Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

AntiSpyware Master pop ups [RESOLVED]

Started by coldwars , Jul 18 2008 04:11 PM

  • This topic is locked This topic is locked

#1
coldwars
Posted 18 July 2008 - 04:11 PM

coldwars

    Member

  • Member
  • PipPip
  • 28 posts
I have been receiving AntiSpyware Master pop ups. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:49 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\joal\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {3CB08BE5-753A-4551-8F57-CEF3DC726019} - C:\WINDOWS\system32\qoMeETLD.dll
O2 - BHO: {62a63fd8-138e-6909-6564-00352468e665} - {566e8642-5300-4656-9096-e8318df36a26} - C:\WINDOWS\system32\qhtrti.dll
O2 - BHO: (no name) - {5D9C274D-AD45-4EF1-9EE8-A999829FA804} - C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\I1KLM5O7\3077ahntdksr[1].dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AFB2ACA1-990D-4762-A718-BDFC8D6F8171} - C:\WINDOWS\system32\fjyjgyvy.dll (file missing)
O2 - BHO: (no name) - {EAB15366-0E81-476D-83CC-1052FDF017C8} - C:\WINDOWS\system32\nnnlKaba.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [38b32812] rundll32.exe "C:\WINDOWS\system32\pesiqgau.dll",b
O4 - HKLM\..\Run: [BM3b801b8e] Rundll32.exe "C:\WINDOWS\system32\avkapveq.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O20 - Winlogon Notify: nnnlKaba - C:\WINDOWS\SYSTEM32\nnnlKaba.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8079 bytes
  • 0

Advertisements

#2
emeraldnzl
Posted 18 July 2008 - 05:10 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello coldwars,

I am looking at your log and will be back to you in a bit.

Regards
emeraldnzl
  • 0

#3
emeraldnzl
Posted 18 July 2008 - 05:46 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello again coldwars,

Welcome to Geeks To Go.

You have a number of infections. We will need to take a multi level approach to solving your problems.

Please read this post completely, it may make it easier if you copy and paste this post to a new text document or print it for reference later. This will especially help you when your computer is off line.

It is important you carry out instructions exactly in the order they appear.

Now

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0

#4
coldwars
Posted 18 July 2008 - 06:36 PM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I ran SmitfraudFix and this is the report:

SmitFraudFix v2.329

Scan done at 20:32:41.75, Fri 07/18/2008
Run from C:\Documents and Settings\joal\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\joal


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\joal\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\joal\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G USB Network Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8932C987-853B-4952-B7F5-92BCAFF55148}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8932C987-853B-4952-B7F5-92BCAFF55148}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8932C987-853B-4952-B7F5-92BCAFF55148}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#5
emeraldnzl
Posted 19 July 2008 - 11:29 AM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello coldwars,

OK next move then.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Next

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

So when you come back please post
  • Vundofix text
  • two Deckards Scanner reports
  • 0

#6
coldwars
Posted 19 July 2008 - 12:27 PM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here is the Vundofix text:


VundoFix V7.0.6

Scan started at 2:13:38 PM 7/19/2008

Listing files found while scanning....

C:\Windows\system32\fjyjgyvy.dll
C:\Windows\system32\pxjpsjvu.dll
C:\Windows\system32\rwdpslop.dll
C:\Windows\system32\svdurfms.dll

Beginning removal...

Attempting to delete C:\Windows\system32\fjyjgyvy.dll
C:\Windows\system32\fjyjgyvy.dll Has been deleted!

Attempting to delete C:\Windows\system32\pxjpsjvu.dll
C:\Windows\system32\pxjpsjvu.dll Has been deleted!

Attempting to delete C:\Windows\system32\rwdpslop.dll
C:\Windows\system32\rwdpslop.dll Has been deleted!

Attempting to delete C:\Windows\system32\svdurfms.dll
C:\Windows\system32\svdurfms.dll Has been deleted!

Performing Repairs to the registry.
Done!





This is the main.txt from Deckards System Scanner:




Deckard's System Scanner v20071014.68
Run by joal on 2008-07-19 14:20:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
32: 2008-07-19 18:20:36 UTC - RP200 - Deckard's System Scanner Restore Point
31: 2008-07-19 02:43:09 UTC - RP199 - Removed Apple Mobile Device Support
30: 2008-07-18 23:20:42 UTC - RP198 - Restore Operation
29: 2008-07-18 21:26:18 UTC - RP197 - Last known good configuration
28: 2008-07-18 21:26:13 UTC - RP196 - System Checkpoint


-- First Restore Point --
1: 2008-07-18 21:26:05 UTC - RP169 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as joal.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:18, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\dss.exe
C:\DOCUME~1\joal\Desktop\joal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: {62a63fd8-138e-6909-6564-00352468e665} - {566e8642-5300-4656-9096-e8318df36a26} - C:\WINDOWS\system32\qhtrti.dll
O2 - BHO: (no name) - {5D9C274D-AD45-4EF1-9EE8-A999829FA804} - C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\I1KLM5O7\3077ahntdksr[1].dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AFB2ACA1-990D-4762-A718-BDFC8D6F8171} - C:\WINDOWS\system32\fjyjgyvy.dll (file missing)
O2 - BHO: (no name) - {EAB15366-0E81-476D-83CC-1052FDF017C8} - C:\WINDOWS\system32\nnnlKaba.dll
O2 - BHO: (no name) - {F153EB2D-38DA-49C6-9D48-BDA9751F726C} - C:\WINDOWS\system32\qoMeETLD.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [38b32812] rundll32.exe "C:\WINDOWS\system32\pesiqgau.dll",b
O4 - HKLM\..\Run: [BM3b801b8e] Rundll32.exe "C:\WINDOWS\system32\avkapveq.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O20 - Winlogon Notify: nnnlKaba - C:\WINDOWS\SYSTEM32\nnnlKaba.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7744 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\joal\Desktop\backups\) ----------------

backup-20080611-231030-554 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20080614-123232-993 O2 - BHO: {7668099f-a462-b1b9-53b4-4f9accd2beda} - {adeb2dcc-a9f4-4b35-9b1b-264af9908667} - C:\WINDOWS\system32\xbphhnoc.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_1002&DEV_5B60&SUBSYS_06021002&REV_00\4&1603E009&0&0008
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_1002&DEV_5B60&SUBSYS_06021002&REV_00\4&1603E009&0&0008
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller
Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1603E009&0&0108
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_1002&DEV_5B70&SUBSYS_06031002&REV_00\4&1603E009&0&0108
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&5855BE9&0&18F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&5855BE9&0&18F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-07-17 20:15:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-19 and 2008-07-19 -----------------------------

2008-07-18 22:45:38 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 20:32:55 3568 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 17:57:38 0 d-------- C:\VundoFix Backups
2008-07-18 17:30:37 78336 --a------ C:\WINDOWS\system32\pesiqgau.dll
2008-07-18 17:27:53 102912 --a------ C:\WINDOWS\system32\qhtrti.dll
2008-07-18 17:27:49 102912 --a------ C:\WINDOWS\system32\xptjkrur.dll
2008-07-18 17:27:01 91648 --a------ C:\WINDOWS\system32\avkapveq.dll
2008-07-18 17:25:54 865943 --ahs---- C:\WINDOWS\system32\DLTEeMoq.ini2
2008-07-18 17:25:42 319488 --a------ C:\WINDOWS\system32\qoMeETLD.dll
2008-07-18 17:20:40 26112 --a------ C:\WINDOWS\system32\xxyxxwWo.dll
2008-07-18 17:20:40 26112 --a------ C:\WINDOWS\system32\nnnlKaba.dll
2008-07-13 18:56:14 0 d-------- C:\Program Files\iPod
2008-07-13 18:56:11 0 d-------- C:\Program Files\iTunes
2008-07-13 18:55:57 0 d-------- C:\Program Files\Apple Software Update
2008-07-05 18:24:31 0 d-------- C:\Program Files\Windows Live Safety Center


-- Find3M Report ---------------------------------------------------------------

2008-07-19 14:21:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-19 00:41:54 0 d-------- C:\Program Files\Bonjour
2008-07-18 22:45:04 0 d-------- C:\Program Files\Common Files
2008-07-18 21:02:00 16 --a------ C:\WINDOWS\popcinfot.dat
2008-07-18 19:14:03 0 d-------- C:\Program Files\Windows Media Connect 2
2008-07-18 17:13:13 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-16 21:14:24 0 d-------- C:\Documents and Settings\joal\Application Data\LimeWire
2008-07-16 00:29:23 0 d-------- C:\Program Files\Last.fm
2008-07-13 11:37:34 0 d-------- C:\Program Files\Creative
2008-07-02 00:48:01 0 d-------- C:\Program Files\ZillaTube
2008-07-02 00:44:55 2 --ahs---- C:\Documents and Settings\joal\Application Data\evf
2008-06-20 00:47:45 0 d-------- C:\Documents and Settings\joal\Application Data\IceChat
2008-06-14 23:05:39 0 d-------- C:\Program Files\QuickTime
2008-06-14 12:53:48 0 d-------- C:\Program Files\Java
2008-06-14 12:52:34 0 d-------- C:\Program Files\Common Files\Java
2008-06-14 12:47:19 0 d-------- C:\Program Files\Viewpoint
2008-06-12 18:22:28 0 d-------- C:\Documents and Settings\joal\Application Data\U3
2008-06-11 23:26:46 0 d-------- C:\Program Files\DivX
2008-06-07 00:39:38 0 d-------- C:\Documents and Settings\joal\Application Data\DivX
2008-05-30 22:58:23 0 d-------- C:\Program Files\Symantec
2008-05-10 22:00:42 70072 --a------ C:\Documents and Settings\joal\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{566e8642-5300-4656-9096-e8318df36a26}]
07/18/2008 17:27 102912 --a------ C:\WINDOWS\system32\qhtrti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D9C274D-AD45-4EF1-9EE8-A999829FA804}]
07/18/2008 17:42 91648 --a------ C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\I1KLM5O7\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFB2ACA1-990D-4762-A718-BDFC8D6F8171}]
C:\WINDOWS\system32\fjyjgyvy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAB15366-0E81-476D-83CC-1052FDF017C8}]
07/18/2008 17:20 26112 --a------ C:\WINDOWS\system32\nnnlKaba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F153EB2D-38DA-49C6-9D48-BDA9751F726C}]
07/18/2008 17:25 319488 --a------ C:\WINDOWS\system32\qoMeETLD.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 02:59]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 18:20 C:\WINDOWS\stsystra.exe]
"PD0620 STISvc"="P0620Pin.dll" [05/10/2005 13:03 C:\WINDOWS\system32\P0620Pin.dll]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 20:51]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [02/08/2007 02:12]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [02/08/2007 02:13]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 18:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51]
"38b32812"="C:\WINDOWS\system32\pesiqgau.dll" [07/18/2008 17:30]
"BM3b801b8e"="C:\WINDOWS\system32\avkapveq.dll" [07/18/2008 17:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 16:35]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 11:37]

C:\Documents and Settings\joal\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [1/6/2008 1:24:21 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EAB15366-0E81-476D-83CC-1052FDF017C8}"= C:\WINDOWS\system32\nnnlKaba.dll [07/18/2008 17:20 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnlKaba]
nnnlKaba.dll 07/18/2008 17:20 26112 C:\WINDOWS\system32\nnnlKaba.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMeETLD

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-07-19 14:22:30 ------------





This is extra.txt:




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.66GHz
CPU 1: Intel® Pentium® D CPU 2.66GHz
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 2046.07 MiB / 1581.9 MiB
Pagefile Memory (total/avail): 3939.09 MiB / 3583.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.45 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 144.31 GiB total, 88.46 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD1600JS-75NCB3 - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 144.31 GiB - C:
\PARTITION2 - Unknown - 4.64 GiB

\\.\PHYSICALDRIVE1 - PNY USB 2.0 FD USB Device - 1961.06 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 1967.98 MiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\IceChat7\\IceChat7.exe"="C:\\Program Files\\IceChat7\\IceChat7.exe:*:Disabled:Internet Relay Chat Client"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\joal\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JOEL-A7ADC17C52
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\joal
LOGONSERVER=\\JOEL-A7ADC17C52
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\joal\LOCALS~1\Temp
TMP=C:\DOCUME~1\joal\LOCALS~1\Temp
USERDOMAIN=JOEL-A7ADC17C52
USERNAME=joal
USERPROFILE=C:\Documents and Settings\joal
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

joal (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Creative Photo Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9 /remove
Creative WebCam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5ABA5FD-EE3D-4F15-895D-B32321E6C96B}\setup.exe" -l0x9 /remove
Creative WebCam Instant Driver (1.03.02.0425) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script PD0620.uns -unsext NT -plugin P0620Pin.dll -pluginres CtCamPin.crl
Creative WebCam Instant User's Guide (English) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Creative WebCam Instant\Creative WebCam Instant User's Guide\English\CTManual.isu"
FINAL FANTASY XI for Windows - Official Benchmark Program 3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E4D0E11A-CF32-4F7A-8C06-8EC3E2DB2E92} /l1033
GearDrvs --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\joal\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IceChat 7.61 (Build 20071230) --> "C:\Program Files\IceChat7\unins000.exe"
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Last.fm 1.4.2.58376 --> "C:\Program Files\Last.fm\unins000.exe"
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Logitech Audio Echo Cancellation Component --> MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
Logitech QuickCam --> MsiExec.exe /X{7D2370AC-D8E6-4996-986A-19824F8A167C}
Logitech QuickCam Driver Package --> "C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\11.50.1145\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"lvdrivers_11.50" /clone_wait /hide_progress
Logitech Video Enumerator --> MsiExec.exe /X{EA516024-D84D-41F1-814F-83175A6188F2}
Logitech® Camera Driver --> "C:\Program Files\Common Files\LogiShrd\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007 --> MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\joal\Application Data\Move Networks\ie_bin\Uninst.exe
MPEG Encoder 3 --> C:\Program Files\ImTOO\MPEG Encoder 3\Uninstall.exe
MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_0_0_184\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Peggle Deluxe 1.01 --> C:\Program Files\PopCap Games\Peggle Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Peggle Deluxe\Install.log"
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb953463) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {1B78D541-9FF1-4330-ADD8-CED14F0C1E8E}
WebCam Instant Product Registration --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADC07715-D995-45EE-8810-0F1A733D580D}\SETUP.EXE" -l0x9 /remove
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
WinAVI Video Converter --> "C:\Program Files\WinAVI Video Converter\unins000.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
ZillaTube 3.1 --> C:\Program Files\ZillaTube\uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3992 / Success
Event Submitted/Written: 07/19/2008 01:18:19 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3965 / Error
Event Submitted/Written: 07/19/2008 00:22:15 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126637809.

Event Record #/Type3964 / Error
Event Submitted/Written: 07/19/2008 00:22:12 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3953 / Success
Event Submitted/Written: 07/18/2008 09:12:08 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3900 / Error
Event Submitted/Written: 07/18/2008 04:10:24 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aim.exe, version 5.9.6089.0, faulting module unknown, version 0.0.0.0, fault address 0x1221254f.
Processing media-specific event for [aim.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type19879 / Error
Event Submitted/Written: 07/19/2008 01:13:18 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SRTSPL service failed to start due to the following error:
%%31

Event Record #/Type19878 / Error
Event Submitted/Written: 07/19/2008 01:13:17 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SRTSP service failed to start due to the following error:
%%31

Event Record #/Type19877 / Error
Event Submitted/Written: 07/19/2008 01:13:17 PM
Event ID/Source: 20 / SRTSPL
Event Description:
Unable to initialize the virus scanning engine database files.

Event Record #/Type19876 / Error
Event Submitted/Written: 07/19/2008 01:13:17 PM
Event ID/Source: 5 / SRTSP
Event Description:
Error loading Symantec real time Anti-Virus driver.

Event Record #/Type19875 / Error
Event Submitted/Written: 07/19/2008 01:13:17 PM
Event ID/Source: 4 / SRTSP
Event Description:
Error loading virus definitions.



-- End of Deckard's System Scanner: finished at 2008-07-19 14:22:30 ------------
  • 0

#7
coldwars
Posted 19 July 2008 - 08:32 PM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I don't know if this helps but also when I run Spybot -Search and Destroy it says I have Virtumonde despite "fixing the problem." Each time I run it it still says I have been afflicted with Virtumonde
  • 0

#8
emeraldnzl
Posted 20 July 2008 - 04:27 AM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello again coldwars,

Well we seem to be on to it now. :)

Before we go further we need to disable Windows Firewall

How to Disable Windows Firewall in Windows XP SP2

1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click Off (not recommended), and then click OK.

Now

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: {62a63fd8-138e-6909-6564-00352468e665} - {566e8642-5300-4656-9096-e8318df36a26} - C:\WINDOWS\system32\qhtrti.dll
O2 - BHO: (no name) - {5D9C274D-AD45-4EF1-9EE8-A999829FA804} - C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\I1KLM5O7\3077ahntdksr[1].dll
O2 - BHO: (no name) - {AFB2ACA1-990D-4762-A718-BDFC8D6F8171} - C:\WINDOWS\system32\fjyjgyvy.dll (file missing)
O2 - BHO: (no name) - {EAB15366-0E81-476D-83CC-1052FDF017C8} - C:\WINDOWS\system32\nnnlKaba.dll
O2 - BHO: (no name) - {F153EB2D-38DA-49C6-9D48-BDA9751F726C} - C:\WINDOWS\system32\qoMeETLD.dll
O4 - HKLM\..\Run: [38b32812] rundll32.exe "C:\WINDOWS\system32\pesiqgau.dll",b
O4 - HKLM\..\Run: [BM3b801b8e] Rundll32.exe "C:\WINDOWS\system32\avkapveq.dll",s
O20 - Winlogon Notify: nnnlKaba - C:\WINDOWS\SYSTEM32\nnnlKaba.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Next

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\WINDOWS\system32\xbphhnoc.dll
C:\WINDOWS\system32\pesiqgau.dll
C:\WINDOWS\system32\qhtrti.dll
C:\WINDOWS\system32\xptjkrur.dll
C:\WINDOWS\system32\avkapveq.dll
C:\WINDOWS\system32\DLTEeMoq.ini2
C:\WINDOWS\system32\qoMeETLD.dll
C:\WINDOWS\system32\xxyxxwWo.dll
C:\WINDOWS\system32\nnnlKaba.dll
C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\I1KLM5O7\3077ahntdksr[1].dll
C:\WINDOWS\system32\fjyjgyvy.dll
C:\WINDOWS\system32\nnnlKaba.dll
C:\WINDOWS\system32\qoMeETLD.dll
C:\WINDOWS\system32\pesiqgau.dll
C:\WINDOWS\system32\avkapveq.dll
purity
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

-----Step 3-----

Run Deckards System Scanner again.

This time there will only be one log.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open Notepad .txt please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents in your next reply.

So when you come back please post
  • OTMoveIt2 report
  • DSS report
  • 0

#9
coldwars
Posted 20 July 2008 - 11:20 AM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I'm not sure it worked because recently I received a pop-up for an Antivirus 2009 offering to scan the computer. Also received an ad for a SystemErrorFixer

OTMoveIt2 report:

Explorer killed successfully
File/Folder C:\WINDOWS\system32\xbphhnoc.dll not found.
File/Folder C:\WINDOWS\system32\pesiqgau.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qhtrti.dll
C:\WINDOWS\system32\qhtrti.dll NOT unregistered.
C:\WINDOWS\system32\qhtrti.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xptjkrur.dll
C:\WINDOWS\system32\xptjkrur.dll NOT unregistered.
C:\WINDOWS\system32\xptjkrur.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\avkapveq.dll
C:\WINDOWS\system32\avkapveq.dll NOT unregistered.
C:\WINDOWS\system32\avkapveq.dll moved successfully.
C:\WINDOWS\system32\DLTEeMoq.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qoMeETLD.dll
C:\WINDOWS\system32\qoMeETLD.dll NOT unregistered.
C:\WINDOWS\system32\qoMeETLD.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\xxyxxwWo.dll
C:\WINDOWS\system32\xxyxxwWo.dll NOT unregistered.
C:\WINDOWS\system32\xxyxxwWo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nnnlKaba.dll
C:\WINDOWS\system32\nnnlKaba.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\nnnlKaba.dll scheduled to be moved on reboot.
< C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\I1KLM5O7\3077ahntdksr[1].dll >
File/Folder C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\I1KLM5O7\3077ahntdksr[1].dll not found.
File/Folder C:\WINDOWS\system32\fjyjgyvy.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nnnlKaba.dll
C:\WINDOWS\system32\nnnlKaba.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\nnnlKaba.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\qoMeETLD.dll not found.
File/Folder C:\WINDOWS\system32\pesiqgau.dll not found.
File/Folder C:\WINDOWS\system32\avkapveq.dll not found.
< purity >
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\JET95CF.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET965B.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07202008_130901

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nnnlKaba.dll
C:\WINDOWS\system32\nnnlKaba.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\nnnlKaba.dll scheduled to be moved on reboot.
File C:\WINDOWS\temp\JET95CF.tmp not found!
File C:\WINDOWS\temp\JET965B.tmp not found!


DSS report:

Deckard's System Scanner v20071014.68
Run by joal on 2008-07-20 13:15:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as joal.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15:22, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\joal\Desktop\dss.exe
C:\DOCUME~1\joal\Desktop\joal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D2643EF3-ECBB-42BC-A6C6-C7E9E1E93C46} - C:\WINDOWS\system32\qoMeETLD.dll (file missing)
O2 - BHO: (no name) - {EAB15366-0E81-476D-83CC-1052FDF017C8} - C:\WINDOWS\system32\nnnlKaba.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM3b801b8e] Rundll32.exe "C:\WINDOWS\system32\wcomqwqo.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O20 - Winlogon Notify: nnnlKaba - C:\WINDOWS\SYSTEM32\nnnlKaba.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7200 bytes

-- Files created between 2008-06-20 and 2008-07-20 -----------------------------

2008-07-19 22:29:33 102912 --a------ C:\WINDOWS\system32\kcetywfo.dll
2008-07-19 17:32:34 78336 --a------ C:\WINDOWS\system32\ekxkimkh.dll
2008-07-19 17:29:30 91136 --a------ C:\WINDOWS\system32\wcomqwqo.dll
2008-07-18 22:45:38 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 20:32:55 3568 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 17:57:38 0 d-------- C:\VundoFix Backups
2008-07-18 17:20:40 26112 --a------ C:\WINDOWS\system32\nnnlKaba.dll
2008-07-13 18:56:14 0 d-------- C:\Program Files\iPod
2008-07-13 18:56:11 0 d-------- C:\Program Files\iTunes
2008-07-13 18:55:57 0 d-------- C:\Program Files\Apple Software Update
2008-07-05 18:24:31 0 d-------- C:\Program Files\Windows Live Safety Center


-- Find3M Report ---------------------------------------------------------------

2008-07-19 14:21:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-19 00:41:54 0 d-------- C:\Program Files\Bonjour
2008-07-18 22:45:04 0 d-------- C:\Program Files\Common Files
2008-07-18 21:02:00 16 --a------ C:\WINDOWS\popcinfot.dat
2008-07-18 19:14:03 0 d-------- C:\Program Files\Windows Media Connect 2
2008-07-18 17:13:13 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-16 21:14:24 0 d-------- C:\Documents and Settings\joal\Application Data\LimeWire
2008-07-16 00:29:23 0 d-------- C:\Program Files\Last.fm
2008-07-13 11:37:34 0 d-------- C:\Program Files\Creative
2008-07-02 00:48:01 0 d-------- C:\Program Files\ZillaTube
2008-07-02 00:44:55 2 --ahs---- C:\Documents and Settings\joal\Application Data\evf
2008-06-20 00:47:45 0 d-------- C:\Documents and Settings\joal\Application Data\IceChat
2008-06-14 23:05:39 0 d-------- C:\Program Files\QuickTime
2008-06-14 12:53:48 0 d-------- C:\Program Files\Java
2008-06-14 12:52:34 0 d-------- C:\Program Files\Common Files\Java
2008-06-14 12:47:19 0 d-------- C:\Program Files\Viewpoint
2008-06-12 18:22:28 0 d-------- C:\Documents and Settings\joal\Application Data\U3
2008-06-11 23:26:46 0 d-------- C:\Program Files\DivX
2008-06-07 00:39:38 0 d-------- C:\Documents and Settings\joal\Application Data\DivX
2008-05-30 22:58:23 0 d-------- C:\Program Files\Symantec
2008-05-10 22:00:42 70072 --a------ C:\Documents and Settings\joal\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2643EF3-ECBB-42BC-A6C6-C7E9E1E93C46}]
C:\WINDOWS\system32\qoMeETLD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAB15366-0E81-476D-83CC-1052FDF017C8}]
07/18/2008 17:20 26112 --a------ C:\WINDOWS\system32\nnnlKaba.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 02:59]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 18:20 C:\WINDOWS\stsystra.exe]
"PD0620 STISvc"="P0620Pin.dll" [05/10/2005 13:03 C:\WINDOWS\system32\P0620Pin.dll]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 20:51]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [02/08/2007 02:12]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [02/08/2007 02:13]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 18:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51]
"BM3b801b8e"="C:\WINDOWS\system32\wcomqwqo.dll" [07/19/2008 17:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 16:35]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [03/01/2007 11:37]

C:\Documents and Settings\joal\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [1/6/2008 1:24:21 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EAB15366-0E81-476D-83CC-1052FDF017C8}"= C:\WINDOWS\system32\nnnlKaba.dll [07/18/2008 17:20 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnlKaba]
nnnlKaba.dll 07/18/2008 17:20 26112 C:\WINDOWS\system32\nnnlKaba.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMeETLD

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-07-20 13:15:54 ------------

Edited by coldwars, 20 July 2008 - 04:41 PM.

  • 0

#10
emeraldnzl
Posted 20 July 2008 - 05:11 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello coldwars,

Nope you are right. We didn't get everything.

As I mentioned at the start it is going take a multi level approach to deal with this. :)

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix.

Included in the tutorial are instructions for the installation of a recovery program if you don't already have it - Windows XP Recovery Console.

Once you have completed installation of the the Recovery Console and run ComboFix please post the log back here along with a new HijackThis log.
  • 0

Advertisements

#11
coldwars
Posted 21 July 2008 - 01:02 AM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here is the ComboFix log:

ComboFix 08-07-20.4 - joal 2008-07-21 1:57:27.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1636 [GMT -4:00]
Running from: C:\Documents and Settings\joal\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM3b801b8e.xml
.
---- Previous Run -------
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 13:09 . 2008-07-20 13:09 <DIR> d-------- C:\_OTMoveIt
2008-07-19 14:20 . 2008-07-19 14:20 <DIR> d-------- C:\Deckard
2008-07-18 22:45 . 2008-07-19 13:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 20:32 . 2008-07-18 20:32 3,568 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 17:57 . 2008-07-19 14:13 <DIR> d-------- C:\VundoFix Backups
2008-07-18 17:25 . 2008-07-20 13:05 1,304 --ahs---- C:\WINDOWS\system32\DLTEeMoq.ini
2008-07-13 18:56 . 2008-07-16 00:29 <DIR> d-------- C:\Program Files\iTunes
2008-07-13 18:56 . 2008-07-13 18:56 <DIR> d-------- C:\Program Files\iPod
2008-07-13 18:55 . 2008-07-13 18:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-05 18:24 . 2008-07-05 18:27 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 06:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-21 05:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-19 04:41 --------- d-----w C:\Program Files\Bonjour
2008-07-18 23:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-17 01:14 --------- d-----w C:\Documents and Settings\joal\Application Data\LimeWire
2008-07-16 04:29 --------- d-----w C:\Program Files\Last.fm
2008-07-13 15:37 --------- d-----w C:\Program Files\Creative
2008-07-09 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-02 04:48 --------- d-----w C:\Program Files\ZillaTube
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 04:47 --------- d-----w C:\Documents and Settings\joal\Application Data\IceChat
2008-06-15 03:05 --------- d-----w C:\Program Files\QuickTime
2008-06-14 16:53 --------- d-----w C:\Program Files\Java
2008-06-14 16:52 --------- d-----w C:\Program Files\Common Files\Java
2008-06-14 16:47 --------- d-----w C:\Program Files\Viewpoint
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:22 --------- d-----w C:\Documents and Settings\joal\Application Data\U3
2008-06-12 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 03:26 --------- d-----w C:\Program Files\DivX
2008-06-07 04:39 --------- d-----w C:\Documents and Settings\joal\Application Data\DivX
2008-05-31 02:58 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 02:58 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 02:58 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 02:58 --------- d-----w C:\Program Files\Symantec
2008-05-11 02:00 70,072 ----a-w C:\Documents and Settings\joal\Application Data\GDIPFONTCACHEV1.DAT
.
<pre>
----a-w	   100,189,297 2008-06-02 17:34:44  C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip																													   .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 11:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 02:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 02:12 488984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 02:13 774168]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\joal\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 13:24:21 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\IceChat7\\IceChat7.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 00:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{0a0ff996-a119-4e9f-84cb-1f28a966d96a} - C:\WINDOWS\system32\iljpfz.dll
BHO-{58838984-4B73-41A4-83A9-636DBC6EBF6A} - C:\WINDOWS\system32\ddcBUkhf.dll
ShellExecuteHooks-{EAB15366-0E81-476D-83CC-1052FDF017C8} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.myspace.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 02:49:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-07-21 2:54:12 - machine was rebooted [joal]
ComboFix-quarantined-files.txt 2008-07-21 06:54:08
ComboFix2.txt 2008-06-13 21:31:14

Pre-Run: 95,593,385,984 bytes free
Post-Run: 95,604,473,856 bytes free

148 --- E O F --- 2008-07-13 15:40:07



And here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:00:20, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\joal\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6678 bytes
  • 0

#12
emeraldnzl
Posted 21 July 2008 - 05:09 AM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello again coldwars,

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

RenV::
----a-w 100,189,297 2008-06-02 17:34:44 C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip .exe

File::
C:\WINDOWS\system32\DLTEeMoq.ini

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After that reboot.

Next

Kaspersky only works if you are using Internet Explorer.

Please do an online scan with Kaspersky WebScanner.

Click on the Kaspersky Online Scanner button. A box will come up, click Accept, this will allow it to install an ActiveX component and download its latest anti-virus database. (Note: It may take a couple of minutes)
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    * Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    * Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post.

So when you come back post
  • Combofix.txt
  • Kaspersky scan results
  • A new HijackThis log
  • 0

#13
coldwars
Posted 21 July 2008 - 02:23 PM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Even before ComboFix the clock settings have been in the 24 hour mode and I can't get it back the way it was. Could it be the virus?

ComboFix log:

ComboFix 08-07-20.4 - joal 2008-07-21 12:31:39.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1667 [GMT -4:00]
Running from: C:\Documents and Settings\joal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\joal\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\DLTEeMoq.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\DLTEeMoq.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 13:09 . 2008-07-20 13:09 <DIR> d-------- C:\_OTMoveIt
2008-07-19 14:20 . 2008-07-19 14:20 <DIR> d-------- C:\Deckard
2008-07-18 22:45 . 2008-07-19 13:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 20:32 . 2008-07-18 20:32 3,568 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 17:57 . 2008-07-19 14:13 <DIR> d-------- C:\VundoFix Backups
2008-07-13 18:56 . 2008-07-16 00:29 <DIR> d-------- C:\Program Files\iTunes
2008-07-13 18:56 . 2008-07-13 18:56 <DIR> d-------- C:\Program Files\iPod
2008-07-13 18:55 . 2008-07-13 18:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-05 18:24 . 2008-07-05 18:27 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 16:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-21 16:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-19 04:41 --------- d-----w C:\Program Files\Bonjour
2008-07-18 23:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-17 01:14 --------- d-----w C:\Documents and Settings\joal\Application Data\LimeWire
2008-07-16 04:29 --------- d-----w C:\Program Files\Last.fm
2008-07-13 15:37 --------- d-----w C:\Program Files\Creative
2008-07-09 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-02 04:48 --------- d-----w C:\Program Files\ZillaTube
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 04:47 --------- d-----w C:\Documents and Settings\joal\Application Data\IceChat
2008-06-15 03:05 --------- d-----w C:\Program Files\QuickTime
2008-06-14 16:53 --------- d-----w C:\Program Files\Java
2008-06-14 16:52 --------- d-----w C:\Program Files\Common Files\Java
2008-06-14 16:47 --------- d-----w C:\Program Files\Viewpoint
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:22 --------- d-----w C:\Documents and Settings\joal\Application Data\U3
2008-06-12 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 03:26 --------- d-----w C:\Program Files\DivX
2008-06-07 04:39 --------- d-----w C:\Documents and Settings\joal\Application Data\DivX
2008-05-31 02:58 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 02:58 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 02:58 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 02:58 --------- d-----w C:\Program Files\Symantec
2008-05-11 02:00 70,072 ----a-w C:\Documents and Settings\joal\Application Data\GDIPFONTCACHEV1.DAT
.
<pre>
----a-w	   100,189,297 2008-06-02 17:34:44  C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip																													   .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-07-21_ 2.53.50.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 20:52:52 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-21 06:57:42 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-29 20:52:52 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-21 06:57:42 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 11:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 02:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 02:12 488984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 02:13 774168]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\joal\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 13:24:21 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\IceChat7\\IceChat7.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 00:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 12:35:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-21 12:41:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 16:41:45
ComboFix2.txt 2008-07-21 06:54:14
ComboFix3.txt 2008-06-13 21:31:14

Pre-Run: 95,509,848,064 bytes free
Post-Run: 95,548,379,136 bytes free

144 --- E O F --- 2008-07-13 15:40:07


Kaspersky scan results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 21, 2008 16:19:28
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/07/2008
Kaspersky Anti-Virus database records: 981105
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 62706
Number of viruses found: 8
Number of infected objects: 74
Number of suspicious objects: 0
Duration of the scan process: 00:45:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\joal\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080614-123232-993.dll Infected: Trojan.Win32.Monder.qf skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-338.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-446.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-524.dll Infected: Rootkit.Win32.Podnuha.zn skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-936.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080720-130346-978.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Documents and Settings\joal\Desktop\backups\backup-20080721-015408-814.dll Infected: Rootkit.Win32.Podnuha.zn skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix\IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix.exe/SmitfraudFix/IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix.exe/SmitfraudFix/IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\joal\Desktop\SmitfraudFix.exe RAR: infected - 3 skipped
C:\Documents and Settings\joal\Local Settings\Application Data\Last.fm\Client\LastFmHelper.log Object is locked skipped
C:\Documents and Settings\joal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\joal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\joal\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\joal\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip/Lil Wayne - Tha Carter III Special Edition [2008] [RAP]/Lil Wayne - Tha Carter III.zip .exe/data0002 Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip/Lil Wayne - Tha Carter III Special Edition [2008] [RAP]/Lil Wayne - Tha Carter III.zip .exe Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\joal\My Documents\My Music\iTunes\iTunes Music\Lil Wayne - Tha Carter III Special Edition [2008] [RAP].zip ZIP: infected - 2 skipped
C:\Documents and Settings\joal\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\joal\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\arllpxyn.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bewnlmnx.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcBUkhf.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ekxkimkh.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fpktnwed.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\frygbdce.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iljpfz.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ipxiaygs.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jwkrrwka.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kcetywfo.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mixxpwji.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnlKaba.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ppfkprgh.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ukrfmurr.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uvturksg.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vrccofvv.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wcomqwqo.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ypsgqyfs.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP196\A0125811.exe Infected: Trojan.Win32.Obfuscated.muy skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP197\A0126782.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP197\A0126783.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP197\A0126784.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP197\A0126785.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP200\A0127979.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP200\A0127998.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP200\A0127999.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe/SmitfraudFix/IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe/SmitfraudFix/IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP201\A0128070.exe RAR: infected - 3 skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128111.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128112.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128113.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128114.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128115.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128116.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128117.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128118.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128119.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128120.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128121.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128122.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128123.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128124.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128125.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128126.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128127.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP202\A0128128.dll Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\System Volume Information\_restore{5AFB35E4-54CF-42C3-A69B-0E5374F54C31}\RP204\change.log Object is locked skipped
C:\VundoFix Backups\fjyjgyvy.dll.bad Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\VundoFix Backups\pxjpsjvu.dll.bad Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\VundoFix Backups\rwdpslop.dll.bad Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\VundoFix Backups\svdurfms.dll.bad Infected: not-a-virus:AdWare.Win32.BHO.cbd skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F92A8C99-F91D-475E-BF99-C1BFDEA100BD}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\JET1339.tmp Object is locked skipped
C:\WINDOWS\temp\JET1387.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\avkapveq.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\qhtrti.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\qoMeETLD.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\xptjkrur.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\_OTMoveIt\MovedFiles\07202008_130901\WINDOWS\system32\xxyxxwWo.dll Infected: Trojan.Win32.Monderc.gen skipped

Scan process completed.

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:21:48, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\joal\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx...owserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6602 bytes

Edited by coldwars, 21 July 2008 - 03:25 PM.

  • 0

#14
emeraldnzl
Posted 21 July 2008 - 06:40 PM

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello again coldwars,

Don't worry about the clock settings. We will deal with them later. :)

Things are looking much better, we are making progress. :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. When finished, it will produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Next

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

When you come back post
  • Combofix text
  • Malwarebytes report
  • and tell me how your computer is running now.
  • 0

#15
coldwars
Posted 21 July 2008 - 11:23 PM

coldwars

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I ran ComboFix and while it was preparing the log the whole computer turned blue saying it encountered a problem with the following fyle: catchme.sys

When I check in C:\ there is no ComboFix log. I will continue to try to run it.

Edit:

Well it worked when I ran ComboFix the second time however it said something about being unable to delete something. I'm not quite sure what it said because I didn't reach the computer on time and it began creating the log.

Here is the ComboFix Log:

ComboFix 08-07-20.4 - joal 2008-07-22 1:27:11.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1669 [GMT -4:00]
Running from: C:\Documents and Settings\joal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\joal\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip
.

((((((((((((((((((((((((( Files Created from 2008-06-22 to 2008-07-22 )))))))))))))))))))))))))))))))
.

2008-07-21 12:46 . 2008-07-21 12:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-21 12:46 . 2008-07-21 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-20 13:09 . 2008-07-20 13:09 <DIR> d-------- C:\_OTMoveIt
2008-07-19 14:20 . 2008-07-19 14:20 <DIR> d-------- C:\Deckard
2008-07-18 22:45 . 2008-07-19 13:08 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 20:32 . 2008-07-18 20:32 3,568 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-18 17:57 . 2008-07-19 14:13 <DIR> d-------- C:\VundoFix Backups
2008-07-13 18:56 . 2008-07-16 00:29 <DIR> d-------- C:\Program Files\iTunes
2008-07-13 18:56 . 2008-07-13 18:56 <DIR> d-------- C:\Program Files\iPod
2008-07-13 18:55 . 2008-07-13 18:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-05 18:24 . 2008-07-05 18:27 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-22 05:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-19 04:41 --------- d-----w C:\Program Files\Bonjour
2008-07-18 23:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-17 01:14 --------- d-----w C:\Documents and Settings\joal\Application Data\LimeWire
2008-07-16 04:29 --------- d-----w C:\Program Files\Last.fm
2008-07-13 15:37 --------- d-----w C:\Program Files\Creative
2008-07-09 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-02 04:48 --------- d-----w C:\Program Files\ZillaTube
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 04:47 --------- d-----w C:\Documents and Settings\joal\Application Data\IceChat
2008-06-15 03:05 --------- d-----w C:\Program Files\QuickTime
2008-06-14 16:53 --------- d-----w C:\Program Files\Java
2008-06-14 16:52 --------- d-----w C:\Program Files\Common Files\Java
2008-06-14 16:47 --------- d-----w C:\Program Files\Viewpoint
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 22:22 --------- d-----w C:\Documents and Settings\joal\Application Data\U3
2008-06-12 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 03:26 --------- d-----w C:\Program Files\DivX
2008-06-07 04:39 --------- d-----w C:\Documents and Settings\joal\Application Data\DivX
2008-05-31 02:58 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 02:58 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 02:58 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 02:58 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 02:58 --------- d-----w C:\Program Files\Symantec
2008-05-22 22:22 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-05-22 22:22 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-22 22:22 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-11 02:00 70,072 ----a-w C:\Documents and Settings\joal\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.
<pre>
----a-w	   100,189,297 2008-06-02 17:34:44  C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip																													   .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-07-21_ 2.53.50.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-04-29 20:52:52 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-21 06:57:42 40,836 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-29 20:52:52 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-21 06:57:42 314,508 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 11:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 02:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 02:12 488984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 02:13 774168]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\joal\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 13:24:21 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\IceChat7\\IceChat7.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 00:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 01:40:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-22 1:50:47
ComboFix-quarantined-files.txt 2008-07-22 05:50:11
ComboFix2.txt 2008-07-21 16:41:53
ComboFix3.txt 2008-07-21 06:54:14
ComboFix4.txt 2008-06-13 21:31:14

Pre-Run: 95,559,053,312 bytes free
Post-Run: 95,565,660,160 bytes free

141 --- E O F --- 2008-07-13 15:40:07


Malwarebytes report:

Malwarebytes' Anti-Malware 1.22
Database version: 977
Windows 5.1.2600 Service Pack 2

2:04:28 AM 7/22/2008
mbam-log-7-22-2008 (02-04-28).txt

Scan type: Quick Scan
Objects scanned: 40295
Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


The computer seems to be running fine. I remember when I had the virus whenever I would open an Internet Explorer window the internet settings were automatically set to accept all cookies. They no longer are. However the file: C:\Documents and Settings\joal\My Documents\Albums\Lil Wayne - Tha Carter III Special Edition [2008] [RAP]\Lil Wayne - Tha Carter III.zip is still in there. When I view the contents of the folder as a list it says the file is an application. And in it's name there is a long space in between the .zip and the .exe.

Posted Image

Edited by coldwars, 22 July 2008 - 12:22 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP