Registered User
Join Date: Sep 2006
Posts: 24
OS: XP
OK, this is after a reboot, a partial system scan at housecall.trendmicro.com, a crash, rebooting to safe mode, and running AVGfree, Spybot, Ad-Aware, and ComboFix, in that order. ComboFix log:
Owner - 06-09-25 20:56:33.92 Service Pack 2
ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Owner\Desktop"
((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))
* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *
06-09-24 14:31 279 lsqor.dll.qoo
06-09-24 14:03 53 vlpnqb.dat.qoo
DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO
((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\Owner\Application Data\Dxcknwrd.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
C:\WINDOWS\system32\dxclib303562752.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\Duce6.exe
C:\Documents and Settings\Owner\Application Data\Install.dat
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\justin.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\Eim03.exe
C:\Program Files\Common Files\misc002
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{5C0359CB-0890-1033-1206-021025200001}
C:\Documents and Settings\All Users\Documents\Settings
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\SEMBLY~1
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\WNSXS~1
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\SEMBLY~1\msconfig.exe
C:\QooBox\Purity\Documents and Settings\Owner\My Documents\SEMBLY~1\??sembly
C:\QooBox\Purity\Program Files\APPATC~1
C:\QooBox\Purity\Program Files\RACLE~1
C:\QooBox\Purity\Program Files\APPATC~1\m?iexec.exe
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\m?iexec.exe
((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))
2006-09-25 11:01 126,976 --a------ C:\WINDOWS\system32\lekb.dll
2006-09-25 10:44 163,840 --a------ C:\WINDOWS\win320971543723462006.exe
2006-09-25 10:44 163,840 --a------ C:\WINDOWS\win32086715437234.exe
2006-09-25 10:44 163,840 --a------ C:\WINDOWS\sys1015437234672006.exe
2006-09-24 19:29 215,308 --a------ C:\WINDOWS\srvtcogesu.exe
2006-09-24 19:28 215,308 --a------ C:\WINDOWS\srvczpqlfm.exe
2006-09-24 19:23 215,308 --a------ C:\WINDOWS\srvotfewuo.exe
2006-09-24 14:04 4,096 -rah----- C:\WINDOWS\system32\svch05t.dll
2006-09-24 14:03 95,232 --a------ C:\WINDOWS\system32\ulhakjl.dll
2006-09-24 14:03 72,704 --a------ C:\WINDOWS\system32\nlkkmve.dll
2006-09-24 14:03 33,461 --a------ C:\WINDOWS\system32\hvdi32.dll
2006-09-24 14:03 131,072 --a------ C:\WINDOWS\system32\zyqm.dll
2006-09-24 14:02 32,768 --a------ C:\WINDOWS\1205.exe
2006-09-24 14:02 215,308 --a------ C:\WINDOWS\srvjfwxbdl.exe
2006-09-23 12:58 893 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-23 02:31 96,768 --------- C:\WINDOWS\system32\dxclib303562752.dll
2006-09-23 02:31 45,065 --a------ C:\WINDOWS\TIELT001.exe
2006-09-23 02:31 32,768 --a------ C:\WINDOWS\DXCecho.exe
2006-09-23 02:31 268,581 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-23 02:31 139,264 --a------ C:\WINDOWS\MirarSetup_876057.exe
2006-09-23 02:31 1,233 --a------ C:\WINDOWS\system32\pcucb187.sys
2006-09-23 02:25 19,456 --a------ C:\WINDOWS\system32\2000.exe
2006-09-22 15:19 19,456 --a------ C:\WINDOWS\system32\index.exe
2006-09-22 14:24 19,456 --a------ C:\WINDOWS\system32\500.exe
2006-09-22 13:19 19,456 --a------ C:\WINDOWS\system32\100.exe
2006-09-22 12:49 19,456 --a------ C:\WINDOWS\system32\pusk.exe
2006-09-22 10:38 53,248 --a------ C:\WINDOWS\109uninst.exe
2006-09-22 10:36 53,248 --a------ C:\WINDOWS\uni_7eh.exe
2006-09-22 10:34 163,840 --a------ C:\WINDOWS\win32097154372346.exe
2006-09-22 10:34 163,840 --a------ C:\WINDOWS\win32074671543723.exe
2006-09-22 10:34 163,840 --a------ C:\WINDOWS\sys015437234671.exe
2006-09-22 10:34 163,840 --a------ C:\WINDOWS\ms052346715437.exe
2006-09-22 07:33 19,456 --a------ C:\WINDOWS\system32\unload.exe
2006-09-21 13:16 4,096 -rah----- C:\WINDOWS\system32\svch10.dll
2006-09-21 13:16 10,101 -r-h----- C:\WINDOWS\system32\tmp_k.exe
2006-09-21 11:32 8,192 --a------ C:\jswudopx.exe
2006-09-07 20:37 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2006-09-06 15:52 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
Rootkit driver pe386 is present. A rootkit scan is required
2006-09-25 20:57 -------- d-------- C:\Program Files\Common Files
2006-09-25 20:36 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-25 12:43 32179 ---hs---- C:\Program Files\Common Files\Yazzle1438OinUninstaller.exe
2006-09-25 12:25 -------- d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2006-09-25 10:52 -------- d--h----- C:\Program Files\BHO Plugin
2006-09-25 10:46 -------- d-------- C:\Program Files\Symantec
2006-09-25 10:46 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-25 02:15 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-09-24 19:33 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-24 19:19 -------- d-------- C:\Program Files\Trillian
2006-09-24 19:18 -------- d-------- C:\Documents and Settings\Owner\Application Data\foobar2000
2006-09-24 19:09 -------- d-------- C:\Program Files\Common Files\oqum
2006-09-24 14:21 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-24 14:21 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-09-24 14:21 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-09-24 14:21 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-09-24 14:21 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-09-24 14:21 -------- d-------- C:\Program Files\Grisoft
2006-09-23 16:47 -------- d-------- C:\Program Files\DeluxeCommunications
2006-09-23 16:35 -------- d-------- C:\Program Files\G6 U-DISK Manager
2006-09-23 14:21 -------- d-------- C:\Program Files\popupwithcast
2006-09-23 02:26 -------- d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2006-09-21 11:30 -------- d-------- C:\Program Files\WinPLOSION
2006-09-18 23:50 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-18 23:50 -------- d-------- C:\Program Files\Common Files\Real
2006-09-18 23:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-09-18 11:04 -------- d-------- C:\Program Files\WinRAR
2006-09-11 21:22 -------- d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2006-09-07 14:03 157184 ---hs---- C:\Program Files\Common Files\Yazzle1438OinAdmin.exe
2006-09-06 15:44 -------- d-------- C:\Program Files\Network Associates
2006-09-06 15:44 -------- d-------- C:\Program Files\Common Files\Cisco Systems
2006-09-06 15:43 -------- d-------- C:\Program Files\Common Files\Network Associates
2006-09-06 15:32 -------- d-------- C:\Program Files\Internet Explorer
2006-09-06 15:29 -------- d-------- C:\Program Files\Outlook Express
2006-09-06 15:29 -------- d-------- C:\Program Files\Messenger
2006-09-06 15:29 -------- d-------- C:\Program Files\Common Files\System
2006-08-25 21:38 -------- d-------- C:\Program Files\Movie Player
2006-08-24 03:07 -------- d-------- C:\Program Files\2BrightSparks
2006-08-23 22:36 -------- d-------- C:\Program Files\Azureus
2006-08-23 19:12 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-08-23 19:08 -------- d-------- C:\Program Files\PowerQuest
2006-08-22 13:40 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-08-21 13:09 873 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
2006-08-21 13:09 0 --a------ C:\Documents and Settings\Owner\Application Data\dm.ini
2006-08-21 13:09 -------- d-------- C:\Program Files\Adobe
2006-08-21 13:04 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-21 13:04 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-08-21 12:28 -------- d-------- C:\Program Files\DivX
2006-08-21 12:26 -------- d-------- C:\Program Files\ffdshow
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 02:53 167936 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-08-21 02:36 -------- d-------- C:\Program Files\Illustrate
2006-08-19 23:30 -------- d-------- C:\Program Files\illiminable
2006-08-19 20:41 -------- d-------- C:\Program Files\MsnMusic
2006-08-19 20:40 -------- d-------- C:\Program Files\Windows Media Player
2006-08-19 01:11 -------- d-------- C:\Program Files\Java
2006-08-19 01:08 -------- d-------- C:\Program Files\Common Files\Java
2006-08-14 20:52 78848 --a------ C:\WINDOWS\system32\nsr10.dll
2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-03 22:00 -------- d-a------ C:\Program Files\snes9xw-1.5
2006-08-03 16:53 -------- d-------- C:\Program Files\oggenc
2006-08-03 16:47 -------- d-------- C:\Program Files\Exact Audio Copy
2006-07-30 12:32 -------- d-------- C:\Documents and Settings\Owner\Application Data\ArcSoft
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-26 19:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-07-26 19:44 -------- d-------- C:\Program Files\Lavasoft
2006-07-26 12:16 -------- d-------- C:\Program Files\OpenOffice.org 2.0
2006-07-25 23:52 -------- d-------- C:\Program Files\Common Files\Ahead
2006-07-25 23:50 -------- d-------- C:\Program Files\Nero
2006-07-25 16:11 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 17:40 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 17:40 620180 --a------ C:\WINDOWS\system32\DivX.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
"oqum"="C:\\PROGRA~1\\COMMON~1\\oqum\\oqumm.exe"
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"Notn"="\"C:\\DOCUME~1\\Owner\\MYDOCU~1\\SEMBLY~1\\msconfig.exe\" -vt yazb"
"Ypq"="C:\\Program Files\\A?pPatch\\m?iexec.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sachost"="C:\\WINDOWS\\sachostx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"win32097154372346"="C:\\WINDOWS\\win32097154372346.exe"
"ms052346715437"="C:\\WINDOWS\\ms052346715437.exe"
"win32074671543723"="C:\\WINDOWS\\win32074671543723.exe"
"ms047234671543"="C:\\WINDOWS\\ms047234671543.exe"
"Zero Knowledge Freedom"="C:\\Program Files\\Zero Knowledge\\Freedom\\AutoStarterR.exe"
"WinPLOSION"="\"C:\\Program Files\\WinPLOSION\\winplosion.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"stonedrv"="c:\\windows\\system32\\stonedrv.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"pcucb187"="RUNDLL32.EXE w002935c.dll,n 004cb18300000005002935c"
"nwiz"="nwiz.exe /installquiet /keeploaded"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NAV CfgWiz"="C:\\PROGRA~1\\NORTON~1\\Cfgwiz.exe /R"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"EPSON Stylus C62 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0BIC1.EXE /P23 \"EPSON Stylus C62 Series\" /O6 \"USB001\" /M \"Stylus C62\""
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"BlockTracker"="c:\\hp\\bin\\BlockTracker.exe"
"BCNT"="C:\\PROGRA~1\\AWS\\WEATHE~1\\BCNT.EXE"
"AutoTBar"="C:\\hp\\bin\\autotbar.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"win32086715437234"="C:\\WINDOWS\\win32086715437234.exe"
"{35-59-9C-CB-ZN}"="C:\\windows\\system32\\ordsregs.exe ELT001"
"sys015437234671"="C:\\WINDOWS\\sys015437234671.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000b5
"NoRecentDocsMenu"=hex:01,00,00,00
"NoActiveDesktop"=hex:01,00,00,00
"NoDrives"=hex:00,00,00,00
"NoDriveAutoRun"=hex:fd,03,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5b,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: Mon 09/25/2006 21:02:27.98
ComboFix.txt