Thread: [SOLVED] VUNDO worm infection
View Single Post
Old 06-12-2008, 11:14 PM   #3 (permalink)
Disko_Stu
Registered User
 
Disko_Stu's Avatar
 
Join Date: May 2007
Location: Australia
Posts: 46
OS: Windows XP and Vista


Re: VUNDO worm infection
Hi Katana, Thanks for the help!

Here is the log for ComboFix and a new DSS log:

-------------------------------------------------

ComboFix 08-06-11.3 - Jeff 2008-06-13 14:55:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT 10:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5332d193.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mfdjsgwn.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\vvDKkUtv.ini
C:\WINDOWS\system32\vvDKkUtv.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-12 21:12 . 2008-06-12 21:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 21:12 . 2008-06-12 21:12 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2008-06-12 21:12 . 2008-06-12 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 21:12 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-12 21:12 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-12 21:07 . 2008-06-12 21:07 <DIR> d-------- C:\VundoFix Backups
2008-06-12 20:52 . 2008-06-12 20:52 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-10 12:18 . 2008-06-10 12:18 <DIR> d-------- C:\Deckard
2008-06-10 12:04 . 2008-06-10 12:06 <DIR> d-------- C:\Program Files\Panda Security
2008-06-01 20:11 . 2008-06-01 20:11 <DIR> dr-h----- C:\Documents and Settings\Jeff\Application Data\SecuROM
2008-05-13 13:08 . 2008-05-13 13:08 268 --ah----- C:\sqmdata02.sqm
2008-05-13 13:08 . 2008-05-13 13:08 244 --ah----- C:\sqmnoopt02.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 04:47 --------- d-----w C:\Documents and Settings\Jeff\Application Data\SiteAdvisor
2008-06-13 04:38 --------- d-----w C:\Program Files\Lx_cats
2008-06-12 10:40 --------- d-----w C:\Documents and Settings\Jeff\Application Data\AVG7
2008-06-12 04:45 --------- d-----w C:\Program Files\Notepad++
2008-06-10 02:19 --------- d-----w C:\Program Files\HJT
2008-06-01 10:11 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-27 13:25 --------- d-----w C:\Documents and Settings\Jeff\Application Data\OpenOffice.org2
2008-05-09 02:57 --------- d-----w C:\Documents and Settings\Jeff\Application Data\MozillaControl
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 11:01 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-07-20 08:37 13,142 ----a-w C:\Documents and Settings\Jeff\ZGUICFGW.DAT
2007-06-14 13:36 36,568 ----a-w C:\Documents and Settings\Jeff\Application Data\GDIPFONTCACHEV1.DAT
2007-05-18 02:52 5,632 --sha-w C:\Program Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31F758F1-5DF4-495D-BBC3-1A41466F92E3}]
C:\WINDOWS\system32\vtUkKDvv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E25EE903-37EB-467B-B1F0-F71063F6B8C8}]
C:\WINDOWS\system32\ljJYQJDv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:56 15360]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-10-09 01:25 497152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-29 11:41 1245184]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 19:41 57344 C:\WINDOWS\SOUNDMAN.EXE]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 16:08 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2005-10-06 12:31 335872]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-07 16:45 155648]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 16:07 200704]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 22:05 94208]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 23:36 299008]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 09:12 90112]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 07:55 61440]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 10:54 579584]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-21 03:48 73728]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 10:39 219136]

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-07 00:36:15 113664]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-15 19:44:24 1183744]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
SATARaid.lnk - C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe [2005-08-16 20:08:19 1019961]
Startup.lnk - C:\Documents and Settings\Jeff\My Documents\Startup.bat [2008-04-14 08:24:18 398]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E25EE903-37EB-467B-B1F0-F71063F6B8C8}"= C:\WINDOWS\system32\ljJYQJDv.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYQJDv]
ljJYQJDv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= JpegCode.dll
"VIDC.MJPG"= JpegCode.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\THQ\\RedFaction\\rf.exe"=
"C:\\Program Files\\Bit Lord 1.1\\BitLord.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\si3112r.sys [2003-02-24 13:21]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 03:17]
S1 i386p;i386p;C:\WINDOWS\system32\drivers\i386p.sys []
S3 ewdmaudn;ewdmaudn;C:\DOCUME~1\Jeff\LOCALS~1\Temp\ewdmaudn.sys []
S3 PentaxUsb;PENTAX Optio 60 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2004-03-17 06:59]
S3 PentaxVc;PENTAX Optio 60 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2004-03-17 07:00]

.
Contents of the 'Scheduled Tasks' folder
"2005-12-25 04:27:38 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 15:02:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-06-13 15:07:15 - machine was rebooted [Jeff]
ComboFix-quarantined-files.txt 2008-06-13 05:07:11

Pre-Run: 16,612,397,056 bytes free
Post-Run: 16,632,213,504 bytes free

163 --- E O F --- 2008-06-13 04:41:25



--------------------------------------------------------------
--------------------------------------------------------------
--------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Jeff on 2008-06-13 15:10:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 15.51 GiB (less than 15%) free.


-- HijackThis (run as Jeff.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:10:10 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jeff\Desktop\Fix\dss.exe
C:\PROGRA~1\HJT\Jeff.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31F758F1-5DF4-495D-BBC3-1A41466F92E3} - C:\WINDOWS\system32\vtUkKDvv.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E25EE903-37EB-467B-B1F0-F71063F6B8C8} - C:\WINDOWS\system32\ljJYQJDv.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Startup.lnk = C:\Documents and Settings\Jeff\My Documents\Startup.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file://D:\components\wmvhdrating.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ljJYQJDv - ljJYQJDv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


-- Files created between 2008-05-13 and 2008-06-13 -----------------------------

2008-06-13 14:50:51 0 d-------- C:\cmdcons
2008-06-13 14:48:15 68096 --a------ C:\WINDOWS\zip.exe
2008-06-13 14:48:15 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-13 14:48:15 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-13 14:48:15 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-13 14:48:15 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-13 14:48:15 98816 --a------ C:\WINDOWS\sed.exe
2008-06-13 14:48:15 80412 --a------ C:\WINDOWS\grep.exe
2008-06-13 14:48:15 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-12 21:12:39 0 d-------- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2008-06-12 21:12:36 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 21:12:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-12 21:07:10 0 d-------- C:\VundoFix Backups
2008-06-10 12:04:54 0 d-------- C:\Program Files\Panda Security
2008-06-01 20:11:38 0 dr-h----- C:\Documents and Settings\Jeff\Application Data\SecuROM


-- Find3M Report ---------------------------------------------------------------

2008-06-13 15:10:09 0 d-------- C:\Program Files\HJT
2008-06-13 14:47:54 0 d-------- C:\Documents and Settings\Jeff\Application Data\SiteAdvisor
2008-06-13 14:38:19 0 d-------- C:\Program Files\Lx_cats
2008-06-12 20:45:43 3284 --a------ C:\WINDOWS\system32\ANIWZCS{35B19030-CC69-43FC-BBBF-27067B1131F6}
2008-06-12 20:40:29 0 d-------- C:\Documents and Settings\Jeff\Application Data\AVG7
2008-06-12 16:45:53 0 d-------- C:\Documents and Settings\Jeff\Application Data\Adobe
2008-06-12 14:45:43 0 d-------- C:\Program Files\Notepad++
2008-05-27 23:25:43 0 d-------- C:\Documents and Settings\Jeff\Application Data\OpenOffice.org2
2008-05-09 12:57:47 0 d-------- C:\Documents and Settings\Jeff\Application Data\MozillaControl
2008-03-18 13:22:21 6051 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31F758F1-5DF4-495D-BBC3-1A41466F92E3}]
C:\WINDOWS\system32\vtUkKDvv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E25EE903-37EB-467B-B1F0-F71063F6B8C8}]
C:\WINDOWS\system32\ljJYQJDv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [03/29/2005 11:41 AM]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [12/16/2004 05:49 PM]
"SoundMan"="SOUNDMAN.EXE" [10/08/2003 07:41 PM C:\WINDOWS\SOUNDMAN.EXE]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [08/06/2003 04:08 PM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 02:56 PM C:\WINDOWS\system32\bthprops.cpl]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [10/06/2005 12:31 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/18/2005 10:58 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/07/2005 04:45 PM]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [07/21/2005 04:07 PM]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [08/01/2005 10:05 PM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [07/12/2005 11:36 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [05/10/2006 09:12 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [09/14/2006 07:55 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/16/2008 10:54 AM]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [07/21/2005 03:48 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 09:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 PM]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [10/09/2006 01:25 AM]

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/7/2006 12:36:15 AM]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [3/15/2006 7:44:24 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
SATARaid.lnk - C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe [8/16/2005 8:08:19 PM]
Startup.lnk - C:\Documents and Settings\Jeff\My Documents\Startup.bat [4/14/2008 8:24:18 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E25EE903-37EB-467B-B1F0-F71063F6B8C8}"= C:\WINDOWS\system32\ljJYQJDv.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYQJDv]
ljJYQJDv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-06-13 15:10:32 ------------
Disko_Stu is offline