"Cool Web Search"(?) Infection on HP Laptop [RESOLVED]


  • This topic is locked

#1
nosrevia

    Member

  • 52 posts
Once again, I'd like to give the staff of geekstogo.com much kudos for all the great work you've done on this site. I first visited here when my desktop computer became infected with BraveSentry malware, and thanks to you guys, it's been virus free since '06! I've since told many others about the great work you do here. Unfortunately, I have now become infected by what I believe is called a "Cool Web Search" virus on my laptop computer.
Some of the problems occurring are that every time I open Firefox or go to a new site, several Internet Explorer windows open up, and of course, my task manager has been disabled. I hope you guys are able to help me again. Thanks in advance.

P.S. This laptop has three individual settings; mine, my mom's and Administrator. I ran this Hijack on the Administrator account during safe mode to ensure no pop-ups. Should I run it on the infected account (which is mine)?

Logfile of HijackThis v1.99.1
Scan saved at 4:53:13 AM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\01-HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\R Omar\lsass.exe
O4 - HKLM\..\Run: [{E3-30-06-69-DW}] c:\windows\system32\rwwnw64d.exe DWramFF
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ocntnkdm.exe DWramFF
O4 - HKLM\..\Run: [{2fa0b3b1-cc68-ca3a-5242-f7a2074f24c8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll" DllStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UiBPbWFy\command.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by nosrevia, 02 June 2008 - 04:44 AM.

  • 0
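An added example, not code from this thread or from HijackThis: a small Python triage pass over the entry types that turn out to matter in the log above, namely the F2 UserInit hijack, O4 Run keys (a user-profile lsass.exe, a long hex argument, a GUID-named value loading a GUID-named DLL) and O23 services with no vendor name or a missing binary. The sample lines are constructed from the posted log and the heuristics are this example's own assumptions, not HijackThis's rules.

```python
"""Triage a HijackThis v1.99 log for the entry types that mattered in this thread:
UserInit hijack (F2), suspicious Run keys (O4) and orphaned or unattributed
services (O23). Heuristics are this example's own assumptions."""
import re

# Constructed sample: a slice of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vbpdtvdp.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\R Omar\lsass.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [{2fa0b3b1-cc68-ca3a-5242-f7a2074f24c8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll" DllStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UiBPbWFy\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
"""

# Names malware borrows from core Windows processes; the real ones live in
# system32, so the same file name anywhere else deserves a look.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "services.exe", "winlogon.exe",
                        "csrss.exe", "smss.exe", "svchost.exe"}
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First executable on the command line: a drive-letter path (may contain spaces)
# or a bare token such as RUNDLL32.EXE.
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe|[^\s"]+\.exe)', re.I)
HEX_BLOB = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
GUID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
STANDARD_DIRS = ("\\program files\\", "\\windows\\system32\\")


def check_userinit(line):
    """F2: Winlogon runs every comma-separated entry; only userinit.exe belongs there."""
    value = line.split("UserInit=", 1)[1]
    return [f"extra UserInit executable: {exe}"
            for exe in (e.strip() for e in value.split(","))
            if exe and not exe.lower().endswith("\\system32\\userinit.exe")]


def check_run_entry(m):
    """O4: autostart value; returns the reasons it looks suspicious, if any."""
    hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
    low = cmd.lower()
    found = EXE_PATH.search(cmd)
    exe_path = found.group(1).lower() if found else ""
    exe = exe_path.rsplit("\\", 1)[-1]
    reasons = []
    if hive.startswith("HKLM") and "\\documents and settings\\" in low:
        reasons.append("machine-wide Run key launches a file from a user profile")
    if exe in SYSTEM_PROCESS_NAMES and "\\system32\\" not in exe_path:
        reasons.append(f"{exe} outside system32 (system-process name reuse)")
    if HEX_BLOB.search(cmd):
        reasons.append("long hex blob passed as a command-line argument")
    if GUID.fullmatch(name) and "rundll32" in low and GUID.search(cmd):
        reasons.append("GUID-named Run value loading a GUID-named DLL via rundll32")
    return reasons


def check_service(m):
    """O23: installed service; 'Unknown owner' means no company in the version info."""
    owner, path = m.group("owner"), m.group("path")
    reasons = []
    if "(file missing)" in path:
        reasons.append("service binary missing (orphaned service entry)")
    if owner == "Unknown owner":
        reasons.append("no vendor name in version info")
        if not any(d in path.lower() for d in STANDARD_DIRS):
            reasons.append("runs from outside Program Files and system32")
    return reasons


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for each line that needs a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            reasons = check_userinit(line)
        elif (m := O4_LINE.match(line)):
            reasons = check_run_entry(m)
        elif (m := O23_LINE.match(line)):
            reasons = check_service(m)
        else:
            continue
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Paste a full log into `SAMPLE_LOG` (or read a file) to run it over a real HijackThis report; the known-good HP, NVIDIA and Messenger lines in the sample stay silent.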



#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
nosrevia

    Member

  • Topic Starter
  • 52 posts
Thanks for your prompt response, Rors! Here is the SDFix report. Quick question, am I supposed to run dss.exe in Safe Mode, or not? I haven't run it yet, just in case.

SDFix: Version 1.187
Run by ? ???? on Mon 06/02/2008 at 02:29 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
cmdService
MsSecurity1.209.4
Network Monitor
MQACC

Path :
C:\WINDOWS\UiBPbWFy\command.exe
C:\WINDOWS\444.470 service
C:\Program Files\Network Monitor\netmon.exe service
System32\drivers\mqacc.sys

cmdService - Deleted
MsSecurity1.209.4 - Deleted
Network Monitor - Deleted
MQACC - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\byXPijkI.dll - Deleted
C:\WINDOWS\UiBPbWFy\asappsrv.dll - Deleted
C:\WINDOWS\UiBPbWFy\command.exe - Deleted
C:\WINDOWS\UiBPbWFy\o21jvqIV.vbs - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\vtmp2\ktnv33.log - Deleted
C:\WINDOWS\system32\vntiho18\vntiho182328.exe - Deleted
C:\WINDOWS\x.exe - Deleted
C:\WINDOWS\y.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu1188.exe - Deleted
C:\Program Files\Network Monitor\netmon.exe - Deleted
C:\Documents and Settings\R Omar\lsass.exe - Deleted
C:\Documents and Settings\R Omar\services.exe - Deleted
C:\Documents and Settings\R Omar\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
C:\Documents and Settings\R Omar\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\WINDOWS\accesss.exe - Deleted
C:\WINDOWS\astctl32.ocx - Deleted
C:\WINDOWS\avpcc.dll - Deleted
C:\WINDOWS\clrssn.exe - Deleted
C:\WINDOWS\cpan.dll - Deleted
C:\WINDOWS\ctfmon32.exe - Deleted
C:\WINDOWS\ctrlpan.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\directx32.exe - Deleted
C:\WINDOWS\dnsrelay.dll - Deleted
C:\WINDOWS\editpad.exe - Deleted
C:\WINDOWS\explore.exe - Deleted
C:\WINDOWS\explorer32.exe - Deleted
C:\WINDOWS\funniest.exe - Deleted
C:\WINDOWS\funny.exe - Deleted
C:\WINDOWS\gfmnaaa.dll - Deleted
C:\WINDOWS\helpcvs.exe - Deleted
C:\WINDOWS\iedll.exe - Deleted
C:\WINDOWS\iexplorer.exe - Deleted
C:\WINDOWS\inetinf.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\loader.exe - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msconfd.dll - Deleted
C:\WINDOWS\msspi.dll - Deleted
C:\WINDOWS\mssys.exe - Deleted
C:\WINDOWS\msupdate.exe - Deleted
C:\WINDOWS\mswsc10.dll - Deleted
C:\WINDOWS\mswsc20.dll - Deleted
C:\WINDOWS\mtwirl32.dll - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\notepad32.exe - Deleted
C:\WINDOWS\olehelp.exe - Deleted
C:\WINDOWS\qttasks.exe - Deleted
C:\WINDOWS\quicken.exe - Deleted
C:\WINDOWS\rundll16.exe - Deleted
C:\WINDOWS\rundll32.vbe - Deleted
C:\WINDOWS\searchword.dll - Deleted
C:\WINDOWS\sistem.exe - Deleted
C:\WINDOWS\svchost32.exe - Deleted
C:\WINDOWS\svcinit.exe - Deleted
C:\WINDOWS\systeem.exe - Deleted
C:\WINDOWS\systemcritical.exe - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\hljwugsf.bin - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\time.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
C:\WINDOWS\users32.exe - Deleted
C:\WINDOWS\waol.exe - Deleted
C:\WINDOWS\win32e.exe - Deleted
C:\WINDOWS\win64.exe - Deleted
C:\WINDOWS\winajbm.dll - Deleted
C:\WINDOWS\window.exe - Deleted
C:\WINDOWS\winmgnt.exe - Deleted
C:\WINDOWS\xplugin.dll - Deleted
C:\WINDOWS\xxxvideo.hta - Deleted
C:\WINDOWS\system32\drivers\MQACC.sys - Deleted



Folder C:\Program Files\Network Monitor - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\Temp\vtmp2 - Removed
Folder C:\WINDOWS\system32\vntiho18 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 14:41:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

C:\WINDOWS\rundll16.exe 18944 bytes
C:\WINDOWS\rundll32.vbe 23296 bytes
C:\WINDOWS\searchword.dll 10240 bytes
C:\WINDOWS\sistem.exe 19712 bytes
C:\WINDOWS\svchost32.exe 28928 bytes
C:\WINDOWS\svcinit.exe 28672 bytes
C:\WINDOWS\systeem.exe 16640 bytes
C:\WINDOWS\systemcritical.exe 21248 bytes
C:\WINDOWS\time.exe 30464 bytes
C:\WINDOWS\users32.exe 11008 bytes
C:\WINDOWS\waol.exe 21504 bytes
C:\WINDOWS\win32e.exe 18432 bytes
C:\WINDOWS\win64.exe 11776 bytes
C:\WINDOWS\winajbm.dll 12288 bytes
C:\WINDOWS\window.exe 9984 bytes
C:\WINDOWS\msconfd.dll 31488 bytes
C:\WINDOWS\msspi.dll 19200 bytes
C:\WINDOWS\mssys.exe 28416 bytes
C:\WINDOWS\msupdate.exe 19200 bytes
C:\WINDOWS\mswsc10.dll 24576 bytes
C:\WINDOWS\mswsc20.dll 24320 bytes
C:\WINDOWS\mtwirl32.dll 12032 bytes
C:\WINDOWS\notepad32.exe 8192 bytes
C:\WINDOWS\winmgnt.exe 19968 bytes
C:\WINDOWS\x.exe 26624 bytes
C:\WINDOWS\xplugin.dll 14336 bytes
C:\WINDOWS\xxxvideo.hta 30208 bytes
C:\WINDOWS\y.exe 12288 bytes
C:\WINDOWS\loader.exe 28672 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 29


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"

Remaining Files :

C:\WINDOWS\x.exe Found
C:\WINDOWS\y.exe Found
C:\WINDOWS\accesss.exe Found
C:\WINDOWS\astctl32.ocx Found
C:\WINDOWS\avpcc.dll Found
C:\WINDOWS\clrssn.exe Found
C:\WINDOWS\cpan.dll Found
C:\WINDOWS\ctfmon32.exe Found
C:\WINDOWS\ctrlpan.dll Found
C:\WINDOWS\default.htm Found
C:\WINDOWS\directx32.exe Found
C:\WINDOWS\dnsrelay.dll Found
C:\WINDOWS\editpad.exe Found
C:\WINDOWS\explore.exe Found
C:\WINDOWS\explorer32.exe Found
C:\WINDOWS\funniest.exe Found
C:\WINDOWS\funny.exe Found
C:\WINDOWS\gfmnaaa.dll Found
C:\WINDOWS\helpcvs.exe Found
C:\WINDOWS\iedll.exe Found
C:\WINDOWS\iexplorer.exe Found
C:\WINDOWS\inetinf.exe Found
C:\WINDOWS\internet.exe Found
C:\WINDOWS\loader.exe Found
C:\WINDOWS\msconfd.dll Found
C:\WINDOWS\msspi.dll Found
C:\WINDOWS\mssys.exe Found
C:\WINDOWS\msupdate.exe Found
C:\WINDOWS\mswsc10.dll Found
C:\WINDOWS\mswsc20.dll Found
C:\WINDOWS\mtwirl32.dll Found
C:\WINDOWS\notepad32.exe Found
C:\WINDOWS\olehelp.exe Found
C:\WINDOWS\qttasks.exe Found
C:\WINDOWS\quicken.exe Found
C:\WINDOWS\rundll16.exe Found
C:\WINDOWS\rundll32.vbe Found
C:\WINDOWS\searchword.dll Found
C:\WINDOWS\sistem.exe Found
C:\WINDOWS\svchost32.exe Found
C:\WINDOWS\svcinit.exe Found
C:\WINDOWS\systeem.exe Found
C:\WINDOWS\systemcritical.exe Found
C:\WINDOWS\time.exe Found
C:\WINDOWS\users32.exe Found
C:\WINDOWS\waol.exe Found
C:\WINDOWS\win32e.exe Found
C:\WINDOWS\win64.exe Found
C:\WINDOWS\winajbm.dll Found
C:\WINDOWS\window.exe Found
C:\WINDOWS\winmgnt.exe Found
C:\WINDOWS\xplugin.dll Found
C:\WINDOWS\xxxvideo.hta Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 15 Mar 2006 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 25 Dec 2006 22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Tue 13 Nov 2007 12,208 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 26 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

Edited by nosrevia, 02 June 2008 - 01:51 PM.

  • 0

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Leave DSS and do this instead

Run it in Normal Mode

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#5
nosrevia

    Member

  • Topic Starter
  • 52 posts
I have Windows XP Media Center Edition with Service Pack 2, but all I can find are these two:

Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install
http://www.microsoft...;displaylang=en

Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install
http://www.microsoft...;displaylang=en

What should I download?
  • 0

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Leave that and just go and run ComboFix
  • 0

#7
nosrevia

    Member

  • Topic Starter
  • 52 posts
ComboFix 08-06-01.6 - ? ???? 2008-06-03 19:41:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -5:00]
Running from: C:\Documents and Settings\? ????\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\WINDOWS\BM0a3d035a.xml
C:\WINDOWS\default.htm
C:\WINDOWS\explore.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\EgiRrqss.ini
C:\WINDOWS\system32\EgiRrqss.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmwehtdb.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\qtopafyn.dll
C:\WINDOWS\system32\rikhlpqu.dll
C:\WINDOWS\system32\uqplhkir.ini
C:\WINDOWS\system32\ycinhinf.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-02 20:04 . 2008-06-03 19:33 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-02 14:50 . 2008-06-02 14:50 <DIR> d-------- C:\Deckard
2008-06-02 14:26 . 2008-06-02 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-02 14:11 . 2008-06-02 14:43 <DIR> d-------- C:\SDFix
2008-06-02 04:26 . 2008-06-02 04:26 401,974 --a------ C:\WINDOWS\system32\g78.exe
2008-06-02 04:26 . 2008-06-02 04:26 200,773 --a------ C:\WINDOWS\system32\ocntnkdm.exe
2008-06-02 04:26 . 2008-06-02 04:34 63,918 --a------ C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll-uninst.exe
2008-06-02 04:26 . 2008-06-02 04:26 860 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-06-02 04:21 . 2008-06-02 04:21 275,456 --a------ C:\WINDOWS\system32\ssqrRigE.dll
2008-06-02 04:19 . 2008-06-02 04:19 <DIR> d-------- C:\Program Files\CCleaner
2008-06-02 04:16 . 2008-06-02 14:32 <DIR> d-------- C:\WINDOWS\UiBPbWFy
2008-06-02 04:16 . 2008-06-02 04:16 <DIR> d-------- C:\WINDOWS\system32\Vco1
2008-06-02 04:16 . 2008-06-02 04:16 <DIR> d-------- C:\WINDOWS\system32\sTMP
2008-06-02 04:16 . 2008-06-02 04:16 <DIR> d-------- C:\WINDOWS\system32\Dev3
2008-06-02 04:16 . 2008-06-02 04:16 <DIR> d-------- C:\WINDOWS\system32\a053
2008-06-02 04:16 . 2008-06-02 04:16 <DIR> d-------- C:\WINDOWS\system32\6026c
2008-06-02 04:16 . 2008-06-02 14:41 <DIR> d-------- C:\Temp
2008-06-02 04:16 . 2008-06-02 04:16 89,049 --a------ C:\WINDOWS\system32\vbpdtvdp.exe
2008-06-02 04:16 . 2008-06-02 04:16 30,728 --a------ C:\WINDOWS\444.470
2008-05-27 08:47 . 2008-05-27 08:47 371,200 --a------ C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
2008-05-24 06:25 . 2008-05-31 14:29 <DIR> d-------- C:\Program Files\FriendBlasterPro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 09:05 --------- d-----w C:\Program Files\McAfee
2008-04-28 16:13 --------- d-----w C:\Program Files\Xilisoft
2006-12-25 14:15 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2007-11-13 08:31 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{716b67e5-ea6a-75ef-167c-b802f3fd838f}]
2008-05-27 08:47 371200 --a------ C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8D419FD-FAA4-4BAF-B292-71542ECC4EA6}]
2008-06-02 04:21 275456 --a------ C:\WINDOWS\system32\ssqrRigE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 00:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 23:03 36975]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 03:00 7585792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 03:00 86016]
"nwiz"="nwiz.exe" [2006-08-18 03:00 1617920 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 19:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 00:01 761946]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 23:55 102400]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 18:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 18:30 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 13:33 163840]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 18:02 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-11-01 01:00 307200]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"{2fa0b3b1-cc68-ca3a-5242-f7a2074f24c8}"="C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll" [2008-05-27 08:47 371200]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 11:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= KORGUMDD.DRV

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 18:49]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 15:39]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\WINDOWS\system32\Drivers\KORGUMDS.SYS [2004-07-12 02:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02fe2b26-dced-11dc-a77c-001636a43ae4}]
\Shell\AutoRun\command - E:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - E:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{416e4bc3-a114-11dc-a751-001636a43ae4}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{748796b6-b5f0-11dc-a762-001636a43ae4}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{748796b7-b5f0-11dc-a762-001636a43ae4}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0aa19ea-d96a-11dc-a777-001636a43ae4}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0aa19eb-d96a-11dc-a777-001636a43ae4}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 19:46:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????<[email protected]? ??? [email protected]?????<[email protected]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-03 19:49:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 00:49:32

Pre-Run: 3,257,688,064 bytes free
Post-Run: 3,414,786,048 bytes free

176 --- E O F --- 2008-05-25 08:02:48

Edited by nosrevia, 03 June 2008 - 07:06 PM.

  • 0

#8
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\system32\ocntnkdm.exe
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
F:\Start.exe
E:\Start.exe
G:\Start.exe
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll-uninst.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\ssqrRigE.dll
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\444.470

Folder::
C:\WINDOWS\UiBPbWFy
C:\WINDOWS\system32\Vco1
C:\WINDOWS\system32\sTMP
C:\WINDOWS\system32\Dev3
C:\WINDOWS\system32\a053
C:\WINDOWS\system32\6026c

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02fe2b26-dced-11dc-a77c-001636a43ae4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{416e4bc3-a114-11dc-a751-001636a43ae4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{748796b6-b5f0-11dc-a762-001636a43ae4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{748796b7-b5f0-11dc-a762-001636a43ae4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0aa19ea-d96a-11dc-a777-001636a43ae4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0aa19eb-d96a-11dc-a777-001636a43ae4}]

Sysrst::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

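One way to check afterwards that ComboFix acted on every item in a CFScript like the one above, as an added Python example that is not part of the thread or of ComboFix itself: it parses the script's File::/Folder:: sections and compares each entry with the log's "FILE ::" echo and its "Other Deletions" block, so entries ComboFix echoed but never listed as deleted (in this thread, the Start.exe copies on drives E:, F: and G:) stand out. The CFScript and log excerpts below are constructed from this thread's own values and shortened.

```python
import re
from typing import Dict, List

# Constructed, shortened excerpt of the CFScript posted in this thread.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\system32\ssqrRigE.dll
F:\Start.exe
E:\Start.exe

Folder::
C:\WINDOWS\UiBPbWFy
C:\WINDOWS\system32\Vco1

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Sysrst::
"""

# Constructed, shortened excerpt of the ComboFix log that followed.
COMBOFIX_LOG = r"""ComboFix 08-06-01.6 - R Omar 2008-06-04 15:10:46.2 - NTFSx86
Command switches used :: C:\Documents and Settings\R Omar\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\system32\ssqrRigE.dll
E:\Start.exe
F:\Start.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\R Omar\lsass.exe
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\system32\ssqrRigE.dll
C:\WINDOWS\system32\Vco1
C:\WINDOWS\system32\Vco1\hdpars11.exe
C:\WINDOWS\UiBPbWFy

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^([A-Za-z0-9_]+)::\s*$")      # e.g. "File::", "Registry::"
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # e.g. "(((( Other Deletions ))))"


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its '<Name>::' sections (keys lower-cased); blank lines are skipped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log_blocks(text: str) -> Dict[str, List[str]]:
    """Collect the 'FILE ::' echo (ended by a lone '.') and every '(((( title ))))' block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "FILE ::":
            current = "file"
            blocks.setdefault(current, [])
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1).lower()
            blocks.setdefault(current, [])
            continue
        if line == ".":
            if current == "file":        # the echo block is closed by a lone dot
                current = None
            continue
        if line and current is not None:
            blocks[current].append(line)
    return blocks


def reconcile(cfscript: str, log: str) -> Dict[str, List[str]]:
    """For every File::/Folder:: entry, report whether the log confirms its removal.

    confirmed   - listed under "Other Deletions"
    echoed_only - echoed under "FILE ::" but not reported deleted (e.g. a drive not present)
    missing     - not mentioned by the log at all
    Paths are compared case-insensitively, as Windows does.
    """
    script = parse_cfscript(cfscript)
    blocks = parse_log_blocks(log)
    echoed = {p.lower() for p in blocks.get("file", [])}
    deleted = {p.lower() for p in blocks.get("other deletions", [])}
    result: Dict[str, List[str]] = {"confirmed": [], "echoed_only": [], "missing": []}
    for path in script.get("file", []) + script.get("folder", []):
        key = path.lower()
        if key in deleted:
            result["confirmed"].append(path)
        elif key in echoed:
            result["echoed_only"].append(path)
        else:
            result["missing"].append(path)
    return result


if __name__ == "__main__":
    for status, paths in reconcile(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{status}: {len(paths)}")
        for p in paths:
            print("   ", p)
```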

#9
nosrevia

nosrevia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
ComboFix 08-06-01.6 - R Omar 2008-06-04 15:10:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.645 [GMT -5:00]
Running from: C:\Documents and Settings\R Omar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\R Omar\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\444.470
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll-uninst.exe
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\system32\ocntnkdm.exe
C:\WINDOWS\system32\ssqrRigE.dll
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\system32\winpfz33.sys
E:\Start.exe
F:\Start.exe
G:\Start.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\R Omar\lsass.exe
C:\WINDOWS\444.470
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000019_.tmp.dll
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll-uninst.exe
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
C:\WINDOWS\system32\6026c
C:\WINDOWS\system32\6026c\wsDRV3.exe
C:\WINDOWS\system32\a053
C:\WINDOWS\system32\a053\updatdll95.exe
C:\WINDOWS\system32\Dev3
C:\WINDOWS\system32\Dev3\moolckr.exe
C:\WINDOWS\system32\EgiRrqss.ini
C:\WINDOWS\system32\EgiRrqss.ini2
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\system32\ocntnkdm.exe
C:\WINDOWS\system32\ssqrRigE.dll
C:\WINDOWS\system32\sTMP
C:\WINDOWS\system32\sTMP\lutdtx2.exe
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\system32\Vco1
C:\WINDOWS\system32\Vco1\hdpars11.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\UiBPbWFy
C:\WINDOWS\x.exe
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-02 20:04 . 2008-06-03 19:33 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-02 14:50 . 2008-06-02 14:50 <DIR> d-------- C:\Deckard
2008-06-02 14:26 . 2008-06-02 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-02 14:11 . 2008-06-02 14:43 <DIR> d-------- C:\SDFix
2008-06-02 04:19 . 2008-06-02 04:19 <DIR> d-------- C:\Program Files\CCleaner
2008-06-02 04:16 . 2008-06-02 14:41 <DIR> d-------- C:\Temp
2008-05-24 06:25 . 2008-05-31 14:29 <DIR> d-------- C:\Program Files\FriendBlasterPro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 09:05 --------- d-----w C:\Program Files\McAfee
2008-04-28 16:13 --------- d-----w C:\Program Files\Xilisoft
2006-12-25 14:15 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2007-11-13 08:31 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.49.20.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 00:45:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 20:14:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-04 00:34:09 56,124 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-04 20:12:20 56,124 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-04 00:34:09 391,638 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-04 20:12:20 391,638 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

2006-03-15 23:00 25600 C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2006-03-15 23:00 25600 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036151.dll
2006-03-15 23:00 25600 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038082.dll

C:\Documents and Settings\R Omar\lsass.exe
2008-05-17 01:40 86016 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036662.exe

C:\Documents and Settings\R Omar\services.exe
2008-06-02 04:15 15360 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036663.exe

2008-03-24 23:50 554008 C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll
2006-03-15 23:00 561179 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036064.dll

2008-06-04 15:17 510668 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
2008-05-24 09:29 510668 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP322\A0035999.dll
2008-06-04 15:10 510668 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038078.dll

2008-05-25 23:48 1777664 C:\Program Files\FriendBlasterPro\FriendBlasterPro.exe
2008-01-30 17:57 429568 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036202.exe

2006-07-29 01:22 51712 C:\Program Files\FriendBlasterPro\GetDiskSerial.dll
2006-07-29 01:22 51712 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036206.dll

2008-05-25 23:47 695578 C:\Program Files\FriendBlasterPro\unins000.exe
2008-05-24 05:35 695578 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036209.exe

2008-02-15 04:07 18432 C:\Program Files\Internet Explorer\iedw.exe
2007-12-06 05:05 18432 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036098.exe

2008-04-05 21:11 689472 C:\Program Files\McAfee\MSC\oem\108\mccobres.dll
2008-02-05 02:33 566592 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036125.dll

C:\Program Files\Network Monitor\netmon.exe
2006-01-04 18:09 94208 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036661.exe

C:\SDFix\attrib.exe
2006-03-15 23:00 11264 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036879.exe

C:\SDFix\backupreg\AppInit_DLLs.reg
2008-06-02 14:26 624 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036848.reg

C:\SDFix\backupreg\bat_shell_open.reg
2008-06-02 14:26 204 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036849.reg

C:\SDFix\backupreg\BHO.reg
2008-06-02 14:26 8844 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036850.reg

C:\SDFix\backupreg\com_shell_open.reg
2008-06-02 14:26 204 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036851.reg

C:\SDFix\backupreg\ControlPanel_Load.reg
2008-06-02 14:26 9560 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036852.reg

C:\SDFix\backupreg\Drivers32.reg
2008-06-02 14:26 3562 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036853.reg

C:\SDFix\backupreg\exe_shell_open.reg
2008-06-02 14:26 204 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036854.reg

C:\SDFix\backupreg\HKCU_SOFTWARE_Policy.reg
2008-06-02 14:26 3118 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036857.reg

C:\SDFix\backupreg\HKCU_WINDOWS_Policy.reg
2008-06-02 14:26 690 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036858.reg

C:\SDFix\backupreg\HKCURun.reg
2008-06-02 14:26 486 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036855.reg

C:\SDFix\backupreg\HKCURunServices.reg
2008-06-02 14:26 74 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036856.reg

C:\SDFix\backupreg\HKLM_SOFTWARE_Policy.reg
2008-06-02 14:26 113534 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036861.reg

C:\SDFix\backupreg\HKLM_WINDOWS_Policy.reg
2008-06-02 14:26 3156 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036862.reg

C:\SDFix\backupreg\HKLMRun.reg
2008-06-02 14:26 5804 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036859.reg

C:\SDFix\backupreg\HKLMRunServices.reg
2008-06-02 14:26 74 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036860.reg

C:\SDFix\backupreg\hta_shell_open.reg
2008-06-02 14:26 270 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036863.reg

C:\SDFix\backupreg\IEDesktop.reg
2008-06-02 14:26 4474 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036864.reg

C:\SDFix\backupreg\IEMain.reg
2008-06-02 14:26 3332 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036865.reg

C:\SDFix\backupreg\Installed_Components.reg
2008-06-02 14:26 36254 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036866.reg

C:\SDFix\backupreg\pif_shell_open.reg
2008-06-02 14:26 204 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036867.reg

C:\SDFix\backupreg\reg_shell_open.reg
2008-06-02 14:26 230 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036868.reg

C:\SDFix\backupreg\SecurityProviders.reg
2008-06-02 14:26 8002 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036869.reg

C:\SDFix\backupreg\SharedTaskScheduler.reg
2008-06-02 14:26 546 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036870.reg

C:\SDFix\backupreg\ShellServiceObjectDelayLoad.reg
2008-06-02 14:26 816 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036871.reg

C:\SDFix\backupreg\SubSystems.reg
2008-06-02 14:26 5282 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036872.reg

C:\SDFix\backupreg\txt_shell_open.reg
2008-06-02 14:26 668 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036873.reg

C:\SDFix\backupreg\Winlogon.reg
2008-06-02 14:26 29168 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036874.reg

C:\SDFix\backupreg\WinlogonNotify.reg
2008-06-02 14:26 12638 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036875.reg

C:\SDFix\backups\accesss.exe
2008-06-02 04:31 15104 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036729.exe

C:\SDFix\backups\asappsrv.dll
2005-08-02 16:46 187904 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036828.dll

C:\SDFix\backups\atmtd.dll
2008-06-02 04:16 687592 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036829.dll

C:\SDFix\backups\avpcc.dll
2008-06-02 04:31 20224 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036733.dll

C:\SDFix\backups\byXPijkI.dll
2008-06-02 04:16 69632 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036830.dll

C:\SDFix\backups\clrssn.exe
2008-06-02 04:31 12288 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036735.exe

C:\SDFix\backups\command.exe
2005-08-02 16:58 293888 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036831.exe

C:\SDFix\backups\cpan.dll
2008-06-02 04:31 25088 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036737.dll

C:\SDFix\backups\ctfmon32.exe
2008-06-02 04:31 29952 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036739.exe

C:\SDFix\backups\ctrlpan.dll
2008-06-02 04:31 10752 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036741.dll

C:\SDFix\backups\directx32.exe
2008-06-02 04:31 21504 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036743.exe

C:\SDFix\backups\dnsrelay.dll
2008-06-02 04:31 19968 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036745.dll

C:\SDFix\backups\editpad.exe
2008-06-02 04:31 32512 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036747.exe

C:\SDFix\backups\explore.exe
2008-06-02 04:31 15872 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036749.exe

C:\SDFix\backups\explorer32.exe
2008-06-02 04:31 14592 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036751.exe

C:\SDFix\backups\funniest.exe
2008-06-02 04:31 23552 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036753.exe

C:\SDFix\backups\funny.exe
2008-06-02 04:31 20480 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036755.exe

C:\SDFix\backups\gfmnaaa.dll
2008-06-02 04:31 15104 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036757.dll

C:\SDFix\backups\helpcvs.exe
2008-06-02 04:31 26112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036759.exe

C:\SDFix\backups\iedll.exe
2008-06-02 04:31 26880 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036761.exe

C:\SDFix\backups\iexplorer.exe
2008-06-02 04:31 8704 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036763.exe

C:\SDFix\backups\inetinf.exe
2008-06-02 04:31 23040 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036765.exe

C:\SDFix\backups\internet.exe
2008-06-02 04:31 26624 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036767.exe

C:\SDFix\backups\loader.exe
2008-06-02 04:31 9472 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036769.exe

C:\SDFix\backups\lsass.exe
2008-05-17 01:40 86016 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036835.exe

C:\SDFix\backups\mrofinu1000106.exe
2008-06-02 04:16 41984 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036836.exe

C:\SDFix\backups\mrofinu1188.exe
2008-06-02 04:16 41984 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036837.exe

C:\SDFix\backups\msconfd.dll
2008-06-02 04:31 17920 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036771.dll

C:\SDFix\backups\msspi.dll
2008-06-02 04:31 8704 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036773.dll

C:\SDFix\backups\mssys.exe
2008-06-02 04:31 11520 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036775.exe

C:\SDFix\backups\msupdate.exe
2008-06-02 04:31 20736 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036777.exe

C:\SDFix\backups\mswsc10.dll
2008-06-02 04:31 20224 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036779.dll

C:\SDFix\backups\mswsc20.dll
2008-06-02 04:31 25088 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036781.dll

C:\SDFix\backups\mtwirl32.dll
2008-06-02 04:31 8704 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036783.dll

C:\SDFix\backups\netmon.exe
2006-01-04 18:09 94208 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036839.exe

C:\SDFix\backups\notepad32.exe
2008-06-02 04:31 9984 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036785.exe

C:\SDFix\backups\o21jvqIV.vbs
2005-07-29 16:24 472 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036840.vbs

C:\SDFix\backups\olehelp.exe
2008-06-02 04:31 12544 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036787.exe

C:\SDFix\backups\qttasks.exe
2008-06-02 04:31 18432 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036789.exe

C:\SDFix\backups\quicken.exe
2008-06-02 04:31 19968 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036791.exe

C:\SDFix\backups\RepairRun09.reg
2008-06-02 14:28 104 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036841.reg

C:\SDFix\backups\RepairVundo.reg
2008-06-02 14:27 310 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036842.reg

C:\SDFix\backups\rundll16.exe
2008-06-02 04:31 13312 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036793.exe

C:\SDFix\backups\rwwnw64d.exe
2008-06-02 04:16 49155 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036843.exe

C:\SDFix\backups\searchword.dll
2008-06-02 04:31 13056 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036795.dll

C:\SDFix\backups\services.exe
2008-06-02 04:15 15360 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036844.exe

C:\SDFix\backups\sistem.exe
2008-06-02 04:31 8448 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036797.exe

C:\SDFix\backups\svchost32.exe
2008-06-02 04:31 17920 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036799.exe

C:\SDFix\backups\svcinit.exe
2008-06-02 04:31 30976 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036801.exe

C:\SDFix\backups\systeem.exe
2008-06-02 04:31 10240 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036803.exe

C:\SDFix\backups\systemcritical.exe
2008-06-02 04:31 30208 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036805.exe

C:\SDFix\backups\time.exe
2008-06-02 04:31 32256 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036807.exe

C:\SDFix\backups\uninstall_nmon.vbs
2006-01-03 17:45 1989 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036845.vbs

C:\SDFix\backups\users32.exe
2008-06-02 04:31 30720 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036809.exe

C:\SDFix\backups\vntiho182328.exe
2008-05-20 16:13 32768 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036846.exe

C:\SDFix\backups\waol.exe
2008-06-02 04:31 8448 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036811.exe

C:\SDFix\backups\win32e.exe
2008-06-02 04:31 22784 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036813.exe

C:\SDFix\backups\win64.exe
2008-06-02 04:31 22272 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036815.exe

C:\SDFix\backups\winajbm.dll
2008-06-02 04:31 22272 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036817.dll

C:\SDFix\backups\window.exe
2008-06-02 04:31 16896 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036819.exe

C:\SDFix\backups\winmgnt.exe
2008-06-02 04:31 29440 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036821.exe

C:\SDFix\backups\x.exe
2008-06-02 04:31 9728 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036725.exe

C:\SDFix\backups\xplugin.dll
2008-06-02 04:31 31232 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036823.dll

C:\SDFix\backups\y.exe
2008-06-02 04:31 11776 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036727.exe

C:\SDFix\dummy.exe
2008-06-01 19:12 6656 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036876.exe

C:\SDFix\find.exe
2006-03-15 23:00 9216 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036877.exe

C:\SDFix\findstr.exe
2006-03-15 23:00 27136 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036878.exe

C:\SDFix\regedit.exe
2006-03-15 23:00 146432 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036880.exe

C:\SDFix\RepairRun09.reg
2008-06-02 14:28 104 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036881.reg

C:\SDFix\RepairVundo1.reg
2008-06-02 14:27 310 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036882.reg

C:\SDFix\userinfix.reg
2008-06-02 14:30 141 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036883.reg

C:\WINDOWS\_000004_.tmp.dll
2008-02-28 11:48 11284 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036076.dll
2008-02-28 18:49 10578 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036120.dll

C:\WINDOWS\_000005_.tmp.dll
2008-03-03 02:39 11990 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036066.dll
2007-12-18 21:32 11990 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036071.dll

C:\WINDOWS\_000020_.tmp.dll
2008-03-27 23:33 15505 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036047.dll

C:\WINDOWS\_000047_.tmp.dll
2008-03-01 05:32 24290 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036082.dll

2008-06-02 14:41 8448 C:\WINDOWS\accesss.exe
2008-06-02 04:31 15104 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036666.exe
2008-06-02 14:32 22016 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036730.exe

2008-06-02 14:41 12288 C:\WINDOWS\avpcc.dll
2008-06-02 04:31 20224 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036668.dll
2008-06-02 14:32 15360 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036734.dll

2008-06-02 14:41 18688 C:\WINDOWS\clrssn.exe
2008-06-02 04:31 12288 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036669.exe
2008-06-02 14:32 20736 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036736.exe

2008-06-02 14:41 18944 C:\WINDOWS\cpan.dll
2008-06-02 04:31 25088 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036670.dll
2008-06-02 14:32 25088 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036738.dll

2008-06-02 14:41 10496 C:\WINDOWS\ctfmon32.exe
2008-06-02 04:31 29952 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036671.exe
2008-06-02 14:32 24064 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036740.exe

2008-06-02 14:41 16896 C:\WINDOWS\ctrlpan.dll
2008-06-02 04:31 10752 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036672.dll
2008-06-02 14:32 13568 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036742.dll

2008-06-02 14:41 30464 C:\WINDOWS\directx32.exe
2008-06-02 04:31 21504 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036673.exe
2008-06-02 14:32 32512 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036744.exe

2008-06-02 14:41 24832 C:\WINDOWS\dnsrelay.dll
2008-06-02 04:31 19968 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036674.dll
2008-06-02 14:32 32256 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036746.dll

2008-06-02 14:41 10240 C:\WINDOWS\editpad.exe
2008-06-02 04:31 32512 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036675.exe
2008-06-02 14:32 13824 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036748.exe

C:\WINDOWS\explore.exe
2008-06-02 04:31 15872 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036676.exe
2008-06-02 14:41 29696 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP333\A0037949.exe

2008-06-02 14:41 19968 C:\WINDOWS\explorer32.exe
2008-06-02 04:31 14592 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036677.exe
2008-06-02 14:32 23040 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036752.exe

2008-06-02 14:41 27392 C:\WINDOWS\funniest.exe
2008-06-02 04:31 23552 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036678.exe
2008-06-02 14:32 10240 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036754.exe

2008-06-02 14:41 14336 C:\WINDOWS\funny.exe
2008-06-02 04:31 20480 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036679.exe
2008-06-02 14:32 18944 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036756.exe

2008-06-02 14:41 25856 C:\WINDOWS\gfmnaaa.dll
2008-06-02 04:31 15104 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036680.dll
2008-06-02 14:32 15616 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036758.dll

2008-06-02 14:41 23296 C:\WINDOWS\helpcvs.exe
2008-06-02 04:31 26112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036681.exe
2008-06-02 14:32 28928 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036760.exe

2008-06-02 14:41 27136 C:\WINDOWS\iedll.exe
2008-06-02 04:31 26880 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036682.exe
2008-06-02 14:32 12288 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036762.exe

C:\WINDOWS\iexplorer.exe
2008-06-02 04:31 8704 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036683.exe
2008-06-02 14:41 22784 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP333\A0037950.exe

2008-06-02 14:41 18944 C:\WINDOWS\inetinf.exe
2008-06-02 04:31 23040 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036684.exe
2008-06-02 14:32 23552 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036766.exe

C:\WINDOWS\inf\_000000_.tmp.dll
2007-07-06 07:55 705 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036046.dll
2008-03-01 03:25 705 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036119.dll

2008-06-02 14:41 26880 C:\WINDOWS\internet.exe
2008-06-02 04:31 26624 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036685.exe
2008-06-02 14:32 16640 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036768.exe

C:\WINDOWS\lfn.exe
2008-06-02 04:16 89049 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP333\A0037951.exe

2008-06-02 14:41 28672 C:\WINDOWS\loader.exe
2008-06-02 04:31 9472 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036686.exe
2008-06-02 14:32 31744 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036770.exe

C:\WINDOWS\mrofinu1000106.exe
2008-06-02 04:16 41984 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036659.exe

C:\WINDOWS\mrofinu1188.exe
2008-06-02 04:16 41984 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036660.exe

2008-06-02 14:41 31488 C:\WINDOWS\msconfd.dll
2008-06-02 04:31 17920 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036687.dll
2008-06-02 14:32 18432 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036772.dll

2008-06-02 14:41 19200 C:\WINDOWS\msspi.dll
2008-06-02 04:31 8704 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036688.dll
2008-06-02 14:32 17408 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036774.dll

2008-06-02 14:41 28416 C:\WINDOWS\mssys.exe
2008-06-02 04:31 11520 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036689.exe
2008-06-02 14:32 10496 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036776.exe

2008-06-02 14:41 19200 C:\WINDOWS\msupdate.exe
2008-06-02 04:31 20736 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036690.exe
2008-06-02 14:32 28160 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036778.exe

2008-06-02 14:41 24576 C:\WINDOWS\mswsc10.dll
2008-06-02 04:31 20224 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036691.dll
2008-06-02 14:32 25344 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036780.dll

2008-06-02 14:41 24320 C:\WINDOWS\mswsc20.dll
2008-06-02 04:31 25088 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036692.dll
2008-06-02 14:32 25600 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036782.dll

2008-06-02 14:41 12032 C:\WINDOWS\mtwirl32.dll
2008-06-02 04:31 8704 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036693.dll
2008-06-02 14:32 10240 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036784.dll

2008-06-02 14:41 8192 C:\WINDOWS\notepad32.exe
2008-06-02 04:31 9984 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036694.exe
2008-06-02 14:32 24320 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036786.exe

2008-06-02 14:41 25344 C:\WINDOWS\olehelp.exe
2008-06-02 04:31 12544 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036695.exe
2008-06-02 14:32 20992 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036788.exe

2008-06-02 14:41 24576 C:\WINDOWS\qttasks.exe
2008-06-02 04:31 18432 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036696.exe
2008-06-02 14:32 20736 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036790.exe

2008-06-02 14:41 13312 C:\WINDOWS\quicken.exe
2008-06-02 04:31 19968 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036697.exe
2008-06-02 14:32 29952 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036792.exe

2008-06-02 14:41 18944 C:\WINDOWS\rundll16.exe
2008-06-02 04:31 13312 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036698.exe
2008-06-02 14:32 28672 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036794.exe

2008-06-02 14:41 10240 C:\WINDOWS\searchword.dll
2008-06-02 04:31 13056 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036699.dll
2008-06-02 14:32 17664 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036796.dll

2008-06-02 14:41 19712 C:\WINDOWS\sistem.exe
2008-06-02 04:31 8448 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036700.exe
2008-06-02 14:32 11264 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036798.exe

2008-06-02 14:41 28928 C:\WINDOWS\svchost32.exe
2008-06-02 04:31 17920 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036701.exe
2008-06-02 14:32 9472 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036800.exe

2008-06-02 14:41 28672 C:\WINDOWS\svcinit.exe
2008-06-02 04:31 30976 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036702.exe
2008-06-02 14:32 8448 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036802.exe

2008-06-02 14:41 16640 C:\WINDOWS\systeem.exe
2008-06-02 04:31 10240 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036703.exe
2008-06-02 14:32 16640 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036804.exe

C:\WINDOWS\system32\_{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
2008-05-05 11:24 330752 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036629.dll

C:\WINDOWS\system32\_000003_.tmp.dll
2006-03-15 23:00 96768 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038059.dll

C:\WINDOWS\system32\_000005_.tmp.dll
2007-03-08 08:47 1843584 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036130.dll

C:\WINDOWS\system32\_000006_.tmp.dll
2006-03-15 23:00 983552 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038060.dll

C:\WINDOWS\system32\_000007_.tmp.dll
2006-03-15 23:00 611328 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038061.dll

C:\WINDOWS\system32\_000008_.tmp.dll
2006-03-15 23:00 1835904 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038062.dll

C:\WINDOWS\system32\_000011_.tmp.dll
2006-03-15 23:00 111104 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038063.dll

C:\WINDOWS\system32\_000012_.tmp.dll
2006-03-15 23:00 132096 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038064.dll

C:\WINDOWS\system32\_000013_.tmp.dll
2006-03-15 23:00 721920 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038065.dll

C:\WINDOWS\system32\_000019_.tmp.dll
2005-04-28 22:31 37888 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038066.dll

C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll-uninst.exe
2008-06-02 04:34 63918 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038049.exe

C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
2008-05-27 08:47 371200 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038048.dll

C:\WINDOWS\system32\6026c\wsDRV3.exe
2008-05-05 11:16 127488 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038043.exe

C:\WINDOWS\system32\a053\updatdll95.exe
2008-06-01 12:13 37900 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038044.exe

C:\WINDOWS\system32\atmtd.dll
2008-06-02 04:16 687592 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036705.dll

2008-02-16 04:32 1024000 C:\WINDOWS\system32\browseui.dll
2007-12-06 19:44 1024000 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036097.dll
2007-12-06 19:44 1024000 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036136.dll

C:\WINDOWS\system32\byXPijkI.dll
2008-06-02 04:16 69632 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036652.dll

2008-02-16 04:32 151040 C:\WINDOWS\system32\cdfview.dll
2007-12-06 19:44 151040 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036096.dll

2008-02-16 04:32 1054208 C:\WINDOWS\system32\danim.dll
2007-12-06 19:44 1054208 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036095.dll

C:\WINDOWS\system32\Dev3\moolckr.exe
2008-04-22 22:49 49152 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038045.exe

2008-02-16 04:32 1024000 C:\WINDOWS\system32\dllcache\browseui.dll
2007-12-06 19:44 1024000 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036118.dll

2008-02-16 04:32 151040 C:\WINDOWS\system32\dllcache\cdfview.dll
2007-12-06 19:44 151040 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036117.dll

2008-02-16 04:32 1054208 C:\WINDOWS\system32\dllcache\danim.dll
2007-12-06 19:44 1054208 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036116.dll

2008-02-20 00:32 148992 C:\WINDOWS\system32\dllcache\dnsapi.dll
2006-06-26 12:37 148480 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036069.dll

2008-02-16 04:32 357888 C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-06 19:44 357888 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036115.dll

2008-02-16 04:32 205312 C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-12-06 19:44 205824 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036114.dll

2008-02-16 04:32 55808 C:\WINDOWS\system32\dllcache\extmgr.dll
2007-12-06 19:44 55808 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036113.dll

2008-02-20 01:51 282624 C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-19 08:31 282112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036077.dll

2008-02-15 04:07 18432 C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-06 05:05 18432 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036112.exe

2008-02-16 04:32 251904 C:\WINDOWS\system32\dllcache\iepeers.dll
2007-12-06 19:44 251904 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036111.dll

2008-02-16 04:32 96256 C:\WINDOWS\system32\dllcache\inseng.dll
2007-12-06 19:44 96256 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036110.dll

2007-12-18 09:40 450560 C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-14 02:26 450560 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036074.dll

2008-02-16 04:32 16384 C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-12-06 19:44 16384 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036109.dll

2008-02-16 04:32 3066880 C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 19:44 3066368 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036108.dll

2008-02-16 04:32 449024 C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-12-06 19:44 449024 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036107.dll

2008-02-16 04:32 146432 C:\WINDOWS\system32\dllcache\msrating.dll
2007-12-06 19:44 146432 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036106.dll

2008-02-16 04:32 532480 C:\WINDOWS\system32\dllcache\mstime.dll
2007-12-06 19:44 532480 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036105.dll

2008-02-16 04:32 39424 C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-06 19:44 39424 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036104.dll

2008-02-16 04:32 1499136 C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-12-06 19:44 1499136 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036103.dll

2008-02-16 04:32 474112 C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-12-06 19:44 474112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036102.dll

2008-02-16 04:32 618496 C:\WINDOWS\system32\dllcache\urlmon.dll
2007-12-06 19:44 617984 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036101.dll

2008-03-19 04:47 1845248 C:\WINDOWS\system32\dllcache\win32k.sys
2007-03-08 08:47 1843584 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036080.sys

2008-02-16 04:32 666112 C:\WINDOWS\system32\dllcache\wininet.dll
2007-12-06 19:44 666112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036100.dll

2008-02-20 00:32 148992 C:\WINDOWS\system32\dnsapi.dll
2006-06-26 12:37 148480 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036068.dll
2006-06-26 12:37 148480 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036127.dll

2008-02-20 00:32 45568 C:\WINDOWS\system32\dnsrslvr.dll
2006-03-15 23:00 45568 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036067.dll
2006-03-15 23:00 45568 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036126.dll

C:\WINDOWS\system32\drivers\mqacc.sys
2008-06-02 04:16 86144 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036827.sys

2008-02-16 04:32 357888 C:\WINDOWS\system32\dxtmsft.dll
2007-12-06 19:44 357888 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036094.dll

2008-02-16 04:32 205312 C:\WINDOWS\system32\dxtrans.dll
2007-12-06 19:44 205824 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036093.dll

2008-02-16 04:32 55808 C:\WINDOWS\system32\extmgr.dll
2007-12-06 19:44 55808 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036099.dll

C:\WINDOWS\system32\g78.exe
2008-06-02 04:26 401974 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038050.exe

2008-02-20 01:51 282624 C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036129.dll

2008-02-16 04:32 251904 C:\WINDOWS\system32\iepeers.dll
2007-12-06 19:44 251904 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036092.dll

2008-02-16 04:32 96256 C:\WINDOWS\system32\inseng.dll
2007-12-06 19:44 96256 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036091.dll

2007-12-18 09:40 450560 C:\WINDOWS\system32\jscript.dll
2007-11-14 02:26 450560 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036073.dll
2007-11-14 02:26 450560 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036128.dll

2008-02-16 04:32 16384 C:\WINDOWS\system32\jsproxy.dll
2007-12-06 19:44 16384 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036090.dll

C:\WINDOWS\system32\mmwehtdb.dll
2008-06-03 04:32 114688 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP333\A0037953.dll

2008-05-09 14:35 16863864 C:\WINDOWS\system32\MRT.exe
2008-03-05 08:30 19148408 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036045.exe

2008-03-24 23:50 518944 C:\WINDOWS\system32\msexch40.dll
2006-03-15 23:00 512029 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036063.dll

2008-03-24 23:50 326432 C:\WINDOWS\system32\msexcl40.dll
2006-03-15 23:00 319517 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036062.dll

2008-02-16 04:32 3066880 C:\WINDOWS\system32\mshtml.dll
2007-12-06 19:44 3066368 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036135.dll

2008-02-16 04:32 449024 C:\WINDOWS\system32\mshtmled.dll
2007-12-06 19:44 449024 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036089.dll

2008-03-24 23:50 1516568 C:\WINDOWS\system32\msjet40.dll
2006-03-15 23:00 1507356 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036061.dll

2008-03-24 23:50 355112 C:\WINDOWS\system32\msjetoledb40.dll
2006-03-15 23:00 358976 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036060.dll

2008-03-27 03:12 151583 C:\WINDOWS\system32\msjint40.dll
2006-03-15 23:00 151583 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036059.dll

2008-03-24 23:50 60192 C:\WINDOWS\system32\msjter40.dll
2006-03-15 23:00 53279 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036058.dll

2008-03-24 23:50 248608 C:\WINDOWS\system32\msjtes40.dll
2006-03-15 23:00 241693 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036057.dll

2008-03-24 23:50 219936 C:\WINDOWS\system32\msltus40.dll
2006-03-15 23:00 213023 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036056.dll

2008-03-24 23:50 355104 C:\WINDOWS\system32\mspbde40.dll
2006-03-15 23:00 348189 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036055.dll

2008-02-16 04:32 146432 C:\WINDOWS\system32\msrating.dll
2007-12-06 19:44 146432 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036088.dll

2008-03-24 23:50 432928 C:\WINDOWS\system32\msrd2x40.dll
2006-03-15 23:00 421919 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036054.dll

2008-03-24 23:50 322336 C:\WINDOWS\system32\msrd3x40.dll
2006-03-15 23:00 315423 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036053.dll

2008-03-24 23:50 559904 C:\WINDOWS\system32\msrepl40.dll
2006-03-15 23:00 552989 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036052.dll

2008-03-24 23:50 264992 C:\WINDOWS\system32\mstext40.dll
2006-03-15 23:00 258077 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036051.dll

2008-02-16 04:32 532480 C:\WINDOWS\system32\mstime.dll
2007-12-06 19:44 532480 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036087.dll

2008-03-24 23:50 838432 C:\WINDOWS\system32\mswdat10.dll
2006-03-15 23:00 831519 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036050.dll

2008-03-24 23:50 621344 C:\WINDOWS\system32\mswstr10.dll
2006-03-15 23:00 614429 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036049.dll

2008-03-24 23:50 355104 C:\WINDOWS\system32\msxbde40.dll
2006-03-15 23:00 348189 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036048.dll

C:\WINDOWS\system32\ocntnkdm.exe
2008-06-02 04:26 200773 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038051.exe

2008-02-16 04:32 39424 C:\WINDOWS\system32\pngfilt.dll
2007-12-06 19:44 39424 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036086.dll

C:\WINDOWS\system32\qtopafyn.dll
2008-06-03 04:23 103424 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP333\A0037954.dll

C:\WINDOWS\system32\rikhlpqu.dll
2008-06-03 04:26 89088 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP333\A0037955.dll

C:\WINDOWS\system32\rwwnw64d.exe
2008-06-02 04:16 49155 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036708.exe

2008-02-16 04:32 1499136 C:\WINDOWS\system32\shdocvw.dll
2007-12-06 19:44 1499136 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036134.dll

2008-02-16 04:32 474112 C:\WINDOWS\system32\shlwapi.dll
2007-12-06 19:44 474112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036085.dll
2007-12-06 19:44 474112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036133.dll

C:\WINDOWS\system32\ssqrRigE.dll
2008-06-02 04:21 275456 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038052.dll

C:\WINDOWS\system32\sTMP\lutdtx2.exe
2008-05-30 03:33 8790 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038046.exe

2008-02-16 04:32 618496 C:\WINDOWS\system32\urlmon.dll
2007-12-06 19:44 617984 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036084.dll
2007-12-06 19:44 617984 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036132.dll

C:\WINDOWS\system32\vbpdtvdp.exe
2008-06-02 04:16 89049 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038053.exe

2007-12-18 09:40 417792 C:\WINDOWS\system32\vbscript.dll
2006-03-15 23:00 417792 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036072.dll

C:\WINDOWS\system32\Vco1\hdpars11.exe
2007-08-14 16:22 25105 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038047.exe

C:\WINDOWS\system32\vntiho18\vntiho182328.exe
2008-05-20 16:13 32768 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036656.exe

2008-02-16 04:32 666112 C:\WINDOWS\system32\wininet.dll
2007-12-06 19:44 666112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036083.dll
2007-12-06 19:44 666112 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036131.dll

C:\WINDOWS\system32\winpfz33.sys
2008-06-02 04:26 860 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038054.sys

2008-02-15 04:06 351744 C:\WINDOWS\system32\xpsp3res.dll
2007-12-06 04:38 350720 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP323\A0036137.dll

C:\WINDOWS\system32\ycinhinf.exe
2008-06-03 04:35 2560 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP333\A0037956.exe

2008-06-02 14:41 21248 C:\WINDOWS\systemcritical.exe
2008-06-02 04:31 30208 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036704.exe
2008-06-02 14:32 24576 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036806.exe

2008-06-02 14:41 30464 C:\WINDOWS\time.exe
2008-06-02 04:31 32256 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036710.exe
2008-06-02 14:32 28416 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036808.exe

C:\WINDOWS\UiBPbWFy\asappsrv.dll
2005-08-02 16:46 187904 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036653.dll

C:\WINDOWS\UiBPbWFy\command.exe
2005-08-02 16:58 293888 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036654.exe

C:\WINDOWS\UiBPbWFy\o21jvqIV.vbs
2005-07-29 16:24 472 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036655.vbs

C:\WINDOWS\uninstall_nmon.vbs
2006-01-03 17:45 1989 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036711.vbs

2008-06-02 14:41 11008 C:\WINDOWS\users32.exe
2008-06-02 04:31 30720 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036712.exe
2008-06-02 14:32 13312 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036810.exe

2008-06-02 14:41 21504 C:\WINDOWS\waol.exe
2008-06-02 04:31 8448 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036713.exe
2008-06-02 14:32 8960 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036812.exe

2008-06-02 14:41 18432 C:\WINDOWS\win32e.exe
2008-06-02 04:31 22784 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036714.exe
2008-06-02 14:32 27392 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036814.exe

2008-06-02 14:41 11776 C:\WINDOWS\win64.exe
2008-06-02 04:31 22272 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036715.exe
2008-06-02 14:32 14080 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036816.exe

2008-06-02 14:41 12288 C:\WINDOWS\winajbm.dll
2008-06-02 04:31 22272 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036716.dll
2008-06-02 14:32 9216 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036818.dll

2008-06-02 14:41 9984 C:\WINDOWS\window.exe
2008-06-02 04:31 16896 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036717.exe
2008-06-02 14:32 31744 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036820.exe

2008-06-02 14:41 19968 C:\WINDOWS\winmgnt.exe
2008-06-02 04:31 29440 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036718.exe
2008-06-02 14:32 9728 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036822.exe

C:\WINDOWS\x.exe
2008-06-02 04:31 9728 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036657.exe
2008-06-02 14:41 26624 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038057.exe

2008-06-02 14:41 14336 C:\WINDOWS\xplugin.dll
2008-06-02 04:31 31232 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036719.dll
2008-06-02 14:32 26624 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036824.dll

C:\WINDOWS\y.exe
2008-06-02 04:31 11776 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP331\A0036658.exe
2008-06-02 14:41 12288 {3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP335\A0038058.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 00:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 23:03 36975]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 03:00 7585792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 03:00 86016]
"nwiz"="nwiz.exe" [2006-08-18 03:00 1617920 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 19:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 00:01 761946]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 23:55 102400]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 18:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 18:30 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 13:33 163840]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 18:02 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-11-01 01:00 307200]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"{2fa0b3b1-cc68-ca3a-5242-f7a2074f24c8}"="C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 11:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= KORGUMDD.DRV

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 18:49]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 15:39]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\WINDOWS\system32\Drivers\KORGUMDS.SYS [2004-07-12 02:05]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 15:15:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????<[email protected]? ??? [email protected]?????<[email protected]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-04 15:17:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 20:17:51
ComboFix2.txt 2008-06-04 00:49:37

Pre-Run: 3,494,912,000 bytes free
Post-Run: 3,473,518,592 bytes free

770 --- E O F --- 2008-05-25 08:02:48
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\Documents and Settings\R Omar\lsass.exe
C:\Documents and Settings\R Omar\services.exe
C:\WINDOWS\_000004_.tmp.dll
C:\WINDOWS\_000005_.tmp.dll
C:\WINDOWS\_000020_.tmp.dll
C:\WINDOWS\_000047_.tmp.dll
C:\WINDOWS\accesss.exe
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\inf\_000000_.tmp.dll
C:\WINDOWS\internet.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\_{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000019_.tmp.dll
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll-uninst.exe
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\byXPijkI.dll
C:\WINDOWS\system32\drivers\mqacc.sys
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\system32\mmwehtdb.dll
C:\WINDOWS\system32\ocntnkdm.exe
C:\WINDOWS\system32\qtopafyn.dll
C:\WINDOWS\system32\rikhlpqu.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\ssqrRigE.dll
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\ycinhinf.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\y.exe

Folder::
C:\Program Files\Network Monitor
C:\WINDOWS\UiBPbWFy
C:\WINDOWS\system32\Dev3
C:\WINDOWS\system32\a053
C:\WINDOWS\system32\6026c
C:\WINDOWS\system32\sTMP
C:\WINDOWS\system32\Vco1
C:\WINDOWS\system32\vntiho18

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log
  • 0



#11
nosrevia

nosrevia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
ComboFix 08-06-01.6 - R Omar 2008-06-04 16:47:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.701 [GMT -5:00]
Running from: C:\Documents and Settings\R Omar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\R Omar\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\R Omar\lsass.exe
C:\Documents and Settings\R Omar\services.exe
C:\WINDOWS\_000004_.tmp.dll
C:\WINDOWS\_000005_.tmp.dll
C:\WINDOWS\_000020_.tmp.dll
C:\WINDOWS\_000047_.tmp.dll
C:\WINDOWS\accesss.exe
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\inf\_000000_.tmp.dll
C:\WINDOWS\internet.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\_{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000019_.tmp.dll
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll
C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll-uninst.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\byXPijkI.dll
C:\WINDOWS\system32\drivers\mqacc.sys
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\system32\mmwehtdb.dll
C:\WINDOWS\system32\ocntnkdm.exe
C:\WINDOWS\system32\qtopafyn.dll
C:\WINDOWS\system32\rikhlpqu.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\ssqrRigE.dll
C:\WINDOWS\system32\vbpdtvdp.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\ycinhinf.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\y.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\R Omar\lsass.exe
C:\WINDOWS\accesss.exe
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\xplugin.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-02 20:04 . 2008-06-04 16:45 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-02 14:50 . 2008-06-02 14:50 <DIR> d-------- C:\Deckard
2008-06-02 14:41 . 2008-06-02 14:41 30,208 --a------ C:\WINDOWS\xxxvideo.hta
2008-06-02 14:41 . 2008-06-02 14:41 25,344 --a------ C:\WINDOWS\astctl32.ocx
2008-06-02 14:41 . 2008-06-02 14:41 23,296 --a------ C:\WINDOWS\rundll32.vbe
2008-06-02 14:26 . 2008-06-02 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-02 14:11 . 2008-06-02 14:43 <DIR> d-------- C:\SDFix
2008-06-02 04:19 . 2008-06-02 04:19 <DIR> d-------- C:\Program Files\CCleaner
2008-06-02 04:16 . 2008-06-02 14:41 <DIR> d-------- C:\Temp
2008-05-24 06:25 . 2008-05-31 14:29 <DIR> d-------- C:\Program Files\FriendBlasterPro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 09:05 --------- d-----w C:\Program Files\McAfee
2008-04-28 16:13 --------- d-----w C:\Program Files\Xilisoft
2006-12-25 14:15 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2007-11-13 08:31 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [email protected]_19.49.20.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 00:45:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 21:50:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-04 00:34:09 56,124 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-04 21:49:17 56,124 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-04 00:34:09 391,638 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-04 21:49:17 391,638 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 00:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 23:03 36975]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 03:00 7585792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 03:00 86016]
"nwiz"="nwiz.exe" [2006-08-18 03:00 1617920 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 19:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 00:01 761946]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 23:55 102400]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11 49152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 18:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 18:30 81920]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 13:33 163840]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 18:02 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-11-01 01:00 307200]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"{2fa0b3b1-cc68-ca3a-5242-f7a2074f24c8}"="C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 11:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= KORGUMDD.DRV

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 18:49]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 15:39]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\WINDOWS\system32\Drivers\KORGUMDS.SYS [2004-07-12 02:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{416e4bc3-a114-11dc-a751-001636a43ae4}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 16:50:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????<[email protected]? ??? [email protected]?????<[email protected]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-04 16:53:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 21:53:21
ComboFix2.txt 2008-06-04 20:17:55
ComboFix3.txt 2008-06-04 00:49:37

Pre-Run: 3,456,913,408 bytes free
Post-Run: 3,449,589,760 bytes free

267 --- E O F --- 2008-05-25 08:02:48
  • 0
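
The CFScript format used in post #10 and the log it produced in post #11 lend themselves to a quick consistency check before the next round. The following Python script is an added example, not code from the thread, from ComboFix or from its author: it parses the script's sections, pulls the FILE :: echo and the Other Deletions list out of the log, and reports which of the requested file deletions the log confirms. The sample script and log embedded in it are constructed subsets of the two posted above. It assumes that Other Deletions lists only what ComboFix actually removed, so an unconfirmed entry (services.exe in the sample) is one that was not on disk at run time or could not be removed, and is worth looking for again in the next log.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example for this thread, not code from ComboFix or its author. Assumption:
the log's "Other Deletions" section lists only the paths ComboFix actually
removed, so a File:: entry missing from it deserves a second look next time.
"""
import re

# Constructed sample: a subset of the CFScript from post #10 (raw string, so the
# single backslashes are exactly what the script contains on disk).
CFSCRIPT = r"""KillAll::

File::
C:\Documents and Settings\R Omar\lsass.exe
C:\Documents and Settings\R Omar\services.exe
C:\WINDOWS\accesss.exe
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\x.exe

Folder::
C:\WINDOWS\UiBPbWFy

Registry::

Driver::
"""

# Constructed sample: the matching fragments of the ComboFix log from post #11.
COMBOFIX_LOG = r"""ComboFix 08-06-01.6 - R Omar 2008-06-04 16:47:16.3 - NTFSx86

FILE ::
C:\Documents and Settings\R Omar\lsass.exe
C:\Documents and Settings\R Omar\services.exe
C:\WINDOWS\accesss.exe
C:\WINDOWS\system32\g78.exe
C:\WINDOWS\x.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\R Omar\lsass.exe
C:\WINDOWS\accesss.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # "File::", "Folder::", ...
HEADER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")   # "(((( Other Deletions ))))"


def parse_cfscript(text):
    """Return {section_name: [entries]}; empty sections map to []."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Extract the script echo ("FILE ::") and the "Other Deletions" list."""
    echoed, deletions, mode = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "FILE ::":
            mode = "echo"
            continue
        m = HEADER_RE.match(line)
        if m:  # every parenthesised banner closes the block before it
            mode = "deletions" if m.group(1) == "Other Deletions" else None
            continue
        if line == ".":  # a lone "." terminates the echo block
            if mode == "echo":
                mode = None
            continue
        if line and mode == "echo":
            echoed.append(line)
        elif line and mode == "deletions":
            deletions.append(line)
    return {"echoed_files": echoed, "other_deletions": deletions}


def reconcile(script, log):
    """Compare requested File:: deletions with what the log reports (Windows paths, so case-insensitive)."""
    requested = script.get("File", [])
    deleted = {p.lower() for p in log["other_deletions"]}
    echoed = {p.lower() for p in log["echoed_files"]}
    return {
        "confirmed": [p for p in requested if p.lower() in deleted],
        "unconfirmed": [p for p in requested if p.lower() not in deleted],
        "echo_mismatch": [p for p in requested if p.lower() not in echoed],  # wrong script was run
    }


if __name__ == "__main__":
    result = reconcile(parse_cfscript(CFSCRIPT), parse_combofix_log(COMBOFIX_LOG))
    for status, paths in result.items():
        print(f"{status}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

An empty echo_mismatch list confirms that the log came from the script that was drafted; anything in unconfirmed is what a helper would look for again in the next ComboFix or HijackThis log rather than assume gone.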

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\rundll32.vbe
F:\Start.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{416e4bc3-a114-11dc-a751-001636a43ae4}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HijackThis log
  • 0

#13
nosrevia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:13 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Documents and Settings\R Omar\lsass.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [{2fa0b3b1-cc68-ca3a-5242-f7a2074f24c8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll" DllStart
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\R Omar\lsass.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7697 bytes


Also, every time I log on, I receive this prompt:
Posted Image
How do I get rid of this? Or will it be addressed later?

Thanks again for all your help so far, Rors. :)
  • 0

#14
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
That will be gone soon enough :)

Do the steps in my previous post and do this


1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [{2fa0b3b1-cc68-ca3a-5242-f7a2074f24c8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll" DllStart
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\R Omar\lsass.exe


2. Now close all windows other than HijackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log
  • 0
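As an added example (not part of the thread, and not a tool the helper used), a small Python script that applies the same triage heuristics Rorschach112 applied to the posted HijackThis log: a core process name such as lsass.exe running from a user profile instead of system32, a Run value and its rundll32-loaded DLL both named with random GUIDs, and a URLSearchHook whose file is gone. The regexes and function names are my own; the sample lines are copied from the log above.

```python
"""Flag HijackThis O4/R3 entries worth a second look (added example)."""
import ntpath
import re

# Lines copied from the HijackThis log posted in this thread (sample input).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{2fa0b3b1-cc68-ca3a-5242-f7a2074f24c8}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{43451195-72b1-a114-59ec-29f7755ebdb3}.dll" DllStart
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\R Omar\lsass.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Process names Windows itself only ever starts from %SystemRoot%\system32.
SYSTEM_ONLY = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "svchost.exe"}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Drive-rooted paths in a command line, quoted or not (spaces allowed).
PATH_RE = re.compile(r"[a-z]:\\[^\"\n]*?\.(?:exe|dll|ocx|vbe|hta)\b", re.I)
SYS32_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32$", re.I)


def check_entry(name, cmd):
    """Return the reasons an O4 Run entry looks suspicious (empty if none)."""
    reasons = []
    if GUID_RE.match(name):
        reasons.append("Run value named with a random GUID")
    for path in PATH_RE.findall(cmd):
        base = ntpath.basename(path).lower()
        if base in SYSTEM_ONLY and not SYS32_RE.match(ntpath.dirname(path)):
            reasons.append(f"{base} launched from outside system32: {path}")
        if GUID_RE.match(ntpath.splitext(base)[0]) and "rundll32" in cmd.lower():
            reasons.append(f"rundll32 loads GUID-named DLL: {path}")
    return reasons


def analyze(log_text):
    """Scan HijackThis log text; return [(entry, reason), ...] to review."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if line.endswith("(no file)"):          # hook/BHO whose file is gone
            findings.append((" - ".join(line.split(" - ")[:2]),
                             "hook points to a missing file"))
            continue
        m = O4_RE.match(line)
        if m:
            for reason in check_entry(m["name"], m["cmd"]):
                findings.append((m["name"], reason))
    return findings


if __name__ == "__main__":
    for entry, reason in analyze(SAMPLE_LOG):
        print(f"REVIEW [{entry}]: {reason}")
```

The three flagged entries are exactly the ones the helper asked to have fixed; the benign ehTray, NvCpl and Messenger lines pass through silently.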

#15
nosrevia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:17 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7412 bytes
  • 0