wildbill327
asked on
Facebook link infected my system
Son clicked on a Facebook link on AIM. Computer is infected with Downloader, spyot32, and Vundo. I have all the tools to remove it, i.e. HijackThis, ComboFix, ATF Cleaner etc. I need someone to look at my HijackThis log and give the sequence to run the programs.
The free version of SuperAntiSpyware should be able to clean these pests. In any case, post another HJT log after cleaning with SuperAntiSpyware:
http://www.superantispyware.com/
>> I need someone to look at my hijackthis log and give the sequence to run the programs
That's a Vundo infection, so get SAS as r-k suggested above, install and update it.
Then boot into safe mode and run SAS first.
After that run VundoFix,
then CCleaner to clean temp files.
Reboot back and post a fresh log file.
ASKER
OK, I ran SAS in safe mode after I updated it, ran VundoFix (no problem found), ran CCleaner and also ran ComboFix. I'm still getting a W32.Spybot.worm alert from Symantec for the file mgrsvc.exe. Here are the HJT and ComboFix logs.
***Combofix and Hijackthis logs removed by rpggamergirl, Zone Advisor***
Fix this entry in HJT:
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
Then boot into safe mode and delete the following file:
C:\WINDOWS\system\mgrsvc.exe
That should get rid of the virus alert.
Is ComboFix the last scanner you ran?
Still a lot of bad files there. Is your ComboFix a recent download? If not, delete that one and download a new one.
Open Notepad and copy/paste the text between the lines below into it.
--------------------------------------------------------------------------------
File::
C:\WINDOWS\system32\kioxeprt.dll
C:\WINDOWS\system32\ubtqjpkg.exe
C:\WINDOWS\system32\aiquehcq.exe
C:\WINDOWS\system32\yctcdpvf.exe
C:\WINDOWS\system32\pezugkjt.dll
C:\WINDOWS\system32\rqrolmk.dll
C:\WINDOWS\system32\mljgdca.dll
C:\WINDOWS\system32\lgnturdw.dll
C:\WINDOWS\system32\yiuujohm.exe
C:\WINDOWS\system32\cbxxyvu.dll.vir
C:\WINDOWS\system32\qgpwlhqr.dll
C:\WINDOWS\system32\cgsstdjy.exe
C:\WINDOWS\system32\tuvtqqn.dll
C:\WINDOWS\system32\jkkhgff.dll
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\yayvwtq.dll
C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\tuvtsqr.dll
C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\cbxyvss.dll.vir
C:\WINDOWS\system32\urqrstt.dll
C:\WINDOWS\system32\iifghgg.dll
C:\WINDOWS\system32\rqrpqno.dll
C:\WINDOWS\system32\vtuussq.dll
C:\WINDOWS\system32\byxwuut.dll.vir
C:\WINDOWS\system32\hggecdb.dll
C:\WINDOWS\system32\jkkhffg.dll
C:\WINDOWS\system32\jkkhhef.dll
C:\WINDOWS\system32\khfdedb.dll
C:\WINDOWS\system32\nnnonlk.dll
C:\WINDOWS\system32\opnoljg.dll
C:\WINDOWS\system32\ggddglax.exe
C:\WINDOWS\system32\ssqqqqr.dll
C:\WINDOWS\system32\khfgfdb.dll
C:\WINDOWS\system32\nnnmmji.dll
C:\WINDOWS\system32\awtsppq.dll
C:\WINDOWS\system32\dwlvojav.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji]
--------------------------------------------------------------------------------
Save this as CFScript (CFScript.txt) in the same location as ComboFix.exe,
then drag CFScript onto ComboFix.exe.
This will start ComboFix again. Follow the prompts. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
ASKER
ComboFix is current. Here are the results after following your instructions, followed by the HJT log.
***Combofix and Hijackthis logs removed by rpggamergirl, Zone Advisor***
Did you drag and drop the CFScript.txt onto ComboFix.exe?
The above ComboFix log shows that it DID NOT delete those files I listed in the script.
I don't know why it didn't, but it should have.
Please try again, and if that still won't work, then we'll use another tool.
Your HijackThis log shows that you're running in diagnostic startup mode. Did you uncheck any malware startup entries? Only checked entries will show up in the scan.
>>ComboFix is current here are the results after following your instructions.<<
I asked because "CFScript" doesn't work on the older version of Combofix.
ASKER
Ran it again in Normal Startup, not Safe, with the script. Here is the ComboFix log along with the HJT log I ran immediately following ComboFix.
ComboFix 07-10-12.4 - Dad 2007-10-15 8:03:30.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.162 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\My Documents\Bill\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\My Documents\Bill\CFScript.txt
* Created a new restore point
.
(((((((((((((((((((((((((   Files Created from 2007-09-15 to 2007-10-15   )))))))))))))))))))))))))))))))
.
2007-10-14 23:24 34,304 --a------ C:\WINDOWS\system32\nnnnmkl.dll
2007-10-14 23:08 34,304 --a------ C:\WINDOWS\system32\rqroonn.dll
2007-10-14 21:04 34,304 --a------ C:\WINDOWS\system32\efcccbb.dll
2007-10-14 20:51 34,304 --a------ C:\WINDOWS\system32\xxywttr.dll
2007-10-14 19:43 <DIR> d-------- C:\Program Files\PC Registry Cleaner
2007-10-14 18:37 34,304 --a------ C:\WINDOWS\system32\qomljkh.dll
2007-10-14 18:19 34,304 --a------ C:\WINDOWS\system32\tuvvvvs.dll
2007-10-14 15:44 34,304 --a------ C:\WINDOWS\system32\fccbyyv.dll
2007-10-14 10:47 34,304 --a------ C:\WINDOWS\system32\fccbcyv.dll.vir
2007-10-14 09:56 389,184 --a------ C:\WINDOWS\system32\wqjmduji.exe
2007-10-14 09:56 339,968 --a------ C:\WINDOWS\system32\avzzkbht.dll.vir
2007-10-14 09:34 389,184 --a------ C:\WINDOWS\system32\ubtqjpkg.exe
2007-10-14 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-14 09:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-14 09:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 09:15 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2007-10-13 11:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 09:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 09:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-13 08:36 389,184 --a------ C:\WINDOWS\system32\aiquehcq.exe
2007-10-13 06:33 389,184 --a------ C:\WINDOWS\system32\yctcdpvf.exe
2007-10-13 06:33 339,968 --a------ C:\WINDOWS\system32\pezugkjt.dll
2007-10-12 23:58 34,304 --a------ C:\WINDOWS\system32\rqrolmk.dll
2007-10-12 21:25 34,304 --a------ C:\WINDOWS\system32\mljgdca.dll
2007-10-12 21:06 339,968 --a------ C:\WINDOWS\system32\lgnturdw.dll
2007-10-12 21:05 389,184 --a------ C:\WINDOWS\system32\yiuujohm.exe
2007-10-12 21:01 34,304 --a------ C:\WINDOWS\system32\cbxxyvu.dll.vir
2007-10-12 20:50 339,968 --a------ C:\WINDOWS\system32\qgpwlhqr.dll
2007-10-12 20:49 389,184 --a------ C:\WINDOWS\system32\cgsstdjy.exe
2007-10-12 20:13 34,304 --a------ C:\WINDOWS\system32\tuvtqqn.dll
2007-10-12 17:39 34,304 --a------ C:\WINDOWS\system32\jkkhgff.dll
2007-10-12 16:09 34,304 --a------ C:\WINDOWS\system32\hggdayw.dll
2007-10-12 13:36 34,304 --a------ C:\WINDOWS\system32\yayvwtq.dll
2007-10-11 22:15 34,304 --a------ C:\WINDOWS\system32\urqqonl.dll
2007-10-11 22:06 34,304 --a------ C:\WINDOWS\system32\tuvtsqr.dll
2007-10-11 22:02 34,304 --a------ C:\WINDOWS\system32\rqromkl.dll
2007-10-11 21:41 34,304 --a------ C:\WINDOWS\system32\cbxyvss.dll.vir
2007-10-11 21:38 34,304 --a------ C:\WINDOWS\system32\urqrstt.dll
2007-10-11 19:58 34,304 --a------ C:\WINDOWS\system32\iifghgg.dll
2007-10-11 17:58 34,304 --a------ C:\WINDOWS\system32\rqrpqno.dll
2007-10-11 15:25 34,304 --a------ C:\WINDOWS\system32\vtuussq.dll
2007-10-11 14:08 34,304 --a------ C:\WINDOWS\system32\byxwuut.dll.vir
2007-10-11 13:16 <DIR> d-------- C:\VundoFix Backups
2007-10-05 20:59 0 --a------ C:\WINDOWS\system32\hggecdb.dll
2007-10-05 18:17 0 --a------ C:\WINDOWS\system32\jkkhffg.dll
2007-10-05 17:11 <DIR> d-------- C:\WINDOWS\pss
2007-10-05 15:22 0 --a------ C:\WINDOWS\system32\jkkhhef.dll
2007-10-04 20:27 0 --a------ C:\WINDOWS\system32\khfdedb.dll
2007-10-04 20:22 0 --a------ C:\WINDOWS\system32\nnnonlk.dll
2007-10-04 17:49 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 17:49 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 17:48 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-10-04 17:36 0 --a------ C:\WINDOWS\system32\opnoljg.dll
2007-10-04 17:05 0 --a------ C:\WINDOWS\system32\ggddglax.exe
2007-10-04 16:49 0 --a------ C:\WINDOWS\system32\ssqqqqr.dll
2007-10-02 19:48 34,304 --a------ C:\WINDOWS\system32\khfgfdb.dll
2007-10-02 19:36 34,304 --a------ C:\WINDOWS\system32\nnnmmji.dll
2007-10-02 17:59 34,304 --a------ C:\WINDOWS\system32\awtsppq.dll
2007-10-02 17:59 31,232 -r-hs---- C:\WINDOWS\system\mgrsvc.exe
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 15:59 --------- d-----w C:\Program Files\Google
2007-10-13 15:36 --------- d-----w C:\Program Files\Java
2007-10-05 21:12 --------- d-----w C:\Documents and Settings\Dad\Application Data\LimeWire
2007-10-04 21:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-04 21:51 --------- d-----w C:\Program Files\Symantec
2007-10-04 21:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-09-14 02:09 60,968 ----a-w C:\Documents and Settings\Dad\GoToAssistDownloadHelper.exe
2007-08-24 17:18 --------- d-----w C:\Program Files\Common Files\AOL
2007-08-24 17:18 --------- d-----w C:\Program Files\AIM
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-18 03:56 --------- d-----w C:\Program Files\AIM6
2007-08-18 03:56 --------- d-----w C:\Documents and Settings\Nicole\Application Data\acccore
2007-08-18 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-18 03:51 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-08-18 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.
(((((((((((((((((((((((((((((   snapshot@2007-10-13_ 9.51.16.20   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-13 14:15:06 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
+ 2007-10-14 13:16:14 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-14 13:16:14 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-14 13:16:15 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-13 14:15:06 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2006-11-09 18:28:20 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-11-09 18:28:30 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-11-09 20:07:32 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-10-12 21:41:29 11,195 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2007-10-14 19:04:20 17,128 ----a-w C:\WINDOWS\system32\nvModes.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 15:12 C:\WINDOWS\system32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Dad\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\dwlvojav.dll",sitypnow
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLTRYSVC"=2 (0x2)
"SavRoam"=3 (0x3)
R2 IISLvc;Intel Input Service;"C:\WINDOWS\system\mgrsvc.exe"
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 05:48:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32.job"
- C:\WINDOWS\twain_32
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 08:06:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-15 8:06:49
C:\ComboFix2.txt ... 2007-10-15 06:31
C:\ComboFix3.txt ... 2007-10-14 23:10
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:58 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINDOWS\system\mgrsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153129484593
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7718 bytes
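The two reads the helpers in this thread made by eye, automated as an added example (my code, not HijackThis's, ComboFix's or anyone in the thread's): flag an O23 service with an unknown owner started from an unusual directory (C:\WINDOWS\system rather than system32), and cluster the identically sized, randomly named binaries in system32 that ComboFix's "Files Created" listing shows as the Vundo drop pattern. Sample lines are copied from the logs above; the expected-directory list, the name pattern and the cluster threshold are my assumptions.

```python
# Added example (not HijackThis, ComboFix or anyone in the thread's code): triage helpers
# for the HJT and ComboFix logs posted above. The directory list and thresholds are assumptions.
import re
from collections import defaultdict

# HJT service line: "O23 - Service: <display name> (<short name>) - <owner> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix file row: "<yyyy-mm-dd> <hh:mm> <size> <attributes> <path>"; <DIR> rows do not match
CF_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$")
# Where a legitimately installed service binary is normally started from (assumption)
EXPECTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
# Vundo-style dropper names: 6-9 lowercase letters, no digits, optional ComboFix ".vir" suffix
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,9}\.(dll|exe)(\.vir)?$")
MIN_CLUSTER = 3  # same-size, random-name files needed before a (directory, size) is reported


def split_path(path):
    """Return (lower-cased directory, file name) for a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name


def suspicious_services(hjt_lines):
    """Return (display name, image path, [reasons]) for O23 entries whose owner is
    unknown or whose binary sits outside the usual service directories."""
    findings = []
    for line in hjt_lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue
        directory, _ = split_path(m["path"])
        reasons = []
        if m["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if not (directory + "\\").startswith(EXPECTED_SERVICE_DIRS):
            reasons.append("unusual directory: " + directory)
        if reasons:
            findings.append((m["name"], m["path"], reasons))
    return findings


def parse_combofix_files(cf_lines):
    """Yield (size in bytes, attribute string, path) for every file row in a ComboFix listing."""
    for line in cf_lines:
        m = CF_FILE_RE.match(line.strip())
        if m:
            yield int(m["size"].replace(",", "")), m["attrs"], m["path"]


def random_name_clusters(cf_lines, min_cluster=MIN_CLUSTER):
    """Group randomly named binaries by (directory, size) and keep groups of min_cluster or more.
    Identical size under many names is the tell: each Vundo copy is the same DLL re-dropped under
    a fresh name, while legitimate random-looking names (wuauclt.exe, NirCmd.exe) have unique sizes."""
    groups = defaultdict(list)
    for size, _attrs, path in parse_combofix_files(cf_lines):
        directory, name = split_path(path)
        if RANDOM_NAME_RE.match(name.lower()):
            groups[(directory, size)].append(path)
    return {key: sorted(paths) for key, paths in groups.items() if len(paths) >= min_cluster}


def hidden_system_binaries(cf_lines):
    """Return executables carrying both the hidden and system attributes (mgrsvc.exe's -r-hs---- above)."""
    return [path for _size, attrs, path in parse_combofix_files(cf_lines)
            if "h" in attrs and "s" in attrs and path.lower().endswith((".exe", ".dll"))]


# Sample input, copied (with the extraction spaces repaired) from the logs in this thread.
SAMPLE_HJT = r"""
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

SAMPLE_COMBOFIX = r"""
2007-10-14 23:24 34,304 --a------ C:\WINDOWS\system32\nnnnmkl.dll
2007-10-14 23:08 34,304 --a------ C:\WINDOWS\system32\rqroonn.dll
2007-10-14 21:04 34,304 --a------ C:\WINDOWS\system32\efcccbb.dll
2007-10-14 19:43 <DIR> d-------- C:\Program Files\PC Registry Cleaner
2007-10-14 09:56 389,184 --a------ C:\WINDOWS\system32\wqjmduji.exe
2007-10-14 09:34 389,184 --a------ C:\WINDOWS\system32\ubtqjpkg.exe
2007-10-13 09:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 08:36 389,184 --a------ C:\WINDOWS\system32\aiquehcq.exe
2007-10-04 17:49 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-02 17:59 31,232 -r-hs---- C:\WINDOWS\system\mgrsvc.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
""".strip().splitlines()

if __name__ == "__main__":
    for name, path, reasons in suspicious_services(SAMPLE_HJT):
        print("service:", name, "->", path, "|", ", ".join(reasons))
    for (directory, size), paths in random_name_clusters(SAMPLE_COMBOFIX).items():
        print(f"{len(paths)} random-named files of {size} bytes in {directory}:", *paths, sep="\n  ")
    print("hidden+system binaries:", hidden_system_binaries(SAMPLE_COMBOFIX))
```

Run against the full logs above, the size clustering picks out the 34,304-, 339,968- and 389,184-byte families without any name list, and the service check lands on the one entry the helper told the asker to fix.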
"SunJavaUpdateSched"="C:\P
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.e
"PrinTray"="C:\WINDOWS\Sys
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe
"iTunesHelper"="C:\Program
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMA
"MSConfig"="C:\WINDOWS\PCH
[HKEY_CURRENT_USER\SOFTWAR
"ctfmon.exe"="C:\WINDOWS\s
[HKEY_USERS\.default\softw
"DWQueuedReporting"="C:\PR
C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.ex
[HKEY_LOCAL_MACHINE\SOFTWA
"{5AE067D3-9AFB-48E0-853A-
[HKEY_LOCAL_MACHINE\softwa
path=C:\Documents and Settings\Dad\Start Menu\Programs\Startup\Lime
backup=C:\WINDOWS\pss\Lime
[HKEY_LOCAL_MACHINE\softwa
rundll32.exe "C:\WINDOWS\system32\dwlvo
[HKEY_LOCAL_MACHINE\softwa
"WLTRYSVC"=2 (0x2)
"SavRoam"=3 (0x3)
R2 IISLvc;Intel Input Service;"C:\WINDOWS\system
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\
.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 05:48:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32.
- C:\WINDOWS\twain_32
.
**************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 08:06:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************
.
Completion time: 2007-10-15 8:06:49
C:\ComboFix2.txt ... 2007-10-15 06:31
C:\ComboFix3.txt ... 2007-10-14 23:10
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:58 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchos
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCE
C:\WINDOWS\system32\spools
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc3
C:\WINDOWS\System32\svchos
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\Vie
C:\Program Files\iPod\bin\iPodService
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\D
C:\Program Files\Java\jre1.6.0_03\bin
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\lxamsp
C:\WINDOWS\System32\spool\
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTra
C:\WINDOWS\system32\lexpps
C:\WINDOWS\system32\ctfmon
C:\Program Files\LexmarkX63\AcBtnMgr_
C:\Program Files\LexmarkX63\ACMonitor
C:\WINDOWS\system\mgrsvc.e
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepa
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\D
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICR
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICR
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-0
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O16 - DPF: {05D44720-58E3-49E6-BDF6-D
O16 - DPF: {3BB54395-5982-4788-8AF4-B
O16 - DPF: {5736C456-EA94-4AAC-BB08-9
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-D
O16 - DPF: {9BDF4724-10AA-43D5-BD15-A
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.e
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc3
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\Vie
--
End of file - 7718 bytes
What I meant was your hijackthis log shows that Windows is running in diagnostic mode, which usually happens when you uncheck startup entries in msconfig.
Still the same, entries are still there.
Let's use Avenger to delete those entries. You need to paste exactly what's between the lines, everything, all characters, including the colon ":", otherwise the script will not run.
Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip
*Click on Avenger.zip to open the file
*Extract avenger.exe to your desktop
Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following text (all text inside the lines below):
-----------------------------------------------------------------------------------------------------------
Files to delete:
C:\WINDOWS\system32\kioxeprt.dll
C:\WINDOWS\system32\ubtqjpkg.exe
C:\WINDOWS\system32\aiquehcq.exe
C:\WINDOWS\system32\yctcdpvf.exe
C:\WINDOWS\system32\pezugkjt.dll
C:\WINDOWS\system32\rqrolmk.dll
C:\WINDOWS\system32\mljgdca.dll
C:\WINDOWS\system32\lgnturdw.dll
C:\WINDOWS\system32\yiuujohm.exe
C:\WINDOWS\system32\cbxxyvu.dll.vir
C:\WINDOWS\system32\qgpwlhqr.dll
C:\WINDOWS\system32\cgsstdjy.exe
C:\WINDOWS\system32\tuvtqqn.dll
C:\WINDOWS\system32\jkkhgff.dll
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\yayvwtq.dll
C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\tuvtsqr.dll
C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\cbxyvss.dll.vir
C:\WINDOWS\system32\urqrstt.dll
C:\WINDOWS\system32\iifghgg.dll
C:\WINDOWS\system32\rqrpqno.dll
C:\WINDOWS\system32\vtuussq.dll
C:\WINDOWS\system32\byxwuut.dll.vir
C:\WINDOWS\system32\hggecdb.dll
C:\WINDOWS\system32\jkkhffg.dll
C:\WINDOWS\system32\jkkhhef.dll
C:\WINDOWS\system32\khfdedb.dll
C:\WINDOWS\system32\nnnonlk.dll
C:\WINDOWS\system32\opnoljg.dll
C:\WINDOWS\system32\ggddglax.exe
C:\WINDOWS\system32\ssqqqqr.dll
C:\WINDOWS\system32\khfgfdb.dll
C:\WINDOWS\system32\nnnmmji.dll
C:\WINDOWS\system32\awtsppq.dll
C:\WINDOWS\system32\dwlvojav.dll
Registry keys to delete:
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji
------------------------------------------------------------------------------------------------------------
Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.
Next time you run Hijackthis, can you please rename it before scanning so it won't have the word "hijackthis", rename it to anything.exe or whatever.exe
or you can use this already renamed version --> http://danborg.org/spy/hjt/alternativ.exe
and show us the logfile from the renamed version.
Please also run this, and see if it finds any nasties to remove.
Download MsnCleaner_eng.zip
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip
Now reboot into Safe Mode
Double-click MsnCleaner_eng.exe to run it.
Click the Analyze button.
A report will be created once the scan finishes.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.
Please post the contents of C:\MsnCleaner.txt in a reply to this post.
ASKER
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fouxhgbs
*******************
Script file located at: \??\C:\Program Files\yvtdcwty.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq failed!
Status: 0xc0000034
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt failed!
Status: 0xc0000034
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca failed!
Status: 0xc0000034
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
ASKER
Logfile of HijackThis v1.99.1
Scan saved at 9:06:47 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system\mgrsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Dad\My Documents\Bill\alternativ.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\dwlvojav.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153129484593
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Now that's a weird result!
Let's assume that those bad reg entries are gone, but what about the files???
Avenger should say something like "deleted successfully" or "delete failed" for the files.
It didn't mention the files at all. All those files were included in the script, right?
ASKER
Yes, I'll run it again. MsnCleaner_eng found nothing.
ASKER
Here is another Avenger log I just ran:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ydsxqgmq
*******************
Script file located at: \??\C:\WINDOWS\system32\gqyqkkbb.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\awtsppq failed!
Status: 0xc0000034
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\kioxeprt failed!
Status: 0xc0000034
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\mljgdca failed!
Status: 0xc0000034
Registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji not found!
Deletion of registry key HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmji failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
ASKER
Symantec is still finding win32.spybot.worm file is msgsvc.exe. Unable to remove in safe mode with HijT.
ASKER
CORRECTION: Symantec is still finding win32.spybot.worm; file is MGRSVC.EXE. Unable to remove in safe mode with HijT.
ASKER
Ran Kaspersky Scan. Here are the results:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 15, 2007 2:44:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/10/2007
Kaspersky Anti-Virus database records: 436309
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 44223
Number of viruses found: 4
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 00:53:25
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ad467c05beccc10a4951384e1f0c67d3_7d1d64b6-da05-4db9-addd-c62855bda6ec Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01022007-145257.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\049C0000\479E4FB7.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08BC0000\4FBEC49A.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\093C0000\4F3E67B6.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C7C0000\4F7D8B11.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D180000\4F1EA9DA.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FCC0000\4FCD6195.VBN Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{00E1CD54-706E-4F66-97A2-7ABD98A13336} Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\MSHist012007101520071016\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0480NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0732NAV~.TMP Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rkwhlsha.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\twboxkbs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.wn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\hnaapohi.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\VundoFix Backups\qdicikhv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\VundoFix Backups\qkiwyuiy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\VundoFix Backups\yhvqoice.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{84BA63FD-9B66-4C9E-A741-E711AFEB1EE4}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
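A triage of the report above, as an added example (not code from the thread, from Kaspersky, or from any of the tools named here): it separates "Object is locked" noise from "Infected:" hits and checks whether each infected path sits in a quarantine or backup store, which is where every infected entry in this report lives. The sample input is excerpted from the report plus one constructed placeholder line (EXAMPLE-live.exe) standing in for a detection in a live location.

```python
import re
from collections import Counter

# Locations that hold already-neutralised copies: the Symantec quarantine store,
# Combofix's qoobox quarantine and VundoFix's backup folder. A hit under one of
# these is a leftover, not a live infection. Compared case-insensitively.
QUARANTINE_MARKERS = (
    "\\symantec antivirus corporate edition\\7.5\\quarantine\\",
    "\\qoobox\\quarantine\\",
    "\\vundofix backups\\",
)

# A result line is "<path> <status> <last action>", where <status> is either
# "Object is locked" or "Infected: <detection name>". Paths contain spaces, so
# the path group is non-greedy and the pattern is anchored at both ends.
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)|Infected:\s+(?P<name>\S+))\s+"
    r"(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict for one result line, or None for headers and statistics."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    lowered = path.lower()
    return {
        "path": path,
        "status": "locked" if m.group("locked") else "infected",
        "name": m.group("name"),
        "action": m.group("action"),
        "quarantined": any(marker in lowered for marker in QUARANTINE_MARKERS),
    }


def triage(report_text):
    """Summarise a report: locked objects are noise, quarantined hits are
    leftovers, and only infected objects outside those stores need action."""
    entries = [e for e in map(parse_line, report_text.splitlines()) if e]
    infected = [e for e in entries if e["status"] == "infected"]
    return {
        "locked": sum(1 for e in entries if e["status"] == "locked"),
        "infected": len(infected),
        "quarantined": sum(1 for e in infected if e["quarantined"]),
        "live": [e["path"] for e in infected if not e["quarantined"]],
        "by_name": Counter(e["name"] for e in infected),
    }


# Constructed sample: five lines excerpted from the report above plus one
# placeholder line (EXAMPLE-live.exe is not a file from this thread).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\049C0000\479E4FB7.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rkwhlsha.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\VundoFix Backups\hnaapohi.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system\EXAMPLE-live.exe Infected: Example.Constructed.Name skipped
Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"locked objects (skip): {summary['locked']}")
    print(f"infected: {summary['infected']}, in quarantine stores: {summary['quarantined']}")
    for path in summary["live"]:
        print("needs attention:", path)
    for name, count in summary["by_name"].most_common():
        print(f"{count} x {name}")
```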
I'm very much confused with this.
Combofix's latest version can't make the CFScript work; this has never happened before.
The Avenger result doesn't make sense; it didn't process the files to be deleted.
Are you sure this line was included in the script? --> Files to delete:
That has to be included for Avenger to process it.
And about that service file that NOD32 keeps alerting on,
Stop and delete that service --> IISLvc
Go to Start Menu > Run > type
cmd
Press OK, then type or copy and paste these commands onto the cmd screen, pressing Enter after each line:
sc stop IISLvc
sc delete IISLvc
exit
C:\WINDOWS\system\mgrsvc.exe <-- see if this file still exists; don't use "Search" to look for it, use Explorer with hidden files shown.
ASKER
OK, Avenger ran and deleted those files. I didn't leave the "Files to delete" line in the first time. I lost the log; here is the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:59, on 2007-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cscript.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jzorkusd.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153129484593
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8013 bytes
O16 - DPF: {3BB54395-5982-4788-8AF4-B
O16 - DPF: {5736C456-EA94-4AAC-BB08-9
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-D
O16 - DPF: {9BDF4724-10AA-43D5-BD15-A
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc3
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\Vie
--
End of file - 8013 bytes
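For readers working through logs like the one above, the following Python script is an added example (not HijackThis code, and not from anyone in this thread) that parses HijackThis entries and pulls out the lines an analyst checks first: O23 services with no identified owner, O2/O3 BHO or toolbar entries backed by a DLL sitting directly in system32, and O4 autoruns whose command is a bare filename rather than a full path. The sample lines are constructed in the log's format; the O2/O3 CLSIDs and jzorkusd.dll come from the ComboFix output posted further down in this thread, and the "Sample Helper Service" O23 line is a hypothetical entry.

```python
"""HijackThis log triage: an added example for this thread, not part of
HijackThis or any poster's tooling. It splits a log into its prefixed entries
(R0, O2, O4, O23 ...) and flags the lines an analyst checks first."""
import re

# One HijackThis entry: prefix letter + number, " - ", then the entry body.
ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path ending in a PE/COM extension anywhere in an entry body.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|ocx)\b', re.I)
# A file sitting directly in system32 (no sub-directory).
SYSTEM32_DIRECT = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+$", re.I)
# "[name] command" shape of an O4 Run entry.
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

def parse_hjt(text):
    """Return (kind, body) for every entry line; the header, the 'Running
    processes' paths and blank lines do not match ENTRY and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def triage_hjt(text):
    """Return (tag, detail) findings for the three checks below."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "O23" and "- Unknown owner -" in body:
            # A service with no company string is the first thing to verify.
            findings.append(("service-unknown-owner", body))
        elif kind in ("O2", "O3"):
            # BHOs and toolbars normally live under Program Files; a DLL
            # dropped straight into system32 is the pattern in this thread.
            m = PATH_RE.search(body)
            if m and SYSTEM32_DIRECT.match(m.group(0)):
                findings.append(("ie-extension-in-system32", m.group(0)))
        elif kind == "O4":
            # A bare filename is resolved through the search path at logon,
            # so the binary it actually launches must be located and checked.
            m = RUN_ENTRY.search(body)
            if m and not re.match(r'^"?[A-Za-z]:\\', m.group("cmd")):
                findings.append(("autorun-bare-command", m.group("cmd")))
    return findings

# Constructed sample in the posted log's format. The O2/O3 lines use the BHO and
# toolbar CLSIDs that the ComboFix output in this thread attributes to
# jzorkusd.dll; the O23 "Sample Helper Service" line is hypothetical.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:59, on 2007-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\jzorkusd.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jzorkusd.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Sample Helper Service (SmplHlp) - Unknown owner - C:\WINDOWS\system\smplhlp.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for tag, detail in triage_hjt(SAMPLE_HJT):
        print(f"{tag:26} {detail}")
```

The bare-command entries in the sample (BCMSMMSG.exe, lxamsp32.exe) are the Dell modem and Lexmark helpers that also appear in the real log, so that check is a prompt to locate and verify the binary, not a verdict; the system32 BHO/toolbar check is the one that actually points at the infection here.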
ASKER
Also ran this again
ComboFix 07-10-12.4 - Dad 2007-10-16 6:58:35.18 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.94 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Hammer.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\alfylhjb.ini
C:\WINDOWS\system32\bhivgqeq.dll
C:\WINDOWS\system32\bjhlyfla.dll
C:\WINDOWS\system32\dclyxnyu.ini
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fhkmp.tmp
C:\WINDOWS\system32\fhkmp.tmp
C:\WINDOWS\system32\fhkmp.tmp
C:\WINDOWS\system32\glsdjpjh.dll
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\qeqgvihb.ini
C:\WINDOWS\system32\uynxylcd.dll
C:\WINDOWS\system32\yktvobvc.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.
2007-10-16 06:57 339,968 --a------ C:\WINDOWS\system32\jzorkusd.dll
2007-10-16 06:56 389,184 --a------ C:\WINDOWS\system32\mqvigcru.exe
2007-10-16 06:34 389,184 --a------ C:\WINDOWS\system32\hhfledew.exe
2007-10-16 06:34 339,968 --a------ C:\WINDOWS\system32\jrcnbdfy.dll
2007-10-16 06:24 339,968 --a------ C:\WINDOWS\system32\txenfhxp.dll
2007-10-16 06:23 389,184 --a------ C:\WINDOWS\system32\cfhulhfn.exe
2007-10-16 06:07 389,184 --a------ C:\WINDOWS\system32\omxglxxv.exe
2007-10-16 06:07 339,968 --a------ C:\WINDOWS\system32\uvaglvtb.dll
2007-10-16 03:44 389,184 --a------ C:\WINDOWS\system32\rppmfgkx.exe
2007-10-16 03:44 339,968 --a------ C:\WINDOWS\system32\kkwostel.dll
2007-10-15 14:54 <DIR> d-------- C:\Documents and Settings\Dad\DoctorWeb
2007-10-15 14:13 34,304 --a------ C:\WINDOWS\system32\ddcdbax.dll
2007-10-15 12:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 23:24 34,304 --a------ C:\WINDOWS\system32\nnnnmkl.dll
2007-10-14 23:08 34,304 --a------ C:\WINDOWS\system32\rqroonn.dll
2007-10-14 21:04 34,304 --a------ C:\WINDOWS\system32\efcccbb.dll
2007-10-14 20:51 34,304 --a------ C:\WINDOWS\system32\xxywttr.dll
2007-10-14 19:43 <DIR> d-------- C:\Program Files\PC Registry Cleaner
2007-10-14 18:37 34,304 --a------ C:\WINDOWS\system32\qomljkh.dll
2007-10-14 18:19 34,304 --a------ C:\WINDOWS\system32\tuvvvvs.dll
2007-10-14 15:44 34,304 --a------ C:\WINDOWS\system32\fccbyyv.dll
2007-10-14 10:47 34,304 --a------ C:\WINDOWS\system32\fccbcyv.dll.vir
2007-10-14 09:56 389,184 --a------ C:\WINDOWS\system32\wqjmduji.exe
2007-10-14 09:56 339,968 --a------ C:\WINDOWS\system32\avzzkbht.dll.vir
2007-10-14 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-14 09:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-14 09:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 09:15 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2007-10-13 11:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 09:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 09:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-11 13:16 <DIR> d-------- C:\VundoFix Backups
2007-10-05 17:11 <DIR> d-------- C:\WINDOWS\pss
2007-10-04 17:49 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 17:49 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 17:48 <DIR> d-------- C:\Program Files\Symantec AntiVirus
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 19:12 --------- d-----w C:\Documents and Settings\Dad\Application Data\LimeWire
2007-10-13 15:59 --------- d-----w C:\Program Files\Google
2007-10-13 15:36 --------- d-----w C:\Program Files\Java
2007-10-04 21:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-04 21:51 --------- d-----w C:\Program Files\Symantec
2007-10-04 21:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-09-14 02:09 60,968 ----a-w C:\Documents and Settings\Dad\GoToAssistDownloadHelper.exe
2007-08-24 17:18 --------- d-----w C:\Program Files\Common Files\AOL
2007-08-24 17:18 --------- d-----w C:\Program Files\AIM
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-18 03:56 --------- d-----w C:\Program Files\AIM6
2007-08-18 03:56 --------- d-----w C:\Documents and Settings\Nicole\Application Data\acccore
2007-08-18 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-18 03:51 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-08-18 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-13_ 9.51.16.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-13 14:15:06 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
+ 2007-10-14 13:16:14 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-14 13:16:14 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-14 13:16:15 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-13 14:15:06 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2006-11-09 18:28:20 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-11-09 18:28:30 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-11-09 20:07:32 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-10-12 21:41:29 11,195 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2007-10-14 19:04:20 17,128 ----a-w C:\WINDOWS\system32\nvModes.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-16 06:57 339968 --a------ C:\WINDOWS\system32\jzorkusd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}]
2007-10-15 14:13 34304 --a------ C:\WINDOWS\system32\ddcdbax.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\jzorkusd.dll [2007-10-16 06:57 339968]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\jzorkusd.dll [2007-10-16 06:57 339968]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 15:12 C:\WINDOWS\system32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]
C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINDOWS\system32\ddcdbax.dll [2007-10-15 14:13 34304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbax]
ddcdbax.dll 2007-10-15 14:13 34304 C:\WINDOWS\system32\ddcdbax.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jzorkusd]
jzorkusd.dll 2007-10-16 06:57 339968 C:\WINDOWS\system32\jzorkusd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhf.dll
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-16 11:16:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32. job"
- C:\WINDOWS\twain_32
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 07:15:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-16 7:18:31 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-15 15:39
C:\ComboFix3.txt ... 2007-10-15 10:56
.
--- E O F ---
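The ComboFix output above shows one consistent picture: eight-letter random names at 339,968 and 389,184 bytes re-created in system32 several times within a few hours, seven-letter 34,304-byte DLLs, and the BHO, Toolbar, ShellExecuteHooks, Winlogon Notify and LSA "Authentication Packages" entries that load them. The following Python script is an added example (not a ComboFix feature, and not anyone's code in this thread) that reads a log in this format and flags exactly those patterns. The sample log is a few lines of the posted log with the forum's wrap-spaces removed; the random-name heuristic and its allowlist are assumptions made for this example, not a ComboFix rule.

```python
"""ComboFix log triage: an added example for this thread, not a ComboFix feature
or any poster's code. It flags random-named files dropped straight into system32
in identical-size pairs, the Winlogon Notify / BHO / ShellExecuteHooks entries
that point at them, and any LSA authentication package beyond msv1_0."""
import re
from collections import defaultdict

# "Files Created" line shape as printed above: <date> <time> <size|<DIR>> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+?)\s*$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]"]*?\.(?:dll|exe|sys)\b', re.I)
SYSTEM32_DIRECT = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+$", re.I)
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")   # jzorkusd, ddcdbax, pmkhf ...
KNOWN_OK = {"lsass", "svchost", "ctfmon", "cscript", "wscript", "spoolsv",  # legit 5-8 letter
            "userinit", "wuauclt", "wuapi", "wuaueng", "wucltui", "wuweb"}  # names; extend

def looks_random(path):
    """Heuristic: a file directly under system32 whose stem is 5-8 lowercase
    letters and is not allow-listed. Suspicion, not proof."""
    if not SYSTEM32_DIRECT.match(path):
        return False
    stem = path.rsplit("\\", 1)[-1].lower().split(".", 1)[0]
    return bool(RANDOM_STEM.match(stem)) and stem not in KNOWN_OK

def split_sections(text):
    """Group log lines under their '(((( Section Name ))))' banner lines."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("((("):
            current = line.strip("() ")
        elif line and line != ".":
            sections[current].append(line)
    return sections

def triage_combofix(text):
    """Return (tag, detail) findings for one ComboFix log."""
    sections, findings, by_size = split_sections(text), [], defaultdict(list)
    # 1. Files Created: random-named binaries, then same-size clusters (the log
    #    above shows 339,968 and 389,184 bytes recurring under new names).
    for name, lines in sections.items():
        if not name.startswith("Files Created"):
            continue
        for m in filter(None, map(FILE_LINE.match, lines)):
            path = m.group("path")
            if m.group("size") == "<DIR>" or not looks_random(path):
                continue
            findings.append(("random-name-system32", path))
            by_size[int(m.group("size").replace(",", ""))].append(path)
    for size, paths in sorted(by_size.items()):
        if len(paths) >= 2:
            findings.append(("same-size-cluster", "%d bytes: %s" % (size, ", ".join(paths))))
    # 2. Reg Loading Points: a bracketed key, then the value/file lines under it.
    key = ""
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if "\\lsa" in key and '"authentication packages"' in line.lower():
            extras = [t for t in line.split("=", 1)[1].split() if t.lower() != "msv1_0"]
            if extras:
                findings.append(("lsa-auth-package", " ".join(extras)))
            continue
        m = PATH_RE.search(line)
        if not m or not looks_random(m.group(0)):
            continue
        for marker, tag in (("browser helper objects", "bho"),
                            ("winlogon\\notify", "winlogon-notify"),
                            ("shellexecutehooks", "shell-execute-hook"),
                            ("\\run", "run-key")):
            if marker in key:
                findings.append((tag, m.group(0)))
                break
    return findings

# Constructed sample: a few lines of the posted log with the wrap-spaces removed.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))
2007-10-16 06:57 339,968 --a------ C:\WINDOWS\system32\jzorkusd.dll
2007-10-16 06:56 389,184 --a------ C:\WINDOWS\system32\mqvigcru.exe
2007-10-16 06:34 389,184 --a------ C:\WINDOWS\system32\hhfledew.exe
2007-10-16 06:34 339,968 --a------ C:\WINDOWS\system32\jrcnbdfy.dll
2007-10-15 14:54 <DIR> d-------- C:\Documents and Settings\Dad\DoctorWeb
2007-10-15 14:13 34,304 --a------ C:\WINDOWS\system32\ddcdbax.dll
2007-10-14 23:24 34,304 --a------ C:\WINDOWS\system32\nnnnmkl.dll
2007-10-04 17:49 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
(((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-16 06:57 339968 --a------ C:\WINDOWS\system32\jzorkusd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINDOWS\system32\ddcdbax.dll [2007-10-15 14:13 34304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbax]
ddcdbax.dll 2007-10-15 14:13 34304 C:\WINDOWS\system32\ddcdbax.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhf.dll
"""
```

Run `triage_combofix` on a full log and the "same-size-cluster" lines are the quickest way to tell whether a dropper is still re-creating its payload between scans, which is what the timestamps in the log above show; everything it reports still needs the file itself checked (publisher, hash, what loads it) before acting on it, since the name heuristic alone will also catch short legitimate names that are not on the allowlist.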
The above Combofix log is not a CFScript run, that's just a normal Combofix scan, unless a portion of the log is missing.
I really don't know why Combofix CFScript is not working here.
Bad files are still showing.
Let's try another tool.
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
* In the 'Files Created Within' group click 30 days
* In the 'Files Modified Within' group select 30 days
* In the 'File String Search' group select Non-Microsoft
* In the 'Drivers Services' group select Non-Microsoft
* In the 'Additional Scans' group select 'Desktop Components'
Now click the "Run Scan" button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked.
If it is, then click on it to uncheck it.
Please upload the log at EE-Stuff.com
ASKER
I placed it up there!
ASKER
I ran ComboFix with the script. Here is the log:
ComboFix 07-10-12.4 - Dad 2007-10-16 16:56:52.20 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.130 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.log
* Created a new restore point
FILE::
C:\WINDOWS\system32\aiquehcq.exe
C:\WINDOWS\system32\awtsppq.dll
C:\WINDOWS\system32\byxwuut.dll.vir
C:\WINDOWS\system32\cbxxyvu.dll.vir
C:\WINDOWS\system32\cbxyvss.dll.vir
C:\WINDOWS\system32\cgsstdjy.exe
C:\WINDOWS\system32\dwlvojav.dll
C:\WINDOWS\system32\ggddglax.exe
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\hggecdb.dll
C:\WINDOWS\system32\iifghgg.dll
C:\WINDOWS\system32\jkkhffg.dll
C:\WINDOWS\system32\jkkhgff.dll
C:\WINDOWS\system32\jkkhhef.dll
C:\WINDOWS\system32\khfdedb.dll
C:\WINDOWS\system32\khfgfdb.dll
C:\WINDOWS\system32\kioxeprt.dll
C:\WINDOWS\system32\lgnturdw.dll
C:\WINDOWS\system32\mljgdca.dll
C:\WINDOWS\system32\nnnmmji.dll
C:\WINDOWS\system32\nnnonlk.dll
C:\WINDOWS\system32\opnoljg.dll
C:\WINDOWS\system32\pezugkjt.dll
C:\WINDOWS\system32\qgpwlhqr.dll
C:\WINDOWS\system32\rqrolmk.dll
C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\rqrpqno.dll
C:\WINDOWS\system32\ssqqqqr.dll
C:\WINDOWS\system32\tuvtqqn.dll
C:\WINDOWS\system32\tuvtsqr.dll
C:\WINDOWS\system32\ubtqjpkg.exe
C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\urqrstt.dll
C:\WINDOWS\system32\vtuussq.dll
C:\WINDOWS\system32\yayvwtq.dll
C:\WINDOWS\system32\yctcdpvf.exe
C:\WINDOWS\system32\yiuujohm.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini
.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.
2007-10-16 06:56 389,184 --a------ C:\WINDOWS\system32\mqvigcru.exe
2007-10-16 06:34 389,184 --a------ C:\WINDOWS\system32\hhfledew.exe
2007-10-16 06:34 339,968 --a------ C:\WINDOWS\system32\jrcnbdfy.dll
2007-10-16 06:24 339,968 --a------ C:\WINDOWS\system32\txenfhxp.dll
2007-10-16 06:23 389,184 --a------ C:\WINDOWS\system32\cfhulhfn.exe
2007-10-16 06:07 389,184 --a------ C:\WINDOWS\system32\omxglxxv.exe
2007-10-16 06:07 339,968 --a------ C:\WINDOWS\system32\uvaglvtb.dll
2007-10-16 03:44 389,184 --a------ C:\WINDOWS\system32\rppmfgkx.exe
2007-10-16 03:44 339,968 --a------ C:\WINDOWS\system32\kkwostel.dll
2007-10-15 14:54 <DIR> d-------- C:\Documents and Settings\Dad\DoctorWeb
2007-10-15 14:13 34,304 --a------ C:\WINDOWS\system32\ddcdbax.dll
2007-10-15 12:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 23:24 34,304 --a------ C:\WINDOWS\system32\nnnnmkl.dll
2007-10-14 23:08 34,304 --a------ C:\WINDOWS\system32\rqroonn.dll
2007-10-14 21:04 34,304 --a------ C:\WINDOWS\system32\efcccbb.dll
2007-10-14 20:51 34,304 --a------ C:\WINDOWS\system32\xxywttr.dll
2007-10-14 19:43 <DIR> d-------- C:\Program Files\PC Registry Cleaner
2007-10-14 18:37 34,304 --a------ C:\WINDOWS\system32\qomljkh.dll
2007-10-14 18:19 34,304 --a------ C:\WINDOWS\system32\tuvvvvs.dll
2007-10-14 15:44 34,304 --a------ C:\WINDOWS\system32\fccbyyv.dll
2007-10-14 10:47 34,304 --a------ C:\WINDOWS\system32\fccbcyv.dll.vir
2007-10-14 09:56 389,184 --a------ C:\WINDOWS\system32\wqjmduji.exe
2007-10-14 09:56 339,968 --a------ C:\WINDOWS\system32\avzzkbht.dll.vir
2007-10-14 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-14 09:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-14 09:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 09:15 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2007-10-13 11:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 09:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 09:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-11 13:16 <DIR> d-------- C:\VundoFix Backups
2007-10-05 17:11 <DIR> d-------- C:\WINDOWS\pss
2007-10-04 17:49 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 17:49 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 17:48 <DIR> d-------- C:\Program Files\Symantec AntiVirus
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 19:12 --------- d-----w C:\Documents and Settings\Dad\Application Data\LimeWire
2007-10-13 15:59 --------- d-----w C:\Program Files\Google
2007-10-13 15:36 --------- d-----w C:\Program Files\Java
2007-10-04 21:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-04 21:51 --------- d-----w C:\Program Files\Symantec
2007-10-04 21:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-09-14 02:09 60,968 ----a-w C:\Documents and Settings\Dad\GoToAssistDownloadHelper.exe
2007-08-24 17:18 --------- d-----w C:\Program Files\Common Files\AOL
2007-08-24 17:18 --------- d-----w C:\Program Files\AIM
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-18 03:56 --------- d-----w C:\Program Files\AIM6
2007-08-18 03:56 --------- d-----w C:\Documents and Settings\Nicole\Application Data\acccore
2007-08-18 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-18 03:51 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-08-18 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-13_ 9.51.16.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-13 14:15:06 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
+ 2007-10-14 13:16:14 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-14 13:16:14 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-14 13:16:15 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-13 14:15:06 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2006-11-09 18:28:20 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-11-09 18:28:30 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-11-09 20:07:32 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-10-12 21:41:29 11,195 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2007-10-14 19:04:20 17,128 ----a-w C:\WINDOWS\system32\nvModes.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D089509-246B-4B9B-8B84-AA6DA7CA61E4}]
C:\WINDOWS\system32\ssqpp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}]
2007-10-15 14:13 34304 --a------ C:\WINDOWS\system32\ddcdbax.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 15:12 C:\WINDOWS\system32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]
C:\Documents and Settings\Dad\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{BACEB7AF-8D88-456E-82D0-7BEB9A4410FE}"= C:\WINDOWS\system32\ddcdbax.dll [2007-10-15 14:13 34304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbax]
ddcdbax.dll 2007-10-15 14:13 34304 C:\WINDOWS\system32\ddcdbax.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jzorkusd]
jzorkusd.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvts.dll
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-16 21:19:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32.job"
- C:\WINDOWS\twain_32
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 17:18:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-16 17:21:00 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-16 08:03
C:\ComboFix3.txt ... 2007-10-16 07:18
.
--- E O F ---
ASKER
Things looked good for a while. I started getting pop-ups again. I ran ComboFix with the script, SuperAntiSpyware, and PC Registry Cleaner. Here is the latest ComboFix log:
ComboFix 07-10-12.4 - Dad 2007-10-17 7:46:43.21 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.362 [GMT -4:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript_used_2007-10-16@16.56.txt
FILE::
C:\WINDOWS\system32\aiquehcq.exe
C:\WINDOWS\system32\awtsppq.dll
C:\WINDOWS\system32\byxwuut.dll.vir
C:\WINDOWS\system32\cbxxyvu.dll.vir
C:\WINDOWS\system32\cbxyvss.dll.vir
C:\WINDOWS\system32\cgsstdjy.exe
C:\WINDOWS\system32\dwlvojav.dll
C:\WINDOWS\system32\ggddglax.exe
C:\WINDOWS\system32\hggdayw.dll
C:\WINDOWS\system32\hggecdb.dll
C:\WINDOWS\system32\iifghgg.dll
C:\WINDOWS\system32\jkkhffg.dll
C:\WINDOWS\system32\jkkhgff.dll
C:\WINDOWS\system32\jkkhhef.dll
C:\WINDOWS\system32\khfdedb.dll
C:\WINDOWS\system32\khfgfdb.dll
C:\WINDOWS\system32\kioxeprt.dll
C:\WINDOWS\system32\lgnturdw.dll
C:\WINDOWS\system32\mljgdca.dll
C:\WINDOWS\system32\nnnmmji.dll
C:\WINDOWS\system32\nnnonlk.dll
C:\WINDOWS\system32\opnoljg.dll
C:\WINDOWS\system32\pezugkjt.dll
C:\WINDOWS\system32\qgpwlhqr.dll
C:\WINDOWS\system32\rqrolmk.dll
C:\WINDOWS\system32\rqromkl.dll
C:\WINDOWS\system32\rqrpqno.dll
C:\WINDOWS\system32\ssqqqqr.dll
C:\WINDOWS\system32\tuvtqqn.dll
C:\WINDOWS\system32\tuvtsqr.dll
C:\WINDOWS\system32\ubtqjpkg.exe
C:\WINDOWS\system32\urqqonl.dll
C:\WINDOWS\system32\urqrstt.dll
C:\WINDOWS\system32\vtuussq.dll
C:\WINDOWS\system32\yayvwtq.dll
C:\WINDOWS\system32\yctcdpvf.exe
C:\WINDOWS\system32\yiuujohm.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Hammer.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cymnobog.dll
C:\WINDOWS\system32\fthgkkts.dll
C:\WINDOWS\system32\gobonmyc.ini
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mmllm.ini
.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.
2007-10-17 05:27 339,968 --a------ C:\WINDOWS\system32\oawucwgq.dll
2007-10-17 05:26 389,184 --a------ C:\WINDOWS\system32\tkqwhfyp.exe
2007-10-16 06:56 389,184 --a------ C:\WINDOWS\system32\mqvigcru.exe
2007-10-16 06:34 389,184 --a------ C:\WINDOWS\system32\hhfledew.exe
2007-10-16 06:34 339,968 --a------ C:\WINDOWS\system32\jrcnbdfy.dll
2007-10-16 06:24 339,968 --a------ C:\WINDOWS\system32\txenfhxp.dll
2007-10-16 06:23 389,184 --a------ C:\WINDOWS\system32\cfhulhfn.exe
2007-10-16 06:07 389,184 --a------ C:\WINDOWS\system32\omxglxxv.exe
2007-10-16 06:07 339,968 --a------ C:\WINDOWS\system32\uvaglvtb.dll
2007-10-16 03:44 389,184 --a------ C:\WINDOWS\system32\rppmfgkx.exe
2007-10-16 03:44 339,968 --a------ C:\WINDOWS\system32\kkwostel.dll
2007-10-15 14:54 <DIR> d-------- C:\Documents and Settings\Dad\DoctorWeb
2007-10-15 12:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-15 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 23:24 34,304 --a------ C:\WINDOWS\system32\nnnnmkl.dll
2007-10-14 23:08 34,304 --a------ C:\WINDOWS\system32\rqroonn.dll
2007-10-14 21:04 34,304 --a------ C:\WINDOWS\system32\efcccbb.dll
2007-10-14 20:51 34,304 --a------ C:\WINDOWS\system32\xxywttr.dll
2007-10-14 19:43 <DIR> d-------- C:\Program Files\PC Registry Cleaner
2007-10-14 18:37 34,304 --a------ C:\WINDOWS\system32\qomljkh.dll
2007-10-14 18:19 34,304 --a------ C:\WINDOWS\system32\tuvvvvs.dll
2007-10-14 15:44 34,304 --a------ C:\WINDOWS\system32\fccbyyv.dll
2007-10-14 10:47 34,304 --a------ C:\WINDOWS\system32\fccbcyv.dll.vir
2007-10-14 09:56 389,184 --a------ C:\WINDOWS\system32\wqjmduji.exe
2007-10-14 09:56 339,968 --a------ C:\WINDOWS\system32\avzzkbht.dll.vir
2007-10-14 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-14 09:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-14 09:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-14 09:15 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2007-10-13 11:12 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-13 09:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-13 09:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-11 13:16 <DIR> d-------- C:\VundoFix Backups
2007-10-05 17:11 <DIR> d-------- C:\WINDOWS\pss
2007-10-04 17:49 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 17:49 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-04 17:48 <DIR> d-------- C:\Program Files\Symantec AntiVirus
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 21:19 --------- d-----w C:\Documents and Settings\Dad\Application Data\LimeWire
2007-10-13 15:59 --------- d-----w C:\Program Files\Google
2007-10-13 15:36 --------- d-----w C:\Program Files\Java
2007-10-04 21:52 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-04 21:51 --------- d-----w C:\Program Files\Symantec
2007-10-04 21:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-14 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-09-14 02:09 60,968 ----a-w C:\Documents and Settings\Dad\GoToAssistDownloadHelper.exe
2007-08-24 17:18 --------- d-----w C:\Program Files\Common Files\AOL
2007-08-24 17:18 --------- d-----w C:\Program Files\AIM
2007-08-18 03:56 --------- d-----w C:\Program Files\AIM6
2007-08-18 03:56 --------- d-----w C:\Documents and Settings\Nicole\Application Data\acccore
2007-08-18 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-08-18 03:51 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-08-18 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
.
((((((((((((((((((((((((((((( snapshot@2007-10-13_ 9.51.16.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-13 14:15:06 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 13:38:18 581,632 ----a-r C:\WINDOWS\gmer.exe
+ 2007-10-14 13:16:14 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-14 13:16:14 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-14 13:16:15 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-13 14:15:06 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2006-11-09 18:28:20 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 02:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-11-09 18:28:30 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 02:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-11-09 20:07:32 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 03:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-10-12 21:41:29 11,195 ----a-w C:\WINDOWS\system32\nvModes.dat
+ 2007-10-17 00:02:34 17,083 ----a-w C:\WINDOWS\system32\nvModes.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D089509-246B-4B9B-8B84-AA6DA7CA61E4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-17 05:27 339968 --a------ C:\WINDOWS\system32\oawucwgq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\oawucwgq.dll [2007-10-17 05:27 339968]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.exe" [2001-10-21 15:12 C:\WINDOWS\system32\LXAMSP32.EXE]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-21 12:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jzorkusd]
jzorkusd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oawucwgq]
oawucwgq.dll 2007-10-17 05:27 339968 C:\WINDOWS\system32\oawucwgq.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjj.dll
S3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-17 11:46:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32.job"
- C:\WINDOWS\twain_32
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 07:53:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-17 7:55:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-16 17:21
C:\ComboFix3.txt ... 2007-10-16 08:03
.
--- E O F ---
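Both logs above show the same Vundo load points coming back after every cleaning pass: a Browser Helper Object CLSID, an Internet Explorer toolbar entry, Winlogon\Notify packages, and an extra entry in the LSA "Authentication Packages" value, each pointing at a freshly generated random-named DLL in system32 (ddcdbax.dll, then oawucwgq.dll and jkkjj.dll). The script below is an added example, not part of ComboFix or of anything posted in this thread. It parses the "Reg Loading Points" section of a ComboFix log and flags exactly those patterns. The sample log embedded in it is constructed from entries in the second log above; the function names, the set of keys treated as high-value, the random-name heuristic, and the assumption that ComboFix prints a file line under a BHO key only when the file still exists on disk are all this example's own choices.

```python
import re
from collections import namedtuple

SECTION_START = "Reg Loading Points"
SECTION_END = "Contents of the 'Scheduled Tasks' folder"
# Load points Vundo used in the logs above; treating exactly these keys as
# high-value is this example's choice, not something ComboFix reports.
KEY_KINDS = {
    "bho": re.compile(r"browser helper objects", re.I),
    "ie_toolbar": re.compile(r"internet explorer\\toolbar", re.I),
    "shell_execute_hook": re.compile(r"shellexecutehooks", re.I),
    "winlogon_notify": re.compile(r"winlogon\\notify", re.I),
    "lsa": re.compile(r"control\\lsa", re.I),
}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:dll|exe|sys)\b', re.I)
BARE_DLL_RE = re.compile(r"^([A-Za-z0-9_]+\.dll)\b", re.I)
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")  # ddcdbax, jzorkusd, oawucwgq ...

Finding = namedtuple("Finding", "kind key file reason")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _files_on_line(line):
    """Full paths on the line plus a bare 'name.dll' at the line start (the
    form ComboFix uses under winlogon\\notify), deduplicated by file name."""
    found = {}
    for m in PATH_RE.finditer(line):
        found[_basename(m.group(0)).lower()] = m.group(0)
    bare = BARE_DLL_RE.match(line)
    if bare:
        found.setdefault(bare.group(1).lower(), bare.group(1))
    return list(found.values())


def _classify(key):
    return next((k for k, rx in KEY_KINDS.items() if rx.search(key)), None)


def find_suspicious_loading_points(log_text):
    findings, in_section, key, kind, bho_has_file = [], False, None, None, True
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_START in line:
            in_section = True
            continue
        if SECTION_END in line:
            break
        if not in_section or line in ("", "."):
            continue
        if line.startswith("[") and line.endswith("]"):
            if kind == "bho" and not bho_has_file:
                # Assumption: ComboFix lists the file under a BHO key only when
                # it still exists, so a bare key is a dangling registration.
                findings.append(Finding(kind, key, "", "BHO registered, no file listed"))
            key, kind, bho_has_file = line[1:-1], _classify(line), False
            continue
        if kind is None:
            continue
        if kind == "lsa" and "authentication packages" in line.lower():
            # The stock value is just msv1_0; anything else is a DLL that
            # lsass.exe loads at boot, which is how Vundo outlived the scans.
            rest = line.split("=", 1)[-1]
            packages = [m.group(0) for m in PATH_RE.finditer(rest)]
            packages += PATH_RE.sub(" ", rest).split()
            for pkg in packages:
                if pkg.lower() != "msv1_0":
                    findings.append(Finding(kind, key, pkg, "extra LSA authentication package"))
            continue
        for path in _files_on_line(line):
            stem = _basename(path).rsplit(".", 1)[0]
            if kind == "bho":
                bho_has_file = True
            if kind == "winlogon_notify" and RANDOM_STEM_RE.match(stem):
                findings.append(Finding(kind, key, path, "random-named Winlogon notify DLL"))
            elif (kind in ("bho", "ie_toolbar", "shell_execute_hook")
                  and "\\windows\\system32\\" in path.lower()):
                findings.append(Finding(kind, key, path, kind + " loaded from system32"))
    if kind == "bho" and not bho_has_file:
        findings.append(Finding(kind, key, "", "BHO registered, no file listed"))
    return findings


# Constructed sample: lines copied from the second log in the thread above.
SAMPLE_LOG = r"""
(((((((((( Reg Loading Points ))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D089509-246B-4B9B-8B84-AA6DA7CA61E4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-17 05:27 339968 --a------ C:\WINDOWS\system32\oawucwgq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\oawucwgq.dll [2007-10-17 05:27 339968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jzorkusd]
jzorkusd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oawucwgq]
oawucwgq.dll 2007-10-17 05:27 339968 C:\WINDOWS\system32\oawucwgq.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjj.dll
Contents of the 'Scheduled Tasks' folder
"""

if __name__ == "__main__":
    for f in find_suspicious_loading_points(SAMPLE_LOG):
        print(f"{f.kind:18} {f.reason:34} {f.file or f.key}")
```

Run it as-is to print the flagged entries, or call find_suspicious_loading_points() on the text of a real ComboFix log. Entries under the Run keys are deliberately not scored: on this machine those were all legitimate and Vundo never touched them, while the ShellExecuteHooks entry for SASSEH.DLL lives under Program Files and is left alone. The one structural check, a BHO CLSID with no file beneath it, is what the second log shows for {2D089509-...} after the first pass deleted ssqpp.dll without removing its registration.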
.
((((((((((((((((((((((((((
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Brow
[HKEY_LOCAL_MACHINE\~\Brow
2007-10-17 05:27 339968 --a------ C:\WINDOWS\system32\oawucw
[HKEY_LOCAL_MACHINE\SOFTWA
"{11A69AE4-FBED-4832-A2BF-
[HKEY_CLASSES_ROOT\CLSID\{
[HKEY_LOCAL_MACHINE\SOFTWA
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\D
"SunJavaUpdateSched"="C:\P
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 15:02]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"lxamsp32.exe"="lxamsp32.e
"PrinTray"="C:\WINDOWS\Sys
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe
"iTunesHelper"="C:\Program
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMA
[HKEY_CURRENT_USER\SOFTWAR
"ctfmon.exe"="C:\WINDOWS\s
[HKEY_USERS\.default\softw
"DWQueuedReporting"="C:\PR
C:\Documents and Settings\Nicole\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.ex
[HKEY_LOCAL_MACHINE\SOFTWA
"{5AE067D3-9AFB-48E0-853A-
[HKEY_LOCAL_MACHINE\softwa
jzorkusd.dll
[HKEY_LOCAL_MACHINE\softwa
oawucwgq.dll 2007-10-17 05:27 339968 C:\WINDOWS\system32\oawucw
[HKEY_LOCAL_MACHINE\system
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjj.
S3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\
.
Contents of the 'Scheduled Tasks' folder
"2007-10-17 11:46:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-14 13:00:00 C:\WINDOWS\Tasks\twain_32.
- C:\WINDOWS\twain_32
.
**************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 07:53:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************
.
Completion time: 2007-10-17 7:55:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-16 17:21
C:\ComboFix3.txt ... 2007-10-16 08:03
.
--- E O F ---
>>I placed it up there!<<
That one you uploaded is a screenshot of your group policy.
Have you scanned with WinPFind3u yet? It's the WinPFind3u log that I'm asking for.
ASKER
I don't think you are looking at the right file. I checked the file I uploaded and it is the WinPFind3u.txt log created yesterday. I uploaded a second one today.
wildbill327,
At EE-Stuff.com, there is only one file uploaded for this question:
jpedit.JPG - 145.83 KB
File ID 1896
Tied with Question ID 22113148
Uploaded by Ryan_R
Upload Date Jan 5th 2007 9:32 PM
# Downloads 7
Filename gpedit.JPG
File size 145.83 KB
File Comment screen shot
ASKER
Strange, because when I log into EE-Stuff.com here
https://filedb.experts-exchange.com/incoming/ee-stuff/5045-WinPFind3.Txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5062-WinPFind3.Txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5128-WinPFind3.Txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5068-result.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5069-WinPFind3.Txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5071-kasperersky.txt
I see this.
Logout [wildbill327]
Home Expert Area
View Files - Question ID: 22891312
There are 2 files found uploaded for this question. They are displayed below, in order of their upload date. Click on the file name to view the file details and download the file.
Upload a new file
File Name Uploaded By Upload Date (PST) Comment # Downloads
WinPFind3.Txt wildbill327 Oct 17th 2007 1:07 PM This is the path of the file I uploaded C:\Docu... 0
WinPFind3.Txt wildbill327 Oct 16th 2007 1:44 PM For rpggamergirl: 1
Experts-Exchange Home | Experts Exchange logo and layout © 1995-2007 Experts Exchange LLC. Used by permission.
wildbill327,
I am very sorry, my mistake and I apologize. I somehow was looking at the wrong question ID.
Start WinPFind3U. Copy/Paste the information in the Quotebox below (all text inside the lines) into the pane where it says "Paste fix here" and then click the Run Fix button.
--------------------------------------------------
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> ddcdbax -> %System32%\ddcdbax.dll
YN -> jzorkusd -> jzorkusd.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {2D089509-246B-4B9B-8B84-AA6DA7CA61E4} [HKLM] -> %System32%\ssqpp.dll [Reg Data - Value does not exist]
YN -> {A95B2816-1D7E-4561-A202-68C0DE02353A} [HKLM] -> %System32%\jzorkusd.dll [Reg Data - Value does not exist]
YY -> {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} [HKLM] -> %System32%\ddcdbax.dll [Reg Data - Value does not exist]
YY -> {E35B6C88-E8E7-43D0-9169-4E59B437AC9C} [HKLM] -> %System32%\awvts.dll [Reg Data - Value does not exist]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> %System32%\jzorkusd.dll [Security Toolbar]
[Files/Folders - Created Within 30 days]
NY -> abfqbuel.ini -> %System32%\abfqbuel.ini
NY -> avzzkbht.dll.vir -> %System32%\avzzkbht.dll.vir
NY -> avzzkbht.dllbox -> %System32%\avzzkbht.dllbox
NY -> awvts.dll -> %System32%\awvts.dll
NY -> ayadd.tmp -> %System32%\ayadd.tmp
NY -> bskidxbh.ini -> %System32%\bskidxbh.ini
NY -> cfhulhfn.exe -> %System32%\cfhulhfn.exe
NY -> ddcdbax.dll -> %System32%\ddcdbax.dll
NY -> ecioqvhy.ini -> %System32%\ecioqvhy.ini
NY -> efcccbb.dll -> %System32%\efcccbb.dll
NY -> fccbcyv.dll.vir -> %System32%\fccbcyv.dll.vir
NY -> fccbyyv.dll -> %System32%\fccbyyv.dll
NY -> grwekdho.ini -> %System32%\grwekdho.ini
NY -> hhfledew.exe -> %System32%\hhfledew.exe
NY -> hhhkj.tmp -> %System32%\hhhkj.tmp
NY -> hoxqbqko.ini -> %System32%\hoxqbqko.ini
NY -> ijjlm.tmp -> %System32%\ijjlm.tmp
NY -> jbtvyegb.ini -> %System32%\jbtvyegb.ini
NY -> jjwchdiv.ini -> %System32%\jjwchdiv.ini
NY -> jrcnbdfy.dll -> %System32%\jrcnbdfy.dll
NY -> jrcnbdfy.dllbox -> %System32%\jrcnbdfy.dllbox
NY -> jzorkusd.dllbox -> %System32%\jzorkusd.dllbox
NY -> kioxeprt.dllbox -> %System32%\kioxeprt.dllbox
NY -> kkwostel.dll -> %System32%\kkwostel.dll
NY -> kkwostel.dllbox -> %System32%\kkwostel.dllbox
NY -> ktgxecsy.ini -> %System32%\ktgxecsy.ini
NY -> lgnturdw.dllbox -> %System32%\lgnturdw.dllbox
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> mqvigcru.exe -> %System32%\mqvigcru.exe
NY -> nnnnmkl.dll -> %System32%\nnnnmkl.dll
NY -> ofmzpzuv.dllbox -> %System32%\ofmzpzuv.dllbox
NY -> omxglxxv.exe -> %System32%\omxglxxv.exe
NY -> orqss.tmp -> %System32%\orqss.tmp
NY -> otokoucm.ini -> %System32%\otokoucm.ini
NY -> peygtweb.ini -> %System32%\peygtweb.ini
NY -> pezugkjt.dllbox -> %System32%\pezugkjt.dllbox
NY -> pkcytahg.ini -> %System32%\pkcytahg.ini
NY -> ppqss.bak1 -> %System32%\ppqss.bak1
NY -> ppqss.ini -> %System32%\ppqss.ini
NY -> qgpwlhqr.dllbox -> %System32%\qgpwlhqr.dllbox
NY -> qomljkh.dll -> %System32%\qomljkh.dll
NY -> rkyxkqee.ini -> %System32%\rkyxkqee.ini
NY -> roetukvx.ini -> %System32%\roetukvx.ini
NY -> rppmfgkx.exe -> %System32%\rppmfgkx.exe
NY -> rqroonn.dll -> %System32%\rqroonn.dll
NY -> stvwa.bak1 -> %System32%\stvwa.bak1
NY -> stvwa.ini -> %System32%\stvwa.ini
NY -> tfdwbvim.ini -> %System32%\tfdwbvim.ini
NY -> tnhuepmu.tmp -> %System32%\tnhuepmu.tmp
NY -> tstwa.tmp -> %System32%\tstwa.tmp
NY -> tuvvvvs.dll -> %System32%\tuvvvvs.dll
NY -> txenfhxp.dll -> %System32%\txenfhxp.dll
NY -> txenfhxp.dllbox -> %System32%\txenfhxp.dllbox
NY -> uvaglvtb.dll -> %System32%\uvaglvtb.dll
NY -> uvaglvtb.dllbox -> %System32%\uvaglvtb.dllbox
NY -> wqjmduji.exe -> %System32%\wqjmduji.exe
NY -> xhvrluyn.ini -> %System32%\xhvrluyn.ini
NY -> xxywttr.dll -> %System32%\xxywttr.dll
[Files/Folders - Modified Within 30 days]
NY -> abfqbuel.ini -> %System32%\abfqbuel.ini
NY -> avzzkbht.dll.vir -> %System32%\avzzkbht.dll.vir
NY -> avzzkbht.dllbox -> %System32%\avzzkbht.dllbox
NY -> awvts.dll -> %System32%\awvts.dll
NY -> ayadd.tmp -> %System32%\ayadd.tmp
NY -> bskidxbh.ini -> %System32%\bskidxbh.ini
NY -> cfhulhfn.exe -> %System32%\cfhulhfn.exe
NY -> ddcdbax.dll -> %System32%\ddcdbax.dll
NY -> ecioqvhy.ini -> %System32%\ecioqvhy.ini
NY -> efcccbb.dll -> %System32%\efcccbb.dll
NY -> fccbcyv.dll.vir -> %System32%\fccbcyv.dll.vir
NY -> fccbyyv.dll -> %System32%\fccbyyv.dll
NY -> grwekdho.ini -> %System32%\grwekdho.ini
NY -> hhfledew.exe -> %System32%\hhfledew.exe
NY -> hhhkj.tmp -> %System32%\hhhkj.tmp
NY -> hoxqbqko.ini -> %System32%\hoxqbqko.ini
NY -> ijjlm.tmp -> %System32%\ijjlm.tmp
NY -> jbtvyegb.ini -> %System32%\jbtvyegb.ini
NY -> jjwchdiv.ini -> %System32%\jjwchdiv.ini
NY -> jrcnbdfy.dll -> %System32%\jrcnbdfy.dll
NY -> jrcnbdfy.dllbox -> %System32%\jrcnbdfy.dllbox
NY -> jzorkusd.dllbox -> %System32%\jzorkusd.dllbox
NY -> kioxeprt.dllbox -> %System32%\kioxeprt.dllbox
NY -> kkwostel.dll -> %System32%\kkwostel.dll
NY -> kkwostel.dllbox -> %System32%\kkwostel.dllbox
NY -> ktgxecsy.ini -> %System32%\ktgxecsy.ini
NY -> lgnturdw.dllbox -> %System32%\lgnturdw.dllbox
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> mqvigcru.exe -> %System32%\mqvigcru.exe
NY -> nnnnmkl.dll -> %System32%\nnnnmkl.dll
NY -> ofmzpzuv.dllbox -> %System32%\ofmzpzuv.dllbox
NY -> omxglxxv.exe -> %System32%\omxglxxv.exe
NY -> orqss.tmp -> %System32%\orqss.tmp
NY -> otokoucm.ini -> %System32%\otokoucm.ini
NY -> peygtweb.ini -> %System32%\peygtweb.ini
NY -> pezugkjt.dllbox -> %System32%\pezugkjt.dllbox
NY -> pkcytahg.ini -> %System32%\pkcytahg.ini
NY -> ppqss.bak1 -> %System32%\ppqss.bak1
NY -> ppqss.ini -> %System32%\ppqss.ini
NY -> qgpwlhqr.dllbox -> %System32%\qgpwlhqr.dllbox
NY -> qomljkh.dll -> %System32%\qomljkh.dll
NY -> rkyxkqee.ini -> %System32%\rkyxkqee.ini
NY -> roetukvx.ini -> %System32%\roetukvx.ini
NY -> rppmfgkx.exe -> %System32%\rppmfgkx.exe
NY -> rqroonn.dll -> %System32%\rqroonn.dll
NY -> stvwa.bak1 -> %System32%\stvwa.bak1
NY -> stvwa.ini -> %System32%\stvwa.ini
NY -> tfdwbvim.ini -> %System32%\tfdwbvim.ini
NY -> tnhuepmu.tmp -> %System32%\tnhuepmu.tmp
NY -> tstwa.tmp -> %System32%\tstwa.tmp
NY -> tuvvvvs.dll -> %System32%\tuvvvvs.dll
NY -> txenfhxp.dll -> %System32%\txenfhxp.dll
NY -> txenfhxp.dllbox -> %System32%\txenfhxp.dllbox
NY -> uvaglvtb.dll -> %System32%\uvaglvtb.dll
NY -> uvaglvtb.dllbox -> %System32%\uvaglvtb.dllbox
NY -> wqjmduji.exe -> %System32%\wqjmduji.exe
NY -> xhvrluyn.ini -> %System32%\xhvrluyn.ini
NY -> xxywttr.dll -> %System32%\xxywttr.dll
[File String Scan - Non-Microsoft Only]
NY -> WSUD , -> %System32%\hhhkj.tmp
NY -> WSUD , -> %System32%\ijjlm.tmp
NY -> WSUD , -> %System32%\tstwa.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]
--------------------------------------------------
When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.
ASKER
I have uploaded the two requested files. The result of the script is result.txt.
Start WinPFind3U again. Copy/Paste the information in the Quotebox below (all text inside the lines) into the pane where it says "Paste fix here" and then click the Run Fix button.
--------------------------------------------------
[Kill Explorer]
[Unregister Dlls]
[Files/Folders - Created Within 30 days]
NY -> adaway.lic -> %SystemRoot%\adaway.lic
NY -> oawucwgq.dll -> %System32%\oawucwgq.dll
NY -> oawucwgq.dllbox -> %System32%\oawucwgq.dllbox
NY -> tkqwhfyp.exe -> %System32%\tkqwhfyp.exe
[Files/Folders - Modified Within 30 days]
NY -> adaway.lic -> %SystemRoot%\adaway.lic
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> oawucwgq.dll -> %System32%\oawucwgq.dll
NY -> oawucwgq.dllbox -> %System32%\oawucwgq.dllbox
[Start Explorer]
[Reboot]
--------------------------------------------------
When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix.
Then run online scanners and see if they find any more nasties.
Kaspersky online scanner: it doesn't remove what it finds, but you can save the report to show us.
http://www.kaspersky.com/virusscanner
OR: TrendMicro
http://housecall65.trendmicro.com/
Or: PandaActivescan
http://www.pandasoftware.com/activescan/activescan/ascan_2.asp
ASKER
I ran the Kaspersky scan and have uploaded the results file.
Even after running all the virus scanners available out there, you can't really be sure that your system's state is back to the way it was prior to the infection. It's really good that you're trying your best to resolve this without re-formatting your machine, but in my opinion it would be best to take a backup of all your files and do a reinstall.
ASKER
I still get Netflex and American Express pop-ups. I have the pop-up blocker enabled in IE.
Thank you.
Sorry, I was away for 2 days.
American Express and Netflex popups?
Could we look at another WinPFind log? Or have you resolved this question already, since you closed it?
ASKER
I'll send another WinPFind log if you don't mind. I uploaded it to EE-Stuff.
I hope you can forgive me for failing to come back here. I apologize for my incompetence. It's been way too long; I'm very sorry.
I've looked at the logs and I couldn't find anything suspicious, or maybe I just missed it. Kaspersky is the best scanner and I didn't spot the culprit there.
Do you have a screenshot of the popups?
Also try clearing your Trusted\Restricted zones; sometimes some nasties list themselves there.
Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the file and select "Install".
Again, I'm sorry for replying too late.
ASKER
Scan saved at 10:39:10 AM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchos
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCE
C:\WINDOWS\system32\LEXPPS
C:\WINDOWS\system32\spools
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\D
C:\Program Files\Java\jre1.5.0_10\bin
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lxamsp
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\spool\
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTra
C:\WINDOWS\system32\ctfmon
C:\Program Files\LexmarkX63\AcBtnMgr_
C:\Program Files\LexmarkX63\ACMonitor
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system\mgrsvc.e
C:\WINDOWS\system32\nvsvc3
C:\WINDOWS\System32\svchos
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\Vie
C:\Program Files\iPod\bin\iPodService
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_10\bin
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\D
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICR
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICR
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-0
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O16 - DPF: {05D44720-58E3-49E6-BDF6-D
O16 - DPF: {3BB54395-5982-4788-8AF4-B
O16 - DPF: {5736C456-EA94-4AAC-BB08-9
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-D
O16 - DPF: {9BDF4724-10AA-43D5-BD15-A
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C
O20 - Winlogon Notify: awtsppq - C:\WINDOWS\SYSTEM32\awtspp
O20 - Winlogon Notify: mljgdca - C:\WINDOWS\SYSTEM32\mljgdc
O20 - Winlogon Notify: nnnmmji - C:\WINDOWS\SYSTEM32\nnnmmj
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.e
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc3
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\Vie
--
End of file - 8644 bytes
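The experts in this thread picked the bad entries out of the HijackThis logs by eye: O20 Winlogon Notify packages with random-looking names (the Vundo pattern), an O23 service with "Unknown owner", and O2 BHOs registered with no name. The script below is an added example, not code from the thread or from HijackThis, that applies those same three checks to log text; the sample lines are constructed to match the log format above, with made-up CLSIDs and completed file names where the page shows truncated ones.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re

VOWELS = set("aeiou")

# Constructed sample lines in HijackThis format. CLSIDs marked 0000... are
# placeholders; the file names completing the thread's truncated paths are made up.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\ddcdbax.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: awtsppq - C:\WINDOWS\SYSTEM32\awtsppq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: nnnmmji - C:\WINDOWS\SYSTEM32\nnnmmji.dll
O23 - Service: Intel Input Service (IISLvc) - Unknown owner - C:\WINDOWS\system\mgrsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

RE_O20 = re.compile(r"O20 - Winlogon Notify: (\S+) - (.+)$")
RE_O23 = re.compile(r"O23 - Service: (.+?) - (.+?) - (.+)$")
RE_O2 = re.compile(r"O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")


def looks_random(name: str) -> bool:
    """Heuristic for the generated names Vundo drops (awtsppq, mljgdca, nnnmmji):
    all lowercase letters with a run of five or more consonants, or no vowels at all.
    A stock name like igfxcui (longest consonant run 4) is not flagged."""
    if not (name.isalpha() and name.islower()):
        return False
    run = longest = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5 or not (set(name) & VOWELS)


def triage(log_text: str) -> list:
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_O20.match(line)
        if m and looks_random(m.group(1)):
            findings.append({"type": "O20", "item": m.group(1), "path": m.group(2),
                             "reason": "random-looking Winlogon Notify package"})
            continue
        m = RE_O23.match(line)
        if m and m.group(2) == "Unknown owner":
            findings.append({"type": "O23", "item": m.group(1), "path": m.group(3),
                             "reason": "service with no vendor string"})
            continue
        m = RE_O2.match(line)
        if m and m.group(1) == "(no name)":
            # Some legitimate tools also register unnamed BHOs, so this is "review", not "bad".
            findings.append({"type": "O2", "item": m.group(2), "path": m.group(3),
                             "reason": "BHO registered without a name; review the DLL"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:<4} {f['item']:<45} {f['reason']} -> {f['path']}")
```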