Download Manager.lnk - C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe [2007-10-12 17:34:50 872448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 22:16:38 39792]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
NETGEAR WG111T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111T\wlan111t.exe [2007-07-04 14:01:13 884840]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-11-04 12:29:18 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-03 18:21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-03 18:21 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hblogon]
hblogon.dll 2007-04-23 06:52 20480 C:\WINDOWS\system32\hblogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Bob Boden^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Bob Boden\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Handy Backup 5.7]
C:\Program Files\Novosoft\Handy Backup\hbagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=

R1 c2scsi;c2scsi;C:\WINDOWS\system32\drivers\c2scsi.sys [2006-03-04 05:00]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\WG11TND5.sys [2005-09-05 11:21]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 05:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 06:12:02 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
"2008-01-21 06:12:02 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- C:\Program Files\Microsoft IntelliType Pro\itype.exe
"2008-06-08 01:14:49 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bob Boden.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 13:44:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\hblogon.dll
.
Completion time: 2008-06-08 13:45:26
ComboFix-quarantined-files.txt 2008-06-08 20:45:12
ComboFix2.txt 2008-06-08 17:12:40
ComboFix3.txt 2008-06-07 18:21:30

Pre-Run: 163,521,777,664 bytes free
Post-Run: 163,507,224,576 bytes free

197 --- E O F --- 2008-05-28 04:30:43


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:10 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1172958902843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172969176000
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: hblogon - C:\WINDOWS\SYSTEM32\hblogon.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8403 bytes