06-30-2008, 12:25 PM   #1
Registered User
 
Join Date: Nov 2007
Posts: 17
OS: Windows XP Home


[SOLVED] Running very slow-Trj/Rebooter.J, Rootkit/Booto.C

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-30 12:30:13
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\classes\protocols\name-space handler\res
00040415 adware/wintools Adware No 0 Yes No hkey_classes_root\protocols\name-space handler\res
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{974C5B70-8C05-419F-84D7-A06C18C8FF69}\RP1091\A0065166.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{974C5B70-8C05-419F-84D7-A06C18C8FF69}\RP1091\A0065077.EXE
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{974C5B70-8C05-419F-84D7-A06C18C8FF69}\RP1091\A0065167.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{974C5B70-8C05-419F-84D7-A06C18C8FF69}\RP1091\A0065065.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
;===================================================================================================================================================================================


Deckard's System Scanner v20071014.68
Run by Koni Wyss on 2008-06-30 12:57:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Koni Wyss.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:02 PM, on 6/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dlbacoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell AIO Printer A940\dlbamon.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Koni Wyss\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\KONIWY~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7F8E1523-254B-4994-9AC7-201A724CA76C} - C:\WINDOWS\system32\ssqOEXrP.dll (file missing)
O2 - BHO: {f7d31cf7-ff9f-943a-8604-b0577e1faa49} - {94aaf1e7-750b-4068-a349-f9ff7fc13d7f} - C:\WINDOWS\system32\ixmqsxlu.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows LSSS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\FAMILYCOMPUTER\svchost.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dlbamon.exe] "C:\Program Files\Dell AIO Printer A940\dlbamon.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: PASPortal.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1211782913500
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: urqOHASK - urqOHASK.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0153501214824608) (0153501214824608mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\015350~1.EXE
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlba_device - - C:\WINDOWS\system32\dlbacoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 9685 bytes

-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-30 06:16:26 0 d-------- C:\WINDOWS\LastGood
2008-06-28 20:45:25 0 d-------- C:\Documents and Settings\LocalService\Application Data\Acronis
2008-06-28 20:39:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-06-28 20:37:21 0 d-------- C:\Program Files\Common Files\Acronis
2008-06-28 20:37:21 0 d-------- C:\Program Files\Acronis
2008-06-27 22:29:25 0 d-------- C:\Program Files\Dell AIO Printer A940
2008-06-27 22:29:02 274432 --a------ C:\WINDOWS\system32\DLBAinst.dll
2008-06-27 22:29:01 323584 --a------ C:\WINDOWS\system32\DLBAhcp.dll <Not Verified; ; Printer Communication System>
2008-06-26 11:55:31 68096 --a------ C:\WINDOWS\zip.exe
2008-06-26 11:55:31 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-26 11:55:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-26 11:55:31 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-26 11:55:31 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-26 11:55:31 98816 --a------ C:\WINDOWS\sed.exe
2008-06-26 11:55:31 80412 --a------ C:\WINDOWS\grep.exe
2008-06-26 11:55:31 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-26 11:36:50 0 d-------- C:\Program Files\ACW
2008-06-26 01:33:20 0 d-------- C:\Program Files\Common Files\Java
2008-06-26 00:11:16 0 d-------- C:\Documents and Settings\Koni Wyss\Application Data\DeepBurner Pro
2008-06-26 00:04:08 0 d-------- C:\v2d
2008-06-26 00:03:45 0 d-------- C:\Program Files\Total Video2DVD Author
2008-06-25 23:36:57 2970 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-24 23:48:07 0 d-------- C:\Program Files\Panda Security
2008-06-24 19:30:30 0 d-------- C:\Program Files\Windows Defender
2008-06-24 16:36:49 0 d-------- C:\VundoFix Backups
2008-06-24 15:27:31 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-06-24 15:27:20 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-24 15:25:46 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-06-24 15:22:36 0 d-------- C:\Program Files\McAfee.com
2008-06-24 15:22:13 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-24 15:21:42 0 d-------- C:\Program Files\McAfee
2008-06-24 14:43:54 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-24 14:33:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-17 20:09:19 0 d-------- C:\Documents and Settings\Koni Wyss\Application Data\WinRAR
2008-06-17 20:05:20 0 d-------- C:\Program Files\Common Files\Motorola Shared
2008-06-14 13:18:55 0 d-------- C:\Program Files\Roxio
2008-06-14 13:17:48 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2008-06-12 01:08:24 0 d-------- C:\Program Files\SpywareBlaster
2008-06-12 00:20:34 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-12 00:20:28 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-11 23:53:07 0 d-------- C:\WINDOWS\Internet Logs
2008-06-10 15:29:37 0 d-------- C:\Program Files\FileInnovations
2008-06-10 01:56:08 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-06-28 20:37:21 0 d-------- C:\Program Files\Common Files
2008-06-26 13:34:02 0 d-------- C:\Program Files\Lavasoft
2008-06-26 01:34:20 0 d-------- C:\Program Files\Java
2008-06-25 02:55:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 15:48:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-26 01:52:29 0 d-------- C:\Program Files\EA SPORTS
2008-05-24 19:18:22 0 d-------- C:\Program Files\Windows Resource Kits
2008-05-24 17:11:01 0 d-------- C:\Program Files\Dell
2008-05-23 23:30:54 0 d-------- C:\Program Files\Windows Sidebar
2008-05-23 23:16:14 0 d-------- C:\Program Files\Messenger
2008-05-23 23:15:46 0 d-------- C:\Program Files\Movie Maker
2008-05-23 23:12:03 0 d-------- C:\Program Files\Windows NT
2008-05-23 12:47:55 0 d-------- C:\Program Files\Apple Software Update
2008-05-23 12:02:46 0 d-------- C:\Program Files\iTunes
2008-05-23 12:02:20 0 d-------- C:\Program Files\iPod
2008-05-23 12:00:06 0 d-------- C:\Program Files\QuickTime
2008-05-23 03:09:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-23 03:08:19 0 d-------- C:\Documents and Settings\Koni Wyss\Application Data\AdobeUM
2008-05-23 02:55:58 0 d-------- C:\Documents and Settings\Koni Wyss\Application Data\U3


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
11/26/2007 10:46 AM 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F8E1523-254B-4994-9AC7-201A724CA76C}]
C:\WINDOWS\system32\ssqOEXrP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94aaf1e7-750b-4068-a349-f9ff7fc13d7f}]
C:\WINDOWS\system32\ixmqsxlu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" []
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" []
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 07:59 AM C:\WINDOWS\BCMSMMSG.exe]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [11/30/2007 05:42 AM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [03/14/2003 05:59 PM]
"Windows LSSS Service"="C:\Program Files\Common Files\Microsoft Shared\DAO\FAMILYCOMPUTER\svchost.exe" []
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"dlbamon.exe"="C:\Program Files\Dell AIO Printer A940\dlbamon.exe" [03/05/2007 04:57 PM]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [10/30/2007 08:06 PM]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [10/30/2007 08:11 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [10/30/2007 08:07 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 07:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqOHASK]
urqOHASK.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakCCS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SmileboxTray"="C:\Documents and Settings\Jill Wyss\Application Data\Smilebox\SmileboxTray.exe"
"Steam"="C:\Program Files\Steam\Steam.exe" -silent
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"08963db4"=rundll32.exe "C:\WINDOWS\system32\vhapiodr.dll",b
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"BM0ba50e28"=Rundll32.exe "C:\WINDOWS\system32\gwkhxrgf.dll",s
"dvd43"=C:\Program Files\dvd43\dvd43_tray.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
"MSConfig"=C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6433767c-5835-11dc-b305-0012175a8e9d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6433767d-5835-11dc-b305-0012175a8e9d}]
AutoRun\command- G:\setupSNK.exe




-- End of Deckard's System Scanner: finished at 2008-06-30 13:00:30 ------------
Attached Files: extra.txt (18.3 KB)
06-30-2008, 05:15 PM   #2
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Re: Running very slow-Trj/Rebooter.J, Rootkit/Booto.C

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O2 - BHO: (no name) - {7F8E1523-254B-4994-9AC7-201A724CA76C} - C:\WINDOWS\system32\ssqOEXrP.dll (file missing)
O2 - BHO: {f7d31cf7-ff9f-943a-8604-b0577e1faa49} - {94aaf1e7-750b-4068-a349-f9ff7fc13d7f} - C:\WINDOWS\system32\ixmqsxlu.dll (file missing)
O4 - HKLM\..\Run: [Windows LSSS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\FAMILYCOMPUTER\svchost.exe
O20 - Winlogon Notify: urqOHASK - urqOHASK.dll (file missing)


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Program Files\Common Files\Microsoft Shared\DAO\FAMILYCOMPUTER\svchost.exe

Go to http://www.bleepingcomputer.com/comb...o-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

06-30-2008, 09:11 PM   #3
Registered User
 
Join Date: Nov 2007
Posts: 17
OS: Windows XP Home


Re: Running very slow-Trj/Rebooter.J, Rootkit/Booto.C

ComboFix 08-06-20.4 - Koni Wyss 2008-06-30 21:57:12.3 - NTFSx86
Running from: C:\Documents and Settings\Koni Wyss\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-28 20:45 . 2008-06-28 20:45 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Acronis
2008-06-28 20:39 . 2008-06-28 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-06-28 20:39 . 2008-06-28 20:39 441,760 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-06-28 20:39 . 2008-06-28 20:39 129,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-06-28 20:39 . 2008-06-28 20:39 44,384 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-06-28 20:38 . 2008-06-28 20:38 368,544 --a------ C:\WINDOWS\system32\drivers\tdrpman.sys
2008-06-28 20:37 . 2008-06-28 20:38 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-06-28 20:37 . 2008-06-28 20:37 <DIR> d-------- C:\Program Files\Acronis
2008-06-27 22:30 . 2003-02-17 17:00 49,152 --a------ C:\WINDOWS\system32\dlbacoin.dll
2008-06-27 22:30 . 2005-12-16 15:15 40,960 --a------ C:\WINDOWS\system32\dlbavs.dll
2008-06-27 22:29 . 2008-06-27 22:32 <DIR> d-------- C:\Program Files\Dell AIO Printer A940
2008-06-27 22:28 . 2007-02-07 10:20 983,101 --a------ C:\WINDOWS\system32\dlbagf.dll
2008-06-26 11:36 . 2008-06-26 11:37 <DIR> d-------- C:\Program Files\ACW
2008-06-26 01:34 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-26 01:33 . 2008-06-26 01:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-26 00:11 . 2008-06-26 00:11 <DIR> d-------- C:\Documents and Settings\Koni Wyss\Application Data\DeepBurner Pro
2008-06-26 00:08 . 2008-06-26 00:42 28 --a------ C:\WINDOWS\v2d.INI
2008-06-26 00:03 . 2008-06-26 00:43 <DIR> d-------- C:\Program Files\Total Video2DVD Author
2008-06-25 23:46 . 2008-06-25 23:46 <DIR> d-------- C:\Deckard
2008-06-25 23:36 . 2008-06-25 23:36 2,970 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-24 23:48 . 2008-06-24 23:48 <DIR> d-------- C:\Program Files\Panda Security
2008-06-24 19:30 . 2008-06-24 19:30 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-24 15:28 . 2008-06-30 22:02 12,337 --a------ C:\WINDOWS\system32\Config.MPF
2008-06-24 15:27 . 2008-06-26 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-24 15:25 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-06-24 15:23 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-24 15:23 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-06-24 15:23 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-06-24 15:23 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-06-24 15:23 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-06-24 15:23 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-06-24 15:22 . 2008-06-24 15:22 <DIR> d-------- C:\Program Files\McAfee.com
2008-06-24 15:22 . 2008-06-24 15:23 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-06-24 15:21 . 2008-06-29 09:03 <DIR> d-------- C:\Program Files\McAfee
2008-06-24 14:43 . 2008-06-24 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-24 14:33 . 2008-06-24 14:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-17 20:06 . 2008-06-17 20:06 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-17 20:06 . 2008-06-17 20:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motport_01005.Wdf
2008-06-17 20:06 . 2008-06-17 20:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-06-17 20:06 . 2008-06-17 20:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-06-17 20:06 . 2008-06-17 20:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-06-17 20:05 . 2008-06-17 20:05 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-06-17 20:05 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-06-17 20:05 . 2007-06-18 14:18 23,680 --a------ C:\WINDOWS\system32\drivers\motport.sys
2008-06-17 20:05 . 2007-06-18 14:18 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-06-17 20:05 . 2007-11-02 14:36 18,176 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-06-17 20:05 . 2007-01-23 19:03 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-06-17 20:05 . 2007-11-02 14:51 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-06-14 13:18 . 2008-06-14 13:19 <DIR> d-------- C:\Program Files\Roxio
2008-06-14 13:17 . 2008-06-14 13:19 <DIR> d-------- C:\Program Files\Common Files\Adaptec Shared
2008-06-12 01:08 . 2008-06-30 13:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-12 00:20 . 2008-06-12 00:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-12 00:20 . 2008-06-12 00:22 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-11 23:53 . 2008-06-14 14:21 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-06-10 16:35 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 16:32 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 15:29 . 2008-06-10 15:29 <DIR> d-------- C:\Program Files\FileInnovations
2008-06-10 01:56 . 2008-06-10 01:56 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 02:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-30 18:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 18:34 --------- d-----w C:\Program Files\Lavasoft
2008-06-26 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 06:34 --------- d-----w C:\Program Files\Java
2008-06-26 04:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-06-25 07:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-14 18:19 30,630 ----a-w C:\WINDOWS\system32\drivers\Mmc_2k.sys
2008-06-14 18:19 25,898 ----a-w C:\WINDOWS\system32\drivers\Dvd_2k.sys
2008-06-14 18:19 206,464 ----a-w C:\WINDOWS\system32\drivers\udfreadr_xp.sys
2008-06-14 18:19 143,834 ----a-w C:\WINDOWS\system32\drivers\pwd_2K.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 20:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-26 06:52 --------- d-----w C:\Program Files\EA SPORTS
2008-05-25 00:18 --------- d-----w C:\Program Files\Windows Resource Kits
2008-05-24 22:11 --------- d-----w C:\Program Files\Dell
2008-05-24 04:32 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-24 04:32 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-24 04:30 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-23 17:47 --------- d-----w C:\Program Files\Apple Software Update
2008-05-23 17:02 --------- d-----w C:\Program Files\iTunes
2008-05-23 17:02 --------- d-----w C:\Program Files\iPod
2008-05-23 17:00 --------- d-----w C:\Program Files\QuickTime
2008-05-23 08:08 --------- d-----w C:\Documents and Settings\Koni Wyss\Application Data\AdobeUM
2008-05-23 07:55 --------- d-----w C:\Documents and Settings\Koni Wyss\Application Data\U3
2008-05-17 21:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-16 16:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 10:42 11,264 ------w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:35 24,064 ----a-w C:\WINDOWS\system32\pidgen.dll
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ------w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ------w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2008-01-04 00:33 7,873 -c--a-w C:\Program Files\hijackthis.log
2005-03-07 07:16 218,112 ----a-w C:\Program Files\HijackThis.exe
2005-02-22 07:14 183,169 ----a-w C:\Program Files\HijackThis.zip
.

((((((((((((((((((((((((((((( snapshot_2008-06-30_21.52.23.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 02:40:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 03:01:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 132,496 2007-09-25 07:11:35 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe

-c--a-w 204,800 2004-06-03 08:50:07 C:\Program Files\Microsoft IntelliPoint\bak\point32.exe

-c--a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [ ]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [ ]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 07:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-14 17:59 4493312]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"dlbamon.exe"="C:\Program Files\Dell AIO Printer A940\dlbamon.exe" [2007-03-05 16:57 435696]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 20:06 2595616]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 20:11 909208]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 20:07 140568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.IV41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KodakCCS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SmileboxTray"="C:\Documents and Settings\Jill Wyss\Application Data\Smilebox\SmileboxTray.exe"
"Steam"="C:\Program Files\Steam\Steam.exe" -silent
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"08963db4"=rundll32.exe "C:\WINDOWS\system32\vhapiodr.dll",b
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"BM0ba50e28"=Rundll32.exe "C:\WINDOWS\system32\gwkhxrgf.dll",s
"dvd43"=C:\Program Files\dvd43\dvd43_tray.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
"MSConfig"=C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIb\\RpcSandraSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIb\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dlbacoms.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1234:TCP"= 1234:TCP:192.168.1.101/255.255.255.255:Enabled:Printer Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6433767c-5835-11dc-b305-0012175a8e9d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6433767d-5835-11dc-b305-0012175a8e9d}]
\Shell\AutoRun\command - G:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-27 14:41:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-24 20:23:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-24 20:22:59 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-07-01 03:07:04 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 22:02:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\dlbacoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-06-30 22:13:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 03:12:59
ComboFix2.txt 2008-07-01 02:53:00

Pre-Run: 40,895,840,256 bytes free
Post-Run: 40,870,404,096 bytes free

285 --- E O F --- 2008-06-20 08:03:28
kwyss0711 is offline  
Old 06-30-2008, 09:13 PM   #4 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 17
OS: Windows XP Home


Re: Running very slow-Trj/Rebooter.J, Rootkit/Booto.C

For some reason the recovery didn't do anything whenever I would click and drag it over the combofix.exe icon, and I did download the SP2 version since I had SP3.
kwyss0711 is offline  
Old 07-01-2008, 05:05 PM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Re: Running very slow-Trj/Rebooter.J, Rootkit/Booto.C

Which version of SP2 did you download? Try the XP Professional SP2 if you haven't already.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
AWF::
C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
C:\Program Files\Microsoft IntelliPoint\bak\point32.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
File::
C:\WINDOWS\system32\gwkhxrgf.dll
C:\WINDOWS\system32\vhapiodr.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"08963db4"=-
"BM0ba50e28"=-
Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
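The log in the first post and the CFScript above are two halves of one workflow: read the "Reg Loading Points" dump, pick out the entries that do not belong (here the two run- values that load random-named DLLs through rundll32, the Security Center "DisableMonitoring" flags, EnableFirewall=0 and the removable-media AutoRun commands), then write File:: and Registry:: lines for ComboFix. The script below is an added example for this thread, not ComboFix's own code and not from either poster. It parses a constructed sample in the shape of the posted log (paths copied from it), flags those indicators and drafts the File::/Registry:: sections in the form greyknight17 used. The random-name heuristic (an 8-lowercase-letter DLL basename loaded by rundll32), the Finding/Triage names and the sample text are this example's assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log and draft the
File::/Registry:: part of a CFScript for the autoruns it flags.
Added example for this thread; not ComboFix's code and not from either poster.
The heuristics below are this script's assumptions, not rules from the log."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the log posted above (paths taken from it).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-14 17:59 4493312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"08963db4"=rundll32.exe "C:\WINDOWS\system32\vhapiodr.dll",b
"BM0ba50e28"=Rundll32.exe "C:\WINDOWS\system32\gwkhxrgf.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6433767d-5835-11dc-b305-0012175a8e9d}]
\Shell\AutoRun\command - G:\setupSNK.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# rundll32 loading a DLL whose basename is 8 lowercase letters: the random-name
# pattern of the two run- entries in the log (heuristic, not a signature).
RUNDLL_RE = re.compile(r'^[Rr]undll32\.exe\s+"([^"]+\\[a-z]{8}\.dll)"')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
SC_DISABLE = {"DisableMonitoring", "AntiVirusDisableNotify", "FirewallDisableNotify"}

@dataclass
class Finding:
    key: str
    name: str
    reason: str

@dataclass
class Triage:
    findings: list = field(default_factory=list)
    files: list = field(default_factory=list)     # paths for a File:: section
    registry: dict = field(default_factory=dict)  # key -> value names to delete

def triage(log_text: str) -> Triage:
    """Walk the registry dump line by line, tracking the current [key]."""
    t, key = Triage(), None
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        if key is None or not line:
            continue
        lkey = key.lower()
        am = AUTORUN_RE.match(line)
        if am and "mountpoints2" in lkey:
            t.findings.append(Finding(key, "AutoRun", f"removable-media AutoRun runs {am.group(1)}"))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group(1), vm.group(2)
        if "\\run" in lkey:                 # Run, RunOnce and msconfig's run- keys
            rm = RUNDLL_RE.match(value)
            if rm:
                t.findings.append(Finding(key, name, f"rundll32 loads random-looking DLL {rm.group(1)}"))
                t.files.append(rm.group(1))
                t.registry.setdefault(key, []).append(name)
        elif "security center" in lkey and name in SC_DISABLE and value.endswith("00000001"):
            t.findings.append(Finding(key, name, "Security Center alerting/monitoring switched off"))
        elif "firewallpolicy" in lkey and name == "EnableFirewall" and value.startswith("0"):
            t.findings.append(Finding(key, name, "Windows Firewall disabled for this profile"))
    return t

def cfscript(t: Triage) -> str:
    """Render File:: and Registry:: sections in the form used in the thread."""
    lines = []
    if t.files:
        lines += ["File::", *t.files]
    if t.registry:
        lines.append("Registry::")
        for key, names in t.registry.items():
            lines.append(f"[{key}]")
            lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result.findings:
        print(f"{f.name:24} {f.reason}")
    print(cfscript(result))
```

The drafted script is a starting point for an analyst, not something to feed to ComboFix unreviewed: the name heuristic is deliberately narrow (a legitimate component loaded by rundll32 with an eight-letter name would be flagged too), and the Security Center and firewall findings are reported but not scripted, since those keys are normally restored by re-enabling the product or the firewall rather than by registry deletion.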
Old 07-01-2008, 07:50 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 17
OS: Windows XP Home


Re: Running very slow-Trj/Rebooter.J, Rootkit/Booto.C

Sorry, I can't click and drag anything into ComboFix.exe. I don't know what is wrong here, because I can click and drop a file into a folder, but not with this.
kwyss0711 is offline  
Old 07-02-2008, 05:31 PM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Re: Running very slow-Trj/Rebooter.J, Rootkit/Booto.C

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. Then go back to the link where you downloaded combofix and get it again. Try saving it as CFkwyss0711 instead. Save it to your desktop and see if you can drag/drop the CFScript into it now.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 07-02-2008, 06:58 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 17
OS: Windows XP Home


Re: Running very slow-Trj/Rebooter.J, Rootkit/Booto.C

OK, I did all that fine, but it still doesn't work. When I drag something over it, I can see a little plus sign, and then I let go and it does nothing. If I go too high or too low, then the auto grid line pops up and it thinks I want to place the file before or after the combofix.exe/cfkwyss0711 icon. I took auto grid and auto arrange off and literally had the file overlapping the combofix icon, and it just sat there where I dropped it, like that's where I wanted to put it or something. Any more ideas what could be the problem? Thanks, and sorry for the inconvenience.
kwyss0711 is offline  
Old 07-04-2008, 12:52 PM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Re: Running very slow-Trj/Rebooter.J, Rootkit/Booto.C

Rename it back to Combofix.exe. Go to Start->Run and copy & paste the below in and hit OK:

"%userprofile%\Desktop\Combofix /CFScript.txt"

See if that will run it.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline