Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page new notebook - spyware infestation
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 05-03-2007, 07:20 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


new notebook - spyware infestation
Hi
I just got a new gateway notebook, and it was chock full of preinstalled spyware. Pop up city, ie windows spawning "your system might be infected" ads, yadda yadda yadda. I've installed and run avg, spybot, spyrare blaster adaware, dss and hijackthis. They removed over a hundred things. wow.

I'm still getting popups and something called system commander that spybot can't remove.

Here are the scans:
thanx!

Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-03 at 20:10:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2007-05-04 02:10:28 UTC - RP18 - Deckard's System Scanner Restore Point
17: 2007-05-04 00:28:24 UTC - RP17 - Installed AVG 7.5
16: 2007-05-03 03:39:33 UTC - RP16 - Installed Adobe Premiere Pro 2.0
15: 2007-05-01 04:53:03 UTC - RP15 - Unsigned driver install
14: 2007-05-01 03:27:32 UTC - RP14 - Installed Ad-Aware SE Personal


-- First Restore Point --
1: 2007-04-28 03:38:30 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:12:52 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\Gtwatch.exe
C:\WINDOWS\gtwatch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\twain_32\L3U16\WATCH.exe
C:\WINDOWS\TEMP\win228.tmp.exe
C:\WINDOWS\system32\DOBE~1\msdtc.exe
C:\Documents and Settings\Owner.notebook\My Documents\F?nts\?xplorer.exe
C:\Documents and Settings\Owner.notebook\Desktop\dss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F2E261C-57B7-B31D-1628-04E59D79828A} - C:\WINDOWS\system32\bpqsrdi.dll
O2 - BHO: (no name) - {22D4A607-B97E-2EA8-0CA2-051A936DF118} - C:\WINDOWS\system32\rnsckan.dll (file missing)
O2 - BHO: (no name) - {524C2E36-0F4C-3B6C-799D-091CB79D050C} - C:\WINDOWS\system32\nhiiuxj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {689FF817-6AF1-1453-AB3B-69E33EE6AFCA} - C:\WINDOWS\system32\rzhjmkud.dll
O2 - BHO: (no name) - {713A7346-6EE8-4C5C-BD80-D9BBF6786012} - C:\WINDOWS\system32\yayywtu.dll
O2 - BHO: (no name) - {8842ED99-339A-40CE-ABAB-4682D2BC7FD8} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\mpcfancr.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [xfxqeul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xfxqeul.dll,zmalub
O4 - HKLM\..\Run: [] C:\WINDOWS\Gtwatch.exe
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\joyxugda.dll",realset
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [wozu] C:\PROGRA~1\COMMON~1\wozu\wozum.exe
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\DOBE~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Idufba] "C:\Documents and Settings\Owner.notebook\My Documents\F?nts\?xplorer.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\L3U16\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: mljgd - C:\WINDOWS\system32\mljgd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll
O20 - Winlogon Notify: yayywtu - C:\WINDOWS\SYSTEM32\yayywtu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Cdr4_xp - c:\windows\system32\drivers\cdr4_xp.sys <Not Verified; Roxio; Drag-to-Disc>
R1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys <Not Verified; Roxio; Drag-to-Disc>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>

S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 GT681x (%GrandTechICNameNT%) - c:\windows\system32\drivers\gt681x.sys <Not Verified; ; USB Scanner Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 cmdService (Command Service) - c:\windows\ia\command.exe

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Scheduled Tasks -------------------------------------------------------------

2007-04-27 21:38:16 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 3.job
2007-04-27 21:38:16 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 2.job


-- Files created between 2007-04-03 and 2007-05-03 -----------------------------

2007-05-03 20:02:03 0 d-------- C:\Program Files\SpywareBlaster
2007-05-03 19:44:48 2 --a------ C:\WINDOWS\system32\wnstssv32.exe
2007-05-03 19:44:44 0 d-------- C:\Program Files\Outerinfo
2007-05-03 19:44:43 60928 --a------ C:\WINDOWS\system32\rzhjmkud.dll
2007-05-03 19:44:33 40183 ---hs---- C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
2007-05-03 19:44:31 0 d-------- C:\WINDOWS\system32\?dobe
2007-05-03 19:44:18 26678 --a------ C:\WINDOWS\system32\ssqqqqn.dll
2007-05-03 18:46:51 0 d-------- C:\Program Files\IrfanView
2007-05-03 18:30:39 0 dr-h----- C:\$VAULT$.AVG
2007-05-03 18:29:58 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\AVG7
2007-05-03 18:29:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-03 18:28:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-03 18:28:55 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-05-03 18:24:28 26678 --a------ C:\WINDOWS\system32\vtuutts.dll
2007-05-02 22:47:47 49204 --a------ C:\WINDOWS\system32\mpcfancr.dll
2007-05-02 22:47:37 132660 --a------ C:\WINDOWS\system32\joyxugda.dll
2007-05-02 22:47:31 76412 --a------ C:\WINDOWS\system32\jspvkdql.dll
2007-05-02 22:47:24 1396546 ---hs---- C:\WINDOWS\system32\dgjlm.bak1
2007-05-02 22:47:13 284244 ---hs---- C:\WINDOWS\system32\mljgd.dll
2007-05-02 22:41:52 26678 --a------ C:\WINDOWS\system32\qommmmj.dll
2007-05-02 22:41:49 86016 --a------ C:\WINDOWS\system32\jdzsnmj.dll
2007-05-02 22:41:49 63488 --a------ C:\WINDOWS\system32\bpqsrdi.dll
2007-05-02 22:41:45 11776 --a------ C:\WINDOWS\system32\v7.exe
2007-05-02 2234 0 d-------- C:\Program Files\Common Files\?asks
2007-05-02 2221 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\s?stem
2007-05-02 21:51:24 0 d-------- C:\Program Files\Common Files\wozu
2007-05-02 21:51:23 0 d-------- C:\WINDOWS\wozu
2007-05-02 21:43:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-05-02 21:43:34 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-02 21:36:23 0 d--hs---- C:\WINDOWS\IA
2007-05-01 09:35:12 146432 ---hs---- C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
2007-04-30 22:53:53 100 --a------ C:\WINDOWS\00 cutoff; m branch])
2007-04-30 22:32:12 0 d-------- C:\Program Files\ABBYY FineReader 4.0 Sprint
2007-04-30 22:30:24 0 d-------- C:\WINDOWS\Profiles
2007-04-30 22:28:32 35328 --a------ C:\WINDOWS\system\lttwn10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 297472 --a------ C:\WINDOWS\system\ltkrn10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 103424 --a------ C:\WINDOWS\system\ltfil10N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 221696 --a------ C:\WINDOWS\system\ltefx10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 228864 --a------ C:\WINDOWS\system\LTDIS10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 28160 --a------ C:\WINDOWS\system\lfwmf10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 122368 --a------ C:\WINDOWS\system\lftif10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 33280 --a------ C:\WINDOWS\system\lfpcx10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 31232 --a------ C:\WINDOWS\system\lflmb10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 35840 --a------ C:\WINDOWS\system\lflma10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 76800 --a------ C:\WINDOWS\system\lffax10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:31 266752 --a------ C:\WINDOWS\system\Lfcmp10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:31 34304 --a------ C:\WINDOWS\system\lfbmp10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:29 0 d-------- C:\WINDOWS\Crush'Em 2.0
2007-04-30 22:28:28 109578 --a------ C:\WINDOWS\system32\Xcdsfx32.bin <Not Verified; Xceed Software Inc. 1-450-442-2626 sfx@xceedsoft.com www.xceedsoft.com; The Xceed Zip Compression Library>
2007-04-30 22:28:28 25600 --a------ C:\WINDOWS\system\Lttwn70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:28 81408 --a------ C:\WINDOWS\system\Ltimg70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:25 344064 --a------ C:\WINDOWS\system\MSVCRT40.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual C++>
2007-04-30 22:28:25 0 d-------- C:\WINDOWS\Puzzl'Em1.0Beta2
2007-04-30 22:28:20 57344 --a------ C:\WINDOWS\system\BPEnhan.dll
2007-04-30 22:28:18 53248 --a------ C:\WINDOWS\system32\A32usd.dll <Not Verified; Microsoft Corporation (Sample); Platform SDK Sample Code>
2007-04-30 22:28:18 45056 --a------ C:\WINDOWS\Gtwatch.exe
2007-04-30 22:28:17 18120 --a------ C:\WINDOWS\system32\drivers\gt681x.sys <Not Verified; ; USB Scanner Driver>
2007-04-30 22:28:10 81946 --a------ C:\WINDOWS\system32\vb5ko.dll <Not Verified; Microsoft Corporation; Visual Basic Environment>
2007-04-30 22:28:10 172032 --a------ C:\WINDOWS\system32\SpotSaver.scr <Not Verified; BearPaw; BearPaw ScreenSaver>
2007-04-30 22:28:10 176128 --a------ C:\WINDOWS\system32\PuzzSaver.scr <Not Verified; BearPaw; BearPaw ScreenSaver>
2007-04-30 22:28:10 135168 --a------ C:\WINDOWS\system32\ParaSaver.scr <Not Verified; ; ScreenSaver Application>
2007-04-30 22:28:08 212480 --a------ C:\WINDOWS\system\Pcdlib32.dll <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-04-30 22:28:08 20480 --a------ C:\WINDOWS\system\Lfwpg70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:08 81920 --a------ C:\WINDOWS\system\CAPI2032.DLL
2007-04-30 22:28:08 0 d-------- C:\Program Files\ScanExpress A3 USB
2007-04-30 22:28:07 18944 --a------ C:\WINDOWS\system\Lfwfx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 20992 --a------ C:\WINDOWS\system\Lftga70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 19456 --a------ C:\WINDOWS\system\Lfras70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 22016 --a------ C:\WINDOWS\system\Lfpsd70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 111104 --a------ C:\WINDOWS\system\Lfpng70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 24576 --a------ C:\WINDOWS\system\Lfpcx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 19456 --a------ C:\WINDOWS\system\Lfmsp70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 32768 --a------ C:\WINDOWS\system\Lfgif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 24064 --a------ C:\WINDOWS\system\Lfeps70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 24064 --a------ C:\WINDOWS\system\Lfpct70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 19456 --a------ C:\WINDOWS\system\Lfpcd70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 18944 --a------ C:\WINDOWS\system\Lfmac70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 25088 --a------ C:\WINDOWS\system\Lflmb70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 28672 --a------ C:\WINDOWS\system\Lflma70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 95232 --a------ C:\WINDOWS\system\Lfkodak.dll
2007-04-30 22:28:05 20480 --a------ C:\WINDOWS\system\LFIMG70N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 26112 --a------ C:\WINDOWS\system\Lfica70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 35328 --a------ C:\WINDOWS\system\Lffpx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 306688 --a------ C:\WINDOWS\system\LFFPX7.DLL <Not Verified; ; Reference Implementation>
2007-04-30 22:28:05 24576 --a------ C:\WINDOWS\system\Lfbmp70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 17920 --a------ C:\WINDOWS\system\Lfavi70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 350208 --a------ C:\WINDOWS\system\Ltkrn70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 55296 --a------ C:\WINDOWS\system\Ltfil70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 93184 --a------ C:\WINDOWS\system\Lftif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 55808 --a------ C:\WINDOWS\system\Lffax70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 224768 --a------ C:\WINDOWS\system\Lfcmp70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 19968 --a------ C:\WINDOWS\system\Lfcal70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:27:42 0 d-------- C:\Program Files\Temp
2007-04-30 22:18:45 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Template
2007-04-30 22:18:42 0 --a------ C:\Documents and Settings\Owner.notebook\Application Data\wklnhst.dat
2007-04-30 21:28:45 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Lavasoft
2007-04-30 21:27:33 0 d-------- C:\Program Files\Lavasoft
2007-04-30 21:26:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 20:09:11 26678 --a------ C:\WINDOWS\system32\mljkkkj.dll
2007-04-30 19:41:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-04-30 19:33:49 26678 --a------ C:\WINDOWS\system32\ssqqnmj.dll
2007-04-30 19:31:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-04-30 14:16:16 0 d-------- C:\WINDOWS\system32\appmgmt
2007-04-30 13:01:44 71168 --ah----- C:\Program Files\Common Files\svchost.exe
2007-04-30 02:43:09 26678 --a------ C:\WINDOWS\system32\awtrsst.dll
2007-04-30 02:40:06 0 d-------- C:\Program Files\Common Files\W?nSxS
2007-04-30 02:40:02 45056 --a------ C:\WINDOWS\retadpu1000272.exe
2007-04-30 02:39:58 71168 --ah----- C:\WINDOWS\svchost.exe
2007-04-30 02:39:52 26678 --a------ C:\WINDOWS\system32\ssqqonk.dll
2007-04-30 02:39:50 63488 --a------ C:\WINDOWS\system32\nhiiuxj.dll
2007-04-30 02:39:49 86528 --a------ C:\WINDOWS\system32\eswyvfl.dll
2007-04-30 02:39:43 22016 --a------ C:\WINDOWS\system32\winbfi32.dll
2007-04-30 02:39:08 26678 --a------ C:\WINDOWS\system32\ssqronl.dll
2007-04-30 02:38:55 26678 --a------ C:\WINDOWS\system32\yayywtu.dll
2007-04-30 02:01:05 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-04-30 01:58:01 0 d-------- C:\Program Files\Bonjour
2007-04-30 01:57:42 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Adobe
2007-04-30 01:50:17 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-30 01:29:15 0 d-------- C:\WINDOWS\system32\Futuremark
2007-04-30 01:29:15 3972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-04-30 01:29:15 21664 --a------ C:\WINDOWS\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2007-04-30 01:28:36 1156 --a------ C:\WINDOWS\mozver.dat
2007-04-30 01:28:04 0 d-------- C:\Program Files\Futuremark
2007-04-29 21:00:25 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Mozilla
2007-04-29 20:48:27 0 d-------- C:\Program Files\Common Files\Serious Magic
2007-04-29 20:31:40 0 d-------- C:\Program Files\Serious Magic
2007-04-29 20:28:10 0 d-------- C:\WINDOWS\system32\windows media
2007-04-29 20:28:02 0 d--h----- C:\WINDOWS\msdownld.tmp
2007-04-29 20:27:57 0 d-------- C:\Program Files\Windows Media Components
2007-04-29 17:43:28 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Macromedia
2007-04-29 17:31:29 0 d-------- C:\Program Files\MSXML 4.0
2007-04-28 12:45:17 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\BitTorrent
2007-04-28 12:45:02 0 d-------- C:\Program Files\BitTorrent
2007-04-28 12:39:22 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-28 12:26:18 0 d-------- C:\WINDOWS\system32\PreInstall
2007-04-28 01:39:57 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Google
2007-04-28 01:38:07 0 d-------- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2007-04-28 01:37:41 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\McAfee.com Personal Firewall
2007-04-28 01:33:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-04-28 01:33:10 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 21:38:43 0 dr------- C:\Documents and Settings\Owner.notebook\Favorites
2007-04-27 21:38:43 0 d-------- C:\Documents and Settings\Owner.notebook\Desktop
2007-04-27 21:38:43 0 d---s---- C:\Documents and Settings\Owner.notebook\Cookies
2007-04-27 21:38:43 0 dr-h----- C:\Documents and Settings\Owner.notebook\Application Data
2007-04-27 21:38:43 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\You've Got Pictures Screensaver
2007-04-27 21:38:43 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\SampleView
2007-04-27 21:38:43 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Identities
2007-04-27 21:38:42 0 d-------- C:\Documents and Settings\Owner.notebook\WINDOWS
2007-04-27 21:38:42 0 d--h----- C:\Documents and Settings\Owner.notebook\Templates
2007-04-27 21:38:42 0 dr------- C:\Documents and Settings\Owner.notebook\Start Menu
2007-04-27 21:38:42 0 dr-h----- C:\Documents and Settings\Owner.notebook\SendTo
2007-04-27 21:38:42 0 dr-h----- C:\Documents and Settings\Owner.notebook\Recent
2007-04-27 21:38:42 0 d--h----- C:\Documents and Settings\Owner.notebook\PrintHood
2007-04-27 21:38:42 2097152 --ah----- C:\Documents and Settings\Owner.notebook\NTUSER.DAT
2007-04-27 21:38:42 0 d--h----- C:\Documents and Settings\Owner.notebook\NetHood
2007-04-27 21:38:42 0 dr------- C:\Documents and Settings\Owner.notebook\My Documents
2007-04-27 21:38:42 0 d--h----- C:\Documents and Settings\Owner.notebook\Local Settings
2007-04-27 21:38:10 0 d-------- C:\Documents and Settings\Default User\Application Data\You've Got Pictures Screensaver
2007-04-27 21:38:10 0 d-------- C:\Documents and Settings\Default User\Application Data\SampleView


-- Find3M Report ---------------------------------------------------------------

2007-05-02 21:49:05 0 d-------- C:\Program Files\?dobe
2007-05-02 21:47:41 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-30 14:22:02 0 d-------- C:\Program Files\WildTangent
2007-04-30 14:21:34 0 d-------- C:\Program Files\Gateway Games
2007-04-30 14:19:11 0 d-------- C:\Program Files\Common Files\InstallShield
2007-04-30 14:18:58 0 d-------- C:\Program Files\Napster
2007-04-30 13:57:23 0 d-------- C:\Program Files\BigFix
2007-04-30 13:21:29 0 d-------- C:\Program Files\Pure Networks
2007-04-30 13:18:14 0 d-------- C:\Program Files\Common Files\AOL
2007-04-30 13:02:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-29 20:24:42 0 d-------- C:\Program Files\Google
2007-03-21 20:54:16 69632 --a------ C:\WINDOWS\system32\TWUNK_32.EXE <Not Verified; Twain Working Group; Twain Thunker>
2007-03-21 20:54:16 48560 --a------ C:\WINDOWS\system32\TWUNK_16.EXE <Not Verified; Twain Working Group; Twain Thunker>
2007-03-21 20:54:16 77312 --a------ C:\WINDOWS\system32\TWAIN_32.DLL <Not Verified; Twain Working Group; Twain_32 Source Manager>
2007-02-19 05:01:20 252356 --a------ C:\WINDOWS\b128.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{1F2E261C-57B7-B31D-1628-04E59D79828A} C:\WINDOWS\system32\bpqsrdi.dll
{22D4A607-B97E-2EA8-0CA2-051A936DF118} C:\WINDOWS\system32\rnsckan.dll [x]
{524C2E36-0F4C-3B6C-799D-091CB79D050C} C:\WINDOWS\system32\nhiiuxj.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{689FF817-6AF1-1453-AB3B-69E33EE6AFCA} C:\WINDOWS\system32\rzhjmkud.dll
{713A7346-6EE8-4C5C-BD80-D9BBF6786012} C:\WINDOWS\system32\yayywtu.dll
{8842ED99-339A-40CE-ABAB-4682D2BC7FD8} C:\WINDOWS\system32\mljgd.dll
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\system32\mpcfancr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"runner1"="C:\\WINDOWS\\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310"
"xfxqeul.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\xfxqeul.dll,zmalub"
@="C:\\WINDOWS\\Gtwatch.exe"
"Gtwatch"="C:\\WINDOWS\\gtwatch.exe"
"VaCtrls"="v7"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\joyxugda.dll\",realset"
"SManager"="smanager.7.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"wozu"="C:\\PROGRA~1\\COMMON~1\\wozu\\wozum.exe"
"Ealb"="\"C:\\WINDOWS\\system32\\DOBE~1\\msdtc.exe\" -vt yazb"
"Idufba"="\"C:\\Documents and Settings\\Owner.notebook\\My Documents\\F?nts\\?xplorer.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autocheck"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{713A7346-6EE8-4C5C-BD80-D9BBF6786012}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbfi32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywtu

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-03 at 20:13:52 ---------
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Sponsored Links
Old 05-03-2007, 07:54 PM   #2 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion(tm) 64 Mobile Technology ML-40
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 958.23 MiB / 550.36 MiB
Pagefile Memory (total/avail): 2312 MiB / 1975.05 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1965.86 MiB

C: is Fixed (NTFS) - 68.66 GiB total, 53.91 GiB free.
D: is Fixed (FAT32) - 5.85 GiB total, 3.85 GiB free.
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: v (McAfee) Disabled
AV: AVG 7.5.467 v7.5.467 (GRISOFT)
AV: v (McAfee) Disabled


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner.notebook\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NOTEBOOK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner.notebook
LOGONSERVER=\\NOTEBOOK
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\OWNER~1.NOT\LOCALS~1\Temp
TMP=C:\DOCUME~1\OWNER~1.NOT\LOCALS~1\Temp
USERDOMAIN=NOTEBOOK
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner.notebook
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner.notebook (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /X{57922B53-02D4-4DFC-AC24-A3519DC1F49A}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 4.0 Sprint --> C:\WINDOWS\bitdeins.exe C:\PROGRA~1\ABBYYF~1.0SP\bitdeins.ini
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge 1.0 --> MsiExec.exe /I{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Center 2.0 --> MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Premiere Pro 2.0 --> msiexec /I {FA17A726-B229-4116-B793-A2AB1A4EAE2E}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1437-443D-B06E-79A00FE45110}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Broadcom 802.11 Network Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta0300a.INF
Crush'Em 2.0 --> C:\WINDOWS\Crush'Em 2.0\UNWISE.EXE C:\WINDOWS\Crush'Em 2.0\install.log
DVD Solution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Outerinfo --> "C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe"
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Puzzl'Em 1.0 Beta2 --> C:\WINDOWS\Puzzl'Em1.0Beta2\UNWISE.EXE C:\WINDOWS\Puzzl'Em1.0Beta2\install.log
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
ScanExpress A3 USB v1.4 --> C:\WINDOWS\twain_32\L3U16\UNINST.EXE
Security Update for Step By Step Interactive Training (KB898458) -->
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_0300107B\HXFSETUP.EXE -U -Iqta0300m.inf
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Visual Communicator Bin Files --> MsiExec.exe /I{64887FC8-F0AD-42B5-B052-3E52D64CA4B3}
Visual Communicator Studio --> MsiExec.exe /I{7F8D4C4E-EC31-4B5A-9DB6-1D74AD1209DA}
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_6FE44FCD212D4A086C7BC0C98B9A619782073FB7\amdk8.inf
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows XP Media Center Edition 2005 KB914548 --> "C:\WINDOWS\$NtUninstallKB914548$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- End of Deckard's System Scanner: finished at 2007-05-03 at 20:13:52 ---------
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-05-2007, 05:32 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
48 hour bump. Thanx for finding this and helping.
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-05-2007, 10:54 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: new notebook - spyware infestation
  1. Download combofix.exe to your desktop.
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-05-2007, 11:46 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
"Owner" - 2007-05-06 0:32:55 Service Pack 2
ComboFix 07-05.06.1.V - Running from: "C:\Documents and Settings\Owner.notebook\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awtrsst.dll
C:\WINDOWS\system32\evjfiaom.dll
C:\WINDOWS\system32\jgepcvhb.dll
C:\WINDOWS\system32\mljkkkj.dll
C:\WINDOWS\system32\mpcfancr.dll
C:\WINDOWS\system32\qommmmj.dll
C:\WINDOWS\system32\ssqqnmj.dll
C:\WINDOWS\system32\ssqqonk.dll
C:\WINDOWS\system32\ssqqqqn.dll
C:\WINDOWS\system32\ssqronl.dll
C:\WINDOWS\system32\vtuutts.dll
C:\WINDOWS\system32\bhvcpegj.ini
C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\yayywtu.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\IA\command.exe
C:\WINDOWS\IA\asappsrv.dll
C:\Program Files\outerinfo\Terms.rtf
C:\DOCUME~1\OWNER~1.NOT\Desktop\internet.lnk
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\APPLIC~1\SSTEM~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1\FNTS~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1\FNTS~1\?xplorer.exe
C:\qoobox\purity\C\Program Files\DOBE~1
C:\qoobox\purity\C\Program Files\Common Files\WNSXS~1
C:\qoobox\purity\C\WINDOWS\FNTS~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))


2007-05-06 00:38 49,204 --a------ C:\WINDOWS\system32\luyhsser.dll
2007-05-06 00:38 132,660 --a------ C:\WINDOWS\system32\jnhbbfuk.dll
2007-05-05 21:17 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-05 21:17 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-05 21:17 <DIR> d-------- C:\Program Files\Xvid
2007-05-05 17:31 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-05-05 17:26 <DIR> d-------- C:\Program Files\Serious Magic
2007-05-05 16:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-05 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
2007-05-04 00:28 <DIR> d-------- C:\roms
2007-05-03 20:09 <DIR> d-------- C:\Deckard
2007-05-03 20:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-03 19:44 60,928 --a------ C:\WINDOWS\system32\rzhjmkud.dll
2007-05-03 19:44 2 --a------ C:\WINDOWS\system32\wnstssv32.exe
2007-05-03 19:44 <DIR> d-------- C:\WINDOWS\system32\àdobe
2007-05-03 18:46 <DIR> d-------- C:\Program Files\IrfanView
2007-05-02 23:53 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-02 23:53 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-02 23:53 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-02 23:53 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-02 23:53 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-02 23:53 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-02 23:53 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-02 23:52 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-02 23:52 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-05-02 23:52 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-05-02 23:52 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-05-02 22:47 76,412 --a------ C:\WINDOWS\system32\jspvkdql.dll
2007-05-02 22:41 86,016 --a------ C:\WINDOWS\system32\jdzsnmj.dll
2007-05-02 22:41 63,488 --a------ C:\WINDOWS\system32\bpqsrdi.dll
2007-05-02 22:06 <DIR> d-------- C:\Program Files\Common Files\çasks
2007-05-02 21:51 <DIR> d-------- C:\WINDOWS\wozu
2007-05-02 21:51 <DIR> d-------- C:\Program Files\Common Files\wozu
2007-05-02 21:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-02 21:36 <DIR> d--hs---- C:\WINDOWS\IA
2007-04-30 22:51 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-04-30 22:32 <DIR> d-------- C:\Program Files\ABBYY FineReader 4.0 Sprint
2007-04-30 22:30 <DIR> d-------- C:\WINDOWS\Profiles
2007-04-30 22:28 995,383 --a------ C:\WINDOWS\system\MFC42.DLL
2007-04-30 22:28 95,232 --a------ C:\WINDOWS\system\Lfkodak.dll
2007-04-30 22:28 933,888 --a------ C:\WINDOWS\system\MFC40.DLL
2007-04-30 22:28 93,184 --a------ C:\WINDOWS\system\Lftif70n.dll
2007-04-30 22:28 81,946 --a------ C:\WINDOWS\system32\vb5ko.dll
2007-04-30 22:28 81,920 --a------ C:\WINDOWS\system\CAPI2032.DLL
2007-04-30 22:28 81,408 --a------ C:\WINDOWS\system\Ltimg70n.dll
2007-04-30 22:28 76,800 --a------ C:\WINDOWS\system\lffax10N.dll
2007-04-30 22:28 70,656 --a------ C:\WINDOWS\system\MSVCIRT.DLL
2007-04-30 22:28 57,344 --a------ C:\WINDOWS\system\BPEnhan.dll
2007-04-30 22:28 55,808 --a------ C:\WINDOWS\system\Lffax70n.dll
2007-04-30 22:28 55,296 --a------ C:\WINDOWS\system\Ltfil70n.dll
2007-04-30 22:28 53,248 --a------ C:\WINDOWS\system32\A32usd.dll
2007-04-30 22:28 45,056 --a------ C:\WINDOWS\Gtwatch.exe
2007-04-30 22:28 350,208 --a------ C:\WINDOWS\system\Ltkrn70n.dll
2007-04-30 22:28 35,840 --a------ C:\WINDOWS\system\lflma10N.dll
2007-04-30 22:28 35,328 --a------ C:\WINDOWS\system\lttwn10N.dll
2007-04-30 22:28 35,328 --a------ C:\WINDOWS\system\Lffpx70n.dll
2007-04-30 22:28 344,064 --a------ C:\WINDOWS\system\MSVCRT40.DLL
2007-04-30 22:28 34,304 --a------ C:\WINDOWS\system\lfbmp10N.dll
2007-04-30 22:28 33,280 --a------ C:\WINDOWS\system\lfpcx10N.dll
2007-04-30 22:28 32,768 --a------ C:\WINDOWS\system\Lfgif70n.dll
2007-04-30 22:28 31,232 --a------ C:\WINDOWS\system\lflmb10N.dll
2007-04-30 22:28 306,688 --a------ C:\WINDOWS\system\LFFPX7.DLL
2007-04-30 22:28 297,472 --a------ C:\WINDOWS\system\ltkrn10N.dll
2007-04-30 22:28 28,672 --a------ C:\WINDOWS\system\Lflma70n.dll
2007-04-30 22:28 28,160 --a------ C:\WINDOWS\system\lfwmf10N.dll
2007-04-30 22:28 266,752 --a------ C:\WINDOWS\system\Lfcmp10n.dll
2007-04-30 22:28 266,293 --a------ C:\WINDOWS\system\MSVCRT.DLL
2007-04-30 22:28 26,112 --a------ C:\WINDOWS\system\Lfica70n.dll
2007-04-30 22:28 25,600 --a------ C:\WINDOWS\system\Lttwn70n.dll
2007-04-30 22:28 25,088 --a------ C:\WINDOWS\system\Lflmb70n.dll
2007-04-30 22:28 24,576 --a------ C:\WINDOWS\system\Lfpcx70n.dll
2007-04-30 22:28 24,576 --a------ C:\WINDOWS\system\Lfbmp70n.dll
2007-04-30 22:28 24,064 --a------ C:\WINDOWS\system\Lfpct70n.dll
2007-04-30 22:28 24,064 --a------ C:\WINDOWS\system\Lfeps70n.dll
2007-04-30 22:28 228,864 --a------ C:\WINDOWS\system\LTDIS10N.dll
2007-04-30 22:28 224,768 --a------ C:\WINDOWS\system\Lfcmp70n.dll
2007-04-30 22:28 221,696 --a------ C:\WINDOWS\system\ltefx10N.dll
2007-04-30 22:28 22,016 --a------ C:\WINDOWS\system\Lfpsd70n.dll
2007-04-30 22:28 212,480 --a------ C:\WINDOWS\system\Pcdlib32.dll
2007-04-30 22:28 20,992 --a------ C:\WINDOWS\system\Lftga70n.dll
2007-04-30 22:28 20,480 --a------ C:\WINDOWS\system\Lfwpg70n.dll
2007-04-30 22:28 20,480 --a------ C:\WINDOWS\system\LFIMG70N.DLL
2007-04-30 22:28 19,968 --a------ C:\WINDOWS\system\Lfcal70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfras70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfpcd70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfmsp70n.dll
2007-04-30 22:28 18,944 --a------ C:\WINDOWS\system\Lfwfx70n.dll
2007-04-30 22:28 18,944 --a------ C:\WINDOWS\system\Lfmac70n.dll
2007-04-30 22:28 18,120 --a------ C:\WINDOWS\system32\drivers\gt681x.sys
2007-04-30 22:28 176,128 --a------ C:\WINDOWS\system32\PuzzSaver.scr
2007-04-30 22:28 172,032 --a------ C:\WINDOWS\system32\SpotSaver.scr
2007-04-30 22:28 17,920 --a------ C:\WINDOWS\system\Lfavi70n.dll
2007-04-30 22:28 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-30 22:28 135,168 --a------ C:\WINDOWS\system32\ParaSaver.scr
2007-04-30 22:28 122,368 --a------ C:\WINDOWS\system\lftif10N.dll
2007-04-30 22:28 111,104 --a------ C:\WINDOWS\system\Lfpng70n.dll
2007-04-30 22:28 109,578 --a------ C:\WINDOWS\system32\Xcdsfx32.bin
2007-04-30 22:28 103,424 --a------ C:\WINDOWS\system\ltfil10N.DLL
2007-04-30 22:28 <DIR> d-------- C:\WINDOWS\Puzzl'Em1.0Beta2
2007-04-30 22:28 <DIR> d-------- C:\WINDOWS\Crush'Em 2.0
2007-04-30 22:28 <DIR> d-------- C:\Program Files\ScanExpress A3 USB
2007-04-30 22:27 <DIR> d-------- C:\Program Files\Temp
2007-04-30 22:18 0 --a------ C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\wklnhst.dat
2007-04-30 22:18 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Template
2007-04-30 21:28 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Lavasoft
2007-04-30 21:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-30 21:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 19:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-30 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-30 14:16 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-04-30 02:39 86,528 --a------ C:\WINDOWS\system32\eswyvfl.dll
2007-04-30 02:39 63,488 --a------ C:\WINDOWS\system32\nhiiuxj.dll
2007-04-30 02:39 22,016 --a------ C:\WINDOWS\system32\winbfi32.dll
2007-04-30 02:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-30 01:58 <DIR> d-------- C:\Program Files\Bonjour
2007-04-30 01:50 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-30 01:29 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-04-30 01:29 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2007-04-30 01:29 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2007-04-30 01:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-04-30 01:28 <DIR> d-------- C:\Program Files\Futuremark
2007-04-29 20:48 <DIR> d-------- C:\Program Files\Common Files\Serious Magic
2007-04-29 20:28 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-04-29 20:28 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-04-29 20:27 <DIR> d-------- C:\Program Files\Windows Media Components
2007-04-29 17:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-28 12:45 <DIR> d-------- C:\Program Files\BitTorrent
2007-04-28 12:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\BitTorrent
2007-04-28 12:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-28 12:26 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-04-28 01:39 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Google
2007-04-28 01:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
2007-04-28 01:37 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\McAfee.com Personal Firewall
2007-04-28 01:33 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-28 01:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-27 21:38 2,621,440 --ah----- C:\DOCUME~1\OWNER~1.NOT\NTUSER.DAT
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\WINDOWS
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\You've Got Pictures Screensaver
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\SampleView
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\You've Got Pictures Screensaver
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\SampleView


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 22:41:41 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-05 22:38:16 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-04 00:37:11 -------- d-----w C:\Program Files\Common Files\?asks
2007-05-01 04:18:45 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Template
2007-05-01 04:18:42 0 ----a-w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\wklnhst.dat
2007-05-01 03:28:45 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Lavasoft
2007-05-01 02:10:42 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-04-30 20:22:02 -------- d-----w C:\Program Files\WildTangent
2007-04-30 20:21:34 -------- d-----w C:\Program Files\Gateway Games
2007-04-30 20:18:58 -------- d-----w C:\Program Files\Napster
2007-04-30 19:57:23 -------- d-----w C:\Program Files\BigFix
2007-04-30 19:21:29 -------- d-----w C:\Program Files\Pure Networks
2007-04-30 19:18:14 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-30 02:24:42 -------- d-----w C:\Program Files\Google
2007-04-29 23:28:18 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\BitTorrent
2007-04-28 18:26:35 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Google
2007-04-28 07:37:41 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\McAfee.com Personal Firewall
2007-03-22 02:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-22 02:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-22 02:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-19 11:01:20 252,356 ----a-w C:\WINDOWS\b128.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{1F2E261C-57B7-B31D-1628-04E59D79828A}"="C:\WINDOWS\system32\bpqsrdi.dll"
"{22D4A607-B97E-2EA8-0CA2-051A936DF118}"="C:\WINDOWS\system32\rnsckan.dll" [x]
"{524C2E36-0F4C-3B6C-799D-091CB79D050C}"="C:\WINDOWS\system32\nhiiuxj.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{689FF817-6AF1-1453-AB3B-69E33EE6AFCA}"="C:\WINDOWS\system32\rzhjmkud.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"xfxqeul.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\xfxqeul.dll,zmalub"
@="C:\\WINDOWS\\Gtwatch.exe"
"Gtwatch"="C:\\WINDOWS\\gtwatch.exe"
"SManager"="smanager.7.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"wozu"="C:\\PROGRA~1\\COMMON~1\\wozu\\wozum.exe"
"Ealb"="\"C:\\WINDOWS\\system32\\DOBE~1\\msdtc.exe\" -vt yazb"
"Idufba"="\"C:\\Documents and Settings\\Owner.notebook\\My Documents\\F?nts\\?xplorer.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbfi32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*





Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 00:41:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-06 0:42:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-06 00:42

==========================

Logfile of HijackThis v1.99.1
Scan saved at 12:47:03 AM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Gtwatch.exe
C:\WINDOWS\gtwatch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\DOBE~1\msdtc.exe
C:\WINDOWS\twain_32\L3U16\WATCH.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\??mbols\l?gonui.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F2E261C-57B7-B31D-1628-04E59D79828A} - C:\WINDOWS\system32\bpqsrdi.dll
O2 - BHO: (no name) - {22D4A607-B97E-2EA8-0CA2-051A936DF118} - C:\WINDOWS\system32\rnsckan.dll (file missing)
O2 - BHO: (no name) - {3795A24A-67F1-1455-F23B-69E33EE6ADCE} - C:\WINDOWS\system32\ypcos.dll
O2 - BHO: (no name) - {524C2E36-0F4C-3B6C-799D-091CB79D050C} - C:\WINDOWS\system32\nhiiuxj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [xfxqeul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xfxqeul.dll,zmalub
O4 - HKLM\..\Run: [] C:\WINDOWS\Gtwatch.exe
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [wozu] C:\PROGRA~1\COMMON~1\wozu\wozum.exe
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\DOBE~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Idufba] "C:\Documents and Settings\Owner.notebook\My Documents\F?nts\?xplorer.exe"
O4 - HKCU\..\Run: [Xunqxlo] "C:\Program Files\??mbols\l?gonui.exe"
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\L3U16\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: vtuvtts - C:\WINDOWS\SYSTEM32\vtuvtts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-06-2007, 08:45 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: new notebook - spyware infestation
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Before doing any fixing....

Please download the Suspicious File Packer http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of bad files into the Suspicious File Packer window:
C:\WINDOWS\system32\bpqsrdi.dll
C:\WINDOWS\system32\eswyvfl.dll
C:\WINDOWS\system32\jdzsnmj.dll
C:\WINDOWS\system32\jnhbbfuk.dll
C:\WINDOWS\system32\jspvkdql.dll
C:\WINDOWS\system32\luyhsser.dll
C:\WINDOWS\system32\nhiiuxj.dll
C:\WINDOWS\system32\rzhjmkud.dll
C:\WINDOWS\system32\winbfi32.dll
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

You should receive notice that the file was successfully submitted. Once it has been, you can delete the cab file created.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O2 - BHO: (no name) - {22D4A607-B97E-2EA8-0CA2-051A936DF118} - C:\WINDOWS\system32\rnsckan.dll (file missing)
O4 - HKLM\..\Run: [xfxqeul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\xfxqeul.dll,zmalub
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [wozu] C:\PROGRA~1\COMMON~1\wozu\wozum.exe
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\DOBE~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Idufba] "C:\Documents and Settings\Owner.notebook\My Documents\F?nts\?xplorer.exe"
O4 - HKCU\..\Run: [Xunqxlo] "C:\Program Files\??mbols\l?gonui.exe"



Close HijackThis now.

---------------------------------------------------------------------------------------------

Run ComboFix again using these instructions:


Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\combofix.exe" /v winbfi32 vtuvtts xfxqeul nhiiuxj ypcos bpqsrdi eswyvfl jdzsnmj jnhbbfuk jspvkdql luyhsser rzhjmkud
When finished, it shall produce a log for you, which will again be named C:\ComboFix/txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the main Status screen, under Your Computer's Security, click Resident Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following Files and Folders if they exist:

C:\Program Files\Common Files\?asks<<<Created on 2007-05-04 Check properties. May appear as Tasks
C:\Program Files\Common Files\çasks<<<Created on 2007-05-02 Check properties. May appear as Tasks
C:\Program Files\Common Files\wozu
C:\WINDOWS\system32\àdobe<<<Created on 2007-05-03 Check Properties
smanager.7.exe<<<Search for this via Start>Search>All Files and Folders
C:\WINDOWS\system32\wnstssv32.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\wozu

---------------------------------------------------------------------------------------------

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

ComboFix (C:\ComboFix.txt)
AVG Anti-Spyware
Panda online scan
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 12:45 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
ok. 12 hours later I have the logs. Geez it takes forever just to find out what was on here. I've only had the machine a week, and only been using the net a total of 2 hrs except for going through this process. boo on that.

I was still getting ad popups all through this process, including the last scan.

"Owner" - 2007-05-06 19:22:54 Service Pack 2
ComboFix 07-05.06.1.V - Running from: "C:\Documents and Settings\Owner.notebook\Desktop\"
Command switches used :: "/v winbfi32 vtuvtts xfxqeul nhiiuxj ypcos bpqsrdi eswyvfl jdzsnmj jnhbbfuk jspvkdql luyhsser rzhjmkud"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\winbfi32.dll
C:\WINDOWS\system32\nhiiuxj.dll
C:\WINDOWS\system32\ypcos.dll
C:\WINDOWS\system32\bpqsrdi.dll
C:\WINDOWS\system32\eswyvfl.dll
C:\WINDOWS\system32\jdzsnmj.dll
C:\WINDOWS\system32\jnhbbfuk.dll
C:\WINDOWS\system32\jspvkdql.dll
C:\WINDOWS\system32\luyhsser.dll
C:\WINDOWS\system32\khhvvmmu.dll
C:\WINDOWS\system32\pbkhejey.dll
C:\WINDOWS\system32\kufbbhnj.ini
C:\WINDOWS\system32\ummvvhhk.ini
C:\WINDOWS\system32\vtuvtts.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\APPLIC~1\SSTEM~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1\FNTS~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1\FNTS~1\?xplorer.exe
C:\qoobox\purity\C\Program Files\DOBE~1
C:\qoobox\purity\C\Program Files\MBOLS~1
C:\qoobox\purity\C\Program Files\Common Files\WNSXS~1
C:\qoobox\purity\C\WINDOWS\FNTS~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-06 to 2007-05-06 ))))))))))))))))))))))))))))))))))


2007-05-06 18:49 1,493,437 ---hs---- C:\WINDOWS\system32\orqss.bak2
2007-05-06 01:00 <DIR> d-------- C:\Program Files\Game Editor
2007-05-06 00:52 284,756 ---hs---- C:\WINDOWS\system32\ssqro.dll
2007-05-06 00:52 1,491,280 ---hs---- C:\WINDOWS\system32\orqss.bak1
2007-05-06 00:42 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-05 21:17 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-05 21:17 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-05 21:17 <DIR> d-------- C:\Program Files\Xvid
2007-05-05 17:26 <DIR> d-------- C:\Program Files\Serious Magic
2007-05-05 16:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-05 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
2007-05-04 00:28 <DIR> d-------- C:\roms
2007-05-03 20:09 <DIR> d-------- C:\Deckard
2007-05-03 20:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-03 19:44 2 --a------ C:\WINDOWS\system32\wnstssv32.exe
2007-05-03 19:44 <DIR> d-------- C:\WINDOWS\system32\àdobe
2007-05-03 18:46 <DIR> d-------- C:\Program Files\IrfanView
2007-05-02 23:53 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-02 23:53 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-02 23:53 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-02 23:53 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-02 23:53 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-02 23:53 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-02 23:53 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-02 23:52 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-02 23:52 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-05-02 23:52 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-05-02 23:52 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-05-02 22:06 <DIR> d-------- C:\Program Files\Common Files\çasks
2007-05-02 21:51 <DIR> d-------- C:\WINDOWS\wozu
2007-05-02 21:51 <DIR> d-------- C:\Program Files\Common Files\wozu
2007-05-02 21:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-02 21:36 <DIR> d--hs---- C:\WINDOWS\IA
2007-04-30 22:51 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-04-30 22:32 <DIR> d-------- C:\Program Files\ABBYY FineReader 4.0 Sprint
2007-04-30 22:30 <DIR> d-------- C:\WINDOWS\Profiles
2007-04-30 22:28 995,383 --a------ C:\WINDOWS\system\MFC42.DLL
2007-04-30 22:28 95,232 --a------ C:\WINDOWS\system\Lfkodak.dll
2007-04-30 22:28 933,888 --a------ C:\WINDOWS\system\MFC40.DLL
2007-04-30 22:28 93,184 --a------ C:\WINDOWS\system\Lftif70n.dll
2007-04-30 22:28 81,946 --a------ C:\WINDOWS\system32\vb5ko.dll
2007-04-30 22:28 81,920 --a------ C:\WINDOWS\system\CAPI2032.DLL
2007-04-30 22:28 81,408 --a------ C:\WINDOWS\system\Ltimg70n.dll
2007-04-30 22:28 76,800 --a------ C:\WINDOWS\system\lffax10N.dll
2007-04-30 22:28 70,656 --a------ C:\WINDOWS\system\MSVCIRT.DLL
2007-04-30 22:28 57,344 --a------ C:\WINDOWS\system\BPEnhan.dll
2007-04-30 22:28 55,808 --a------ C:\WINDOWS\system\Lffax70n.dll
2007-04-30 22:28 55,296 --a------ C:\WINDOWS\system\Ltfil70n.dll
2007-04-30 22:28 53,248 --a------ C:\WINDOWS\system32\A32usd.dll
2007-04-30 22:28 45,056 --a------ C:\WINDOWS\Gtwatch.exe
2007-04-30 22:28 350,208 --a------ C:\WINDOWS\system\Ltkrn70n.dll
2007-04-30 22:28 35,840 --a------ C:\WINDOWS\system\lflma10N.dll
2007-04-30 22:28 35,328 --a------ C:\WINDOWS\system\lttwn10N.dll
2007-04-30 22:28 35,328 --a------ C:\WINDOWS\system\Lffpx70n.dll
2007-04-30 22:28 344,064 --a------ C:\WINDOWS\system\MSVCRT40.DLL
2007-04-30 22:28 34,304 --a------ C:\WINDOWS\system\lfbmp10N.dll
2007-04-30 22:28 33,280 --a------ C:\WINDOWS\system\lfpcx10N.dll
2007-04-30 22:28 32,768 --a------ C:\WINDOWS\system\Lfgif70n.dll
2007-04-30 22:28 31,232 --a------ C:\WINDOWS\system\lflmb10N.dll
2007-04-30 22:28 306,688 --a------ C:\WINDOWS\system\LFFPX7.DLL
2007-04-30 22:28 297,472 --a------ C:\WINDOWS\system\ltkrn10N.dll
2007-04-30 22:28 28,672 --a------ C:\WINDOWS\system\Lflma70n.dll
2007-04-30 22:28 28,160 --a------ C:\WINDOWS\system\lfwmf10N.dll
2007-04-30 22:28 266,752 --a------ C:\WINDOWS\system\Lfcmp10n.dll
2007-04-30 22:28 266,293 --a------ C:\WINDOWS\system\MSVCRT.DLL
2007-04-30 22:28 26,112 --a------ C:\WINDOWS\system\Lfica70n.dll
2007-04-30 22:28 25,600 --a------ C:\WINDOWS\system\Lttwn70n.dll
2007-04-30 22:28 25,088 --a------ C:\WINDOWS\system\Lflmb70n.dll
2007-04-30 22:28 24,576 --a------ C:\WINDOWS\system\Lfpcx70n.dll
2007-04-30 22:28 24,576 --a------ C:\WINDOWS\system\Lfbmp70n.dll
2007-04-30 22:28 24,064 --a------ C:\WINDOWS\system\Lfpct70n.dll
2007-04-30 22:28 24,064 --a------ C:\WINDOWS\system\Lfeps70n.dll
2007-04-30 22:28 228,864 --a------ C:\WINDOWS\system\LTDIS10N.dll
2007-04-30 22:28 224,768 --a------ C:\WINDOWS\system\Lfcmp70n.dll
2007-04-30 22:28 221,696 --a------ C:\WINDOWS\system\ltefx10N.dll
2007-04-30 22:28 22,016 --a------ C:\WINDOWS\system\Lfpsd70n.dll
2007-04-30 22:28 212,480 --a------ C:\WINDOWS\system\Pcdlib32.dll
2007-04-30 22:28 20,992 --a------ C:\WINDOWS\system\Lftga70n.dll
2007-04-30 22:28 20,480 --a------ C:\WINDOWS\system\Lfwpg70n.dll
2007-04-30 22:28 20,480 --a------ C:\WINDOWS\system\LFIMG70N.DLL
2007-04-30 22:28 19,968 --a------ C:\WINDOWS\system\Lfcal70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfras70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfpcd70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfmsp70n.dll
2007-04-30 22:28 18,944 --a------ C:\WINDOWS\system\Lfwfx70n.dll
2007-04-30 22:28 18,944 --a------ C:\WINDOWS\system\Lfmac70n.dll
2007-04-30 22:28 18,120 --a------ C:\WINDOWS\system32\drivers\gt681x.sys
2007-04-30 22:28 176,128 --a------ C:\WINDOWS\system32\PuzzSaver.scr
2007-04-30 22:28 172,032 --a------ C:\WINDOWS\system32\SpotSaver.scr
2007-04-30 22:28 17,920 --a------ C:\WINDOWS\system\Lfavi70n.dll
2007-04-30 22:28 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-30 22:28 135,168 --a------ C:\WINDOWS\system32\ParaSaver.scr
2007-04-30 22:28 122,368 --a------ C:\WINDOWS\system\lftif10N.dll
2007-04-30 22:28 111,104 --a------ C:\WINDOWS\system\Lfpng70n.dll
2007-04-30 22:28 109,578 --a------ C:\WINDOWS\system32\Xcdsfx32.bin
2007-04-30 22:28 103,424 --a------ C:\WINDOWS\system\ltfil10N.DLL
2007-04-30 22:28 <DIR> d-------- C:\WINDOWS\Puzzl'Em1.0Beta2
2007-04-30 22:28 <DIR> d-------- C:\WINDOWS\Crush'Em 2.0
2007-04-30 22:28 <DIR> d-------- C:\Program Files\ScanExpress A3 USB
2007-04-30 22:27 <DIR> d-------- C:\Program Files\Temp
2007-04-30 22:18 0 --a------ C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\wklnhst.dat
2007-04-30 22:18 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Template
2007-04-30 21:28 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Lavasoft
2007-04-30 21:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-30 21:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 19:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-30 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-30 14:16 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-04-30 02:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-30 01:58 <DIR> d-------- C:\Program Files\Bonjour
2007-04-30 01:50 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-30 01:29 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-04-30 01:29 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2007-04-30 01:29 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2007-04-30 01:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-04-30 01:28 <DIR> d-------- C:\Program Files\Futuremark
2007-04-29 20:48 <DIR> d-------- C:\Program Files\Common Files\Serious Magic
2007-04-29 20:28 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-04-29 20:28 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-04-29 20:27 <DIR> d-------- C:\Program Files\Windows Media Components
2007-04-29 17:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-28 12:45 <DIR> d-------- C:\Program Files\BitTorrent
2007-04-28 12:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\BitTorrent
2007-04-28 12:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-28 12:26 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-04-28 01:39 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Google
2007-04-28 01:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
2007-04-28 01:37 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\McAfee.com Personal Firewall
2007-04-28 01:33 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-28 01:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-27 21:38 2,621,440 --ah----- C:\DOCUME~1\OWNER~1.NOT\NTUSER.DAT
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\WINDOWS
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\You've Got Pictures Screensaver
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\SampleView
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\You've Got Pictures Screensaver
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\SampleView


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 22:41:41 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-05 22:38:16 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-04 00:37:11 -------- d-----w C:\Program Files\Common Files\?asks
2007-05-01 04:18:45 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Template
2007-05-01 04:18:42 0 ----a-w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\wklnhst.dat
2007-05-01 03:28:45 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Lavasoft
2007-05-01 02:10:42 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-04-30 20:22:02 -------- d-----w C:\Program Files\WildTangent
2007-04-30 20:21:34 -------- d-----w C:\Program Files\Gateway Games
2007-04-30 20:18:58 -------- d-----w C:\Program Files\Napster
2007-04-30 19:57:23 -------- d-----w C:\Program Files\BigFix
2007-04-30 19:21:29 -------- d-----w C:\Program Files\Pure Networks
2007-04-30 19:18:14 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-30 02:24:42 -------- d-----w C:\Program Files\Google
2007-04-29 23:28:18 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\BitTorrent
2007-04-28 18:26:35 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Google
2007-04-28 07:37:41 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\McAfee.com Personal Firewall
2007-03-22 02:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-22 02:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-22 02:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-19 11:01:20 252,356 ----a-w C:\WINDOWS\b128.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{0FE4CE2A-A989-43D4-9555-FE80CB097FB9}"="C:\WINDOWS\system32\inqkkegs.dll" [x]
"{22D4A607-B97E-2EA8-0CA2-051A936DF118}"="C:\WINDOWS\system32\rnsckan.dll" [x]
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{67CED405-DE98-4ED8-9CFA-319B4C317435}"="C:\WINDOWS\system32\ssqro.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
@="C:\\WINDOWS\\Gtwatch.exe"
"Gtwatch"="C:\\WINDOWS\\gtwatch.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqro

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*





Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-06 19:28:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-06 19:29:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-06 19:29
C:\ComboFix2.txt ... 2007-05-06 00:42
------------------------------------------------------------
combofix quarantined files
Code:
2005-08-02 16:46      187904    --a------    C:\Qoobox\Quarantine\C\WINDOWS\IA\asappsrv.dll.vir
2005-08-02 16:58      293888    --a------    C:\Qoobox\Quarantine\C\WINDOWS\IA\command.exe.vir
2007-01-12 14:00      18031    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
2007-03-19 12:30      60928    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ypcos.dll.vir
2007-03-19 12:31      228864    --a------    C:\Qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1\FNTS~1\?xplorer.exe
2007-04-29 20:06      104    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\OWNER~1.NOT\Desktop\Internet.lnk.vir
2007-04-30 02:38      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\yayywtu.dll.vir
2007-04-30 02:39      22016    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\winbfi32.dll.vir
2007-04-30 02:39      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqqonk.dll.vir
2007-04-30 02:39      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqronl.dll.vir
2007-04-30 02:39      63488    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\nhiiuxj.dll.vir
2007-04-30 02:39      86528    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\eswyvfl.dll.vir
2007-04-30 02:43      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\awtrsst.dll.vir
2007-04-30 19:33      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqqnmj.dll.vir
2007-04-30 20:09      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\mljkkkj.dll.vir
2007-05-01 09:35      146432    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1162OinAdmin.exe.vir
2007-05-02 22:41      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\qommmmj.dll.vir
2007-05-02 22:41      63488    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\bpqsrdi.dll.vir
2007-05-02 22:41      86016    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jdzsnmj.dll.vir
2007-05-02 22:47      1396546    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\dgjlm.bak1.vir
2007-05-02 22:47      284244    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\mljgd.dll.vir
2007-05-02 22:47      49204    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\mpcfancr.dll.vir
2007-05-02 22:47      76412    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jspvkdql.dll.vir
2007-05-03 18:24      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vtuutts.dll.vir
2007-05-03 19:44      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqqqqn.dll.vir
2007-05-04 23:22      132660    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jgepcvhb.dll.vir
2007-05-05 14:03      687592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir
2007-05-05 14:03      687592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir
2007-05-05 23:06      131604    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\evjfiaom.dll.vir
2007-05-05 23:06      1496335    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\dgjlm.bak2.vir
2007-05-06 00:32      1463544    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\bhvcpegj.ini.vir
2007-05-06 00:37      1493238    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\dgjlm.ini.vir
2007-05-06 00:38      132660    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jnhbbfuk.dll.vir
2007-05-06 00:38      49204    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\luyhsser.dll.vir
2007-05-06 00:39      1463604    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kufbbhnj.ini.vir
2007-05-06 00:44      26678    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vtuvtts.dll.vir
2007-05-06 00:44      40183    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1162OinUninstaller.exe.vir
2007-05-06 00:52      49204    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pbkhejey.dll.vir
2007-05-06 00:55      132660    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\khhvvmmu.dll.vir
2007-05-06 19:22      1463187    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ummvvhhk.ini.vir


Folder PATH listing
Volume serial number is A4A0-F2FA
C:\QOOBOX
+---purity
|   \---C
|       +---DOCUME~1
|       |   \---OWNER~1.NOT
|       |       +---APPLIC~1
|       |       |   \---SSTEM~1
|       |       \---MYDOCU~1
|       |           \---FNTS~1
|       |                   ?xplorer.exe
|       |                   
|       +---Program Files
|       |   +---Common Files
|       |   |   \---WNSXS~1
|       |   +---DOBE~1
|       |   \---MBOLS~1
|       \---WINDOWS
|           \---FNTS~1
\---Quarantine
    \---C
        +---DOCUME~1
        |   \---OWNER~1.NOT
        |       \---Desktop
        |               Internet.lnk.vir
        |               
        +---Program Files
        |   +---Common Files
        |   |       Yazzle1162OinAdmin.exe.vir
        |   |       Yazzle1162OinUninstaller.exe.vir
        |   |       
        |   \---Outerinfo
        |           Terms.rtf.vir
        |           
        \---WINDOWS
            +---IA
            |       asappsrv.dll.vir
            |       command.exe.vir
            |       
            \---system32
                    atmtd.dll.vir
                    atmtd.dll._.vir
                    awtrsst.dll.vir
                    bhvcpegj.ini.vir
                    bpqsrdi.dll.vir
                    dgjlm.bak1.vir
                    dgjlm.bak2.vir
                    dgjlm.ini.vir
                    eswyvfl.dll.vir
                    evjfiaom.dll.vir
                    jdzsnmj.dll.vir
                    jgepcvhb.dll.vir
                    jnhbbfuk.dll.vir
                    jspvkdql.dll.vir
                    khhvvmmu.dll.vir
                    kufbbhnj.ini.vir
                    luyhsser.dll.vir
                    mljgd.dll.vir
                    mljkkkj.dll.vir
                    mpcfancr.dll.vir
                    nhiiuxj.dll.vir
                    pbkhejey.dll.vir
                    qommmmj.dll.vir
                    ssqqnmj.dll.vir
                    ssqqonk.dll.vir
                    ssqqqqn.dll.vir
                    ssqronl.dll.vir
                    ummvvhhk.ini.vir
                    vtuutts.dll.vir
                    vtuvtts.dll.vir
                    winbfi32.dll.vir
                    yayywtu.dll.vir
                    ypcos.dll.vir
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:01:40 AM 5/7/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\evjfiaom.dll.vir -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007279.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007435.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007561.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\IA\asappsrv.dll.vir -> Adware.CommAd : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\IA\command.exe.vir -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003529.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007275.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007276.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007353.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\ypcos.dll.vir -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\QooBox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1\FNTS~1\еxplorer.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP11\A0003038.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP12\A0003219.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP12\A0003220.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003271.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003282.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003283.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003498.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003499.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003504.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007306.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007339.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007457.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007476.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003331.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007541.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\awtrsst.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\mljkkkj.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\qommmmj.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqqnmj.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqqonk.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqqqqn.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqronl.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\vtuutts.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\vtuvtts.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\yayywtu.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003236.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003255.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003434.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007278.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007281.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007283.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007284.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007285.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007286.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007287.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007288.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007294.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007471.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003258.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003436.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003478.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003552.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004556.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004579.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004583.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004587.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004589.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004592.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007439.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003335.exe -> Downloader.Agent.bnc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003549.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004577.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004580.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004590.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007436.exe -> Downloader.Alphabet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003329.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP11\A0003037.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003272.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003273.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003491.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1162OinAdmin.exe.vir -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003480.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003506.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007272.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007441.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003508.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007543.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003381.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINDOWS\b104.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003489.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003486.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003488.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\WINDOWS\b103.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003487.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003474.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004557.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004581.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003327.exe -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003330.exe -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003334.exe -> Hijacker.Agent.jc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP12\A0003225.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003248.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003257.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003268.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003287.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003435.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003477.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003492.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003551.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0003568.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0003569.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004578.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004582.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004586.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004593.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007438.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP9\A0002228.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003532.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003328.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003332.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003333.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003476.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003490.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003494.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003554.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003555.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004558.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004584.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004591.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007437.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007440.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003260.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003261.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003437.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003438.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003493.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004588.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003433.exe -> Trojan.Obfuscated.ev : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0004585.exe -> Trojan.Obfuscated.ev : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003324.dll -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003325.exe -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0003326.exe -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP11\A0003039.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003262.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0003276.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0003432.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003500.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP17\A0003531.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007342.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP25\A0007542.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\IA\KE.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end



------------------------------------------------
Incident Status Location

Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Owner.notebook\Desktop\Click to Find and Fix Errors.url
Adware:adware/sqwire Not disinfected Windows Registry
Adware:Adware/SuperSpider Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\OWNER~1.NOT\LOCALS~1\Temp\mst44B.tmp
Adware:Adware/Yazzle Not disinfected C:\Deckard\System Scanner\backup\WINDOWS\temp\win1DE.tmp.exe[¦++\Yazzle1162OinAdmin.exe]
Adware:Adware/Yazzle Not disinfected C:\Deckard\System Scanner\backup\WINDOWS\temp\win235.tmp.exe[¦++\Yazzle1162OinAdmin.exe]
Adware:Adware/Yazzle Not disinfected C:\Deckard\System Scanner\backup\WINDOWS\temp\win48E.tmp.exe[¦++\Yazzle1162OinAdmin.exe]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner.notebook\Cookies\owner@mediaplex[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner.notebook\Cookies\owner@trafficmp[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner.notebook\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1162OinUninstaller.exe.vir
Adware:Adware/DollarRevenue Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll.vir
Adware:Adware/DollarRevenue Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\atmtd.dll._.vir
Adware:Adware/WinAntivirus2006 Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\jspvkdql.dll.vir
Adware:Adware/SuperSpider Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\winbfi32.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

--------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:37:30 AM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\Gtwatch.exe
C:\WINDOWS\gtwatch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\twain_32\L3U16\WATCH.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [] C:\WINDOWS\Gtwatch.exe
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\flgrrcaf.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\L3U16\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 07:41 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: new notebook - spyware infestation
It only takes a few seconds visiting the wrong site to get infected.

You appear to still have an active Vundo infection. It may be hiding from HJT.

Run ComboFix again, using these instructions:
  • Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
    "%userprofile%\desktop\combofix.exe" /v ssqro flgrrcaf
  • When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\flgrrcaf.dll",realset

Close HijackThis now.

---------------------------------------------------------------------------------------------
Please run DSS again, and post it's main.txt
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 01:01 PM   #9 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
I didn't find
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\flgrrcaf.dll",realset

in the Hijackthis thing.

here are the logs:
===============================
"Owner" - 2007-05-07 13:09:17 Service Pack 2
ComboFix 07-05.06.1.V - Running from: "C:\Documents and Settings\Owner.notebook\Desktop\"
Command switches used :: "/v ssqro flgrrcaf"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\flgrrcaf.dll
C:\WINDOWS\system32\wwhdvyii.dll
C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\facrrglf.ini
C:\WINDOWS\system32\ssqro.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\APPLIC~1\SSTEM~1
C:\qoobox\purity\C\DOCUME~1\OWNER~1.NOT\MYDOCU~1\FNTS~1
C:\qoobox\purity\C\Program Files\DOBE~1
C:\qoobox\purity\C\Program Files\MBOLS~1
C:\qoobox\purity\C\Program Files\Common Files\WNSXS~1
C:\qoobox\purity\C\WINDOWS\FNTS~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-07 to 2007-05-07 ))))))))))))))))))))))))))))))))))


2007-05-07 00:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-06 19:33 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-06 01:00 <DIR> d-------- C:\Program Files\Game Editor
2007-05-06 00:42 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-05 21:17 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-05 21:17 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-05 21:17 <DIR> d-------- C:\Program Files\Xvid
2007-05-05 17:26 <DIR> d-------- C:\Program Files\Serious Magic
2007-05-05 16:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-05 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
2007-05-04 00:28 <DIR> d-------- C:\roms
2007-05-03 20:09 <DIR> d-------- C:\Deckard
2007-05-03 20:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-03 19:44 <DIR> d-------- C:\WINDOWS\system32\àdobe
2007-05-03 18:46 <DIR> d-------- C:\Program Files\IrfanView
2007-05-02 23:53 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-02 23:53 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-02 23:53 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-02 23:53 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-02 23:53 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-02 23:53 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-02 23:53 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-02 23:52 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-02 23:52 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-05-02 23:52 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-05-02 23:52 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-05-02 21:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-02 21:36 <DIR> d--hs---- C:\WINDOWS\IA
2007-04-30 22:51 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-04-30 22:32 <DIR> d-------- C:\Program Files\ABBYY FineReader 4.0 Sprint
2007-04-30 22:30 <DIR> d-------- C:\WINDOWS\Profiles
2007-04-30 22:28 995,383 --a------ C:\WINDOWS\system\MFC42.DLL
2007-04-30 22:28 95,232 --a------ C:\WINDOWS\system\Lfkodak.dll
2007-04-30 22:28 933,888 --a------ C:\WINDOWS\system\MFC40.DLL
2007-04-30 22:28 93,184 --a------ C:\WINDOWS\system\Lftif70n.dll
2007-04-30 22:28 81,946 --a------ C:\WINDOWS\system32\vb5ko.dll
2007-04-30 22:28 81,920 --a------ C:\WINDOWS\system\CAPI2032.DLL
2007-04-30 22:28 81,408 --a------ C:\WINDOWS\system\Ltimg70n.dll
2007-04-30 22:28 76,800 --a------ C:\WINDOWS\system\lffax10N.dll
2007-04-30 22:28 70,656 --a------ C:\WINDOWS\system\MSVCIRT.DLL
2007-04-30 22:28 57,344 --a------ C:\WINDOWS\system\BPEnhan.dll
2007-04-30 22:28 55,808 --a------ C:\WINDOWS\system\Lffax70n.dll
2007-04-30 22:28 55,296 --a------ C:\WINDOWS\system\Ltfil70n.dll
2007-04-30 22:28 53,248 --a------ C:\WINDOWS\system32\A32usd.dll
2007-04-30 22:28 45,056 --a------ C:\WINDOWS\Gtwatch.exe
2007-04-30 22:28 350,208 --a------ C:\WINDOWS\system\Ltkrn70n.dll
2007-04-30 22:28 35,840 --a------ C:\WINDOWS\system\lflma10N.dll
2007-04-30 22:28 35,328 --a------ C:\WINDOWS\system\lttwn10N.dll
2007-04-30 22:28 35,328 --a------ C:\WINDOWS\system\Lffpx70n.dll
2007-04-30 22:28 344,064 --a------ C:\WINDOWS\system\MSVCRT40.DLL
2007-04-30 22:28 34,304 --a------ C:\WINDOWS\system\lfbmp10N.dll
2007-04-30 22:28 33,280 --a------ C:\WINDOWS\system\lfpcx10N.dll
2007-04-30 22:28 32,768 --a------ C:\WINDOWS\system\Lfgif70n.dll
2007-04-30 22:28 31,232 --a------ C:\WINDOWS\system\lflmb10N.dll
2007-04-30 22:28 306,688 --a------ C:\WINDOWS\system\LFFPX7.DLL
2007-04-30 22:28 297,472 --a------ C:\WINDOWS\system\ltkrn10N.dll
2007-04-30 22:28 28,672 --a------ C:\WINDOWS\system\Lflma70n.dll
2007-04-30 22:28 28,160 --a------ C:\WINDOWS\system\lfwmf10N.dll
2007-04-30 22:28 266,752 --a------ C:\WINDOWS\system\Lfcmp10n.dll
2007-04-30 22:28 266,293 --a------ C:\WINDOWS\system\MSVCRT.DLL
2007-04-30 22:28 26,112 --a------ C:\WINDOWS\system\Lfica70n.dll
2007-04-30 22:28 25,600 --a------ C:\WINDOWS\system\Lttwn70n.dll
2007-04-30 22:28 25,088 --a------ C:\WINDOWS\system\Lflmb70n.dll
2007-04-30 22:28 24,576 --a------ C:\WINDOWS\system\Lfpcx70n.dll
2007-04-30 22:28 24,576 --a------ C:\WINDOWS\system\Lfbmp70n.dll
2007-04-30 22:28 24,064 --a------ C:\WINDOWS\system\Lfpct70n.dll
2007-04-30 22:28 24,064 --a------ C:\WINDOWS\system\Lfeps70n.dll
2007-04-30 22:28 228,864 --a------ C:\WINDOWS\system\LTDIS10N.dll
2007-04-30 22:28 224,768 --a------ C:\WINDOWS\system\Lfcmp70n.dll
2007-04-30 22:28 221,696 --a------ C:\WINDOWS\system\ltefx10N.dll
2007-04-30 22:28 22,016 --a------ C:\WINDOWS\system\Lfpsd70n.dll
2007-04-30 22:28 212,480 --a------ C:\WINDOWS\system\Pcdlib32.dll
2007-04-30 22:28 20,992 --a------ C:\WINDOWS\system\Lftga70n.dll
2007-04-30 22:28 20,480 --a------ C:\WINDOWS\system\Lfwpg70n.dll
2007-04-30 22:28 20,480 --a------ C:\WINDOWS\system\LFIMG70N.DLL
2007-04-30 22:28 19,968 --a------ C:\WINDOWS\system\Lfcal70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfras70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfpcd70n.dll
2007-04-30 22:28 19,456 --a------ C:\WINDOWS\system\Lfmsp70n.dll
2007-04-30 22:28 18,944 --a------ C:\WINDOWS\system\Lfwfx70n.dll
2007-04-30 22:28 18,944 --a------ C:\WINDOWS\system\Lfmac70n.dll
2007-04-30 22:28 18,120 --a------ C:\WINDOWS\system32\drivers\gt681x.sys
2007-04-30 22:28 176,128 --a------ C:\WINDOWS\system32\PuzzSaver.scr
2007-04-30 22:28 172,032 --a------ C:\WINDOWS\system32\SpotSaver.scr
2007-04-30 22:28 17,920 --a------ C:\WINDOWS\system\Lfavi70n.dll
2007-04-30 22:28 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-30 22:28 135,168 --a------ C:\WINDOWS\system32\ParaSaver.scr
2007-04-30 22:28 122,368 --a------ C:\WINDOWS\system\lftif10N.dll
2007-04-30 22:28 111,104 --a------ C:\WINDOWS\system\Lfpng70n.dll
2007-04-30 22:28 109,578 --a------ C:\WINDOWS\system32\Xcdsfx32.bin
2007-04-30 22:28 103,424 --a------ C:\WINDOWS\system\ltfil10N.DLL
2007-04-30 22:28 <DIR> d-------- C:\WINDOWS\Puzzl'Em1.0Beta2
2007-04-30 22:28 <DIR> d-------- C:\WINDOWS\Crush'Em 2.0
2007-04-30 22:28 <DIR> d-------- C:\Program Files\ScanExpress A3 USB
2007-04-30 22:27 <DIR> d-------- C:\Program Files\Temp
2007-04-30 22:18 0 --a------ C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\wklnhst.dat
2007-04-30 22:18 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Template
2007-04-30 21:28 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Lavasoft
2007-04-30 21:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-30 21:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 19:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-30 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-30 14:16 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-04-30 02:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-30 01:58 <DIR> d-------- C:\Program Files\Bonjour
2007-04-30 01:50 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-30 01:29 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-04-30 01:29 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2007-04-30 01:29 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2007-04-30 01:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-04-30 01:28 <DIR> d-------- C:\Program Files\Futuremark
2007-04-29 20:48 <DIR> d-------- C:\Program Files\Common Files\Serious Magic
2007-04-29 20:28 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-04-29 20:28 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-04-29 20:27 <DIR> d-------- C:\Program Files\Windows Media Components
2007-04-29 17:31 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-28 12:45 <DIR> d-------- C:\Program Files\BitTorrent
2007-04-28 12:45 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\BitTorrent
2007-04-28 12:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-28 12:26 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-04-28 01:39 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\Google
2007-04-28 01:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\McAfee.com Personal Firewall
2007-04-28 01:37 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\McAfee.com Personal Firewall
2007-04-28 01:33 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-28 01:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-27 21:38 2,883,584 --ah----- C:\DOCUME~1\OWNER~1.NOT\NTUSER.DAT
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\WINDOWS
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\You've Got Pictures Screensaver
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\OWNER~1.NOT\APPLIC~1\SampleView
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\You've Got Pictures Screensaver
2007-04-27 21:38 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\SampleView


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 22:41:41 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-05 22:38:16 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-01 04:18:45 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Template
2007-05-01 04:18:42 0 ----a-w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\wklnhst.dat
2007-05-01 03:28:45 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Lavasoft
2007-05-01 02:10:42 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-04-30 20:22:02 -------- d-----w C:\Program Files\WildTangent
2007-04-30 20:21:34 -------- d-----w C:\Program Files\Gateway Games
2007-04-30 20:18:58 -------- d-----w C:\Program Files\Napster
2007-04-30 19:57:23 -------- d-----w C:\Program Files\BigFix
2007-04-30 19:21:29 -------- d-----w C:\Program Files\Pure Networks
2007-04-30 19:18:14 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-30 02:24:42 -------- d-----w C:\Program Files\Google
2007-04-29 23:28:18 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\BitTorrent
2007-04-28 18:26:35 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\Google
2007-04-28 07:37:41 -------- d-----w C:\DOCUME~1\OWNER~1.NOT\APPLIC~1.\McAfee.com Personal Firewall
2007-03-22 02:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-22 02:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-22 02:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{0FE4CE2A-A989-43D4-9555-FE80CB097FB9}"="C:\WINDOWS\system32\inqkkegs.dll" [x]
"{22D4A607-B97E-2EA8-0CA2-051A936DF118}"="C:\WINDOWS\system32\rnsckan.dll" [x]
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
@="C:\\WINDOWS\\Gtwatch.exe"
"Gtwatch"="C:\\WINDOWS\\gtwatch.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*




[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 3.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-07 13:14:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-07 13:16:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-07 13:16
C:\ComboFix2.txt ... 2007-05-06 19:29
C:\ComboFix3.txt ... 2007-05-06 00:42
-----------------------------------------------------
Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-07 at 13:39:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:39:52 PM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\Gtwatch.exe
C:\WINDOWS\gtwatch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\twain_32\L3U16\WATCH.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.notebook\Desktop\Spyware programs\dss.exe
C:\PROGRA~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FE4CE2A-A989-43D4-9555-FE80CB097FB9} - C:\WINDOWS\system32\inqkkegs.dll (file missing)
O2 - BHO: (no name) - {22D4A607-B97E-2EA8-0CA2-051A936DF118} - C:\WINDOWS\system32\rnsckan.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [] C:\WINDOWS\Gtwatch.exe
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\L3U16\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


-- Files created between 2007-04-07 and 2007-05-07 -----------------------------

2007-05-07 00:10:53 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-06 01:00:23 0 d-------- C:\Program Files\Game Editor
2007-05-05 21:17:06 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-05 21:17:06 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-05 21:17:06 0 d-------- C:\Program Files\Xvid
2007-05-05 17:26:32 0 d-------- C:\Program Files\Serious Magic
2007-05-05 16:44:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2007-05-05 16:44:32 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-05-04 00:28:14 0 d-------- C:\roms
2007-05-03 20:02:03 0 d-------- C:\Program Files\SpywareBlaster
2007-05-03 19:44:31 0 d-------- C:\WINDOWS\system32\?dobe
2007-05-03 18:46:51 0 d-------- C:\Program Files\IrfanView
2007-05-03 18:30:39 0 dr-h----- C:\$VAULT$.AVG
2007-05-03 18:29:58 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\AVG7
2007-05-03 18:29:22 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-03 18:28:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-03 18:28:55 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-05-02 21:43:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-05-02 21:36:23 0 d--hs---- C:\WINDOWS\IA
2007-04-30 22:53:53 100 --a------ C:\WINDOWS\00 cutoff; m branch])
2007-04-30 22:32:12 0 d-------- C:\Program Files\ABBYY FineReader 4.0 Sprint
2007-04-30 22:30:24 0 d-------- C:\WINDOWS\Profiles
2007-04-30 22:28:32 35328 --a------ C:\WINDOWS\system\lttwn10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 297472 --a------ C:\WINDOWS\system\ltkrn10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 103424 --a------ C:\WINDOWS\system\ltfil10N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 221696 --a------ C:\WINDOWS\system\ltefx10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 228864 --a------ C:\WINDOWS\system\LTDIS10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 28160 --a------ C:\WINDOWS\system\lfwmf10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 122368 --a------ C:\WINDOWS\system\lftif10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 33280 --a------ C:\WINDOWS\system\lfpcx10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 31232 --a------ C:\WINDOWS\system\lflmb10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 35840 --a------ C:\WINDOWS\system\lflma10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:32 76800 --a------ C:\WINDOWS\system\lffax10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:31 266752 --a------ C:\WINDOWS\system\Lfcmp10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:31 34304 --a------ C:\WINDOWS\system\lfbmp10N.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:29 0 d-------- C:\WINDOWS\Crush'Em 2.0
2007-04-30 22:28:28 109578 --a------ C:\WINDOWS\system32\Xcdsfx32.bin <Not Verified; Xceed Software Inc. 1-450-442-2626 sfx@xceedsoft.com www.xceedsoft.com; The Xceed Zip Compression Library>
2007-04-30 22:28:28 25600 --a------ C:\WINDOWS\system\Lttwn70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:28 81408 --a------ C:\WINDOWS\system\Ltimg70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:25 344064 --a------ C:\WINDOWS\system\MSVCRT40.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual C++>
2007-04-30 22:28:25 0 d-------- C:\WINDOWS\Puzzl'Em1.0Beta2
2007-04-30 22:28:20 57344 --a------ C:\WINDOWS\system\BPEnhan.dll
2007-04-30 22:28:18 53248 --a------ C:\WINDOWS\system32\A32usd.dll <Not Verified; Microsoft Corporation (Sample); Platform SDK Sample Code>
2007-04-30 22:28:18 45056 --a------ C:\WINDOWS\Gtwatch.exe
2007-04-30 22:28:17 18120 --a------ C:\WINDOWS\system32\drivers\gt681x.sys <Not Verified; ; USB Scanner Driver>
2007-04-30 22:28:10 81946 --a------ C:\WINDOWS\system32\vb5ko.dll <Not Verified; Microsoft Corporation; Visual Basic Environment>
2007-04-30 22:28:10 172032 --a------ C:\WINDOWS\system32\SpotSaver.scr <Not Verified; BearPaw; BearPaw ScreenSaver>
2007-04-30 22:28:10 176128 --a------ C:\WINDOWS\system32\PuzzSaver.scr <Not Verified; BearPaw; BearPaw ScreenSaver>
2007-04-30 22:28:10 135168 --a------ C:\WINDOWS\system32\ParaSaver.scr <Not Verified; ; ScreenSaver Application>
2007-04-30 22:28:08 212480 --a------ C:\WINDOWS\system\Pcdlib32.dll <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-04-30 22:28:08 20480 --a------ C:\WINDOWS\system\Lfwpg70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:08 81920 --a------ C:\WINDOWS\system\CAPI2032.DLL
2007-04-30 22:28:08 0 d-------- C:\Program Files\ScanExpress A3 USB
2007-04-30 22:28:07 18944 --a------ C:\WINDOWS\system\Lfwfx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 20992 --a------ C:\WINDOWS\system\Lftga70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 19456 --a------ C:\WINDOWS\system\Lfras70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 22016 --a------ C:\WINDOWS\system\Lfpsd70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 111104 --a------ C:\WINDOWS\system\Lfpng70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 24576 --a------ C:\WINDOWS\system\Lfpcx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 19456 --a------ C:\WINDOWS\system\Lfmsp70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 32768 --a------ C:\WINDOWS\system\Lfgif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:07 24064 --a------ C:\WINDOWS\system\Lfeps70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 24064 --a------ C:\WINDOWS\system\Lfpct70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 19456 --a------ C:\WINDOWS\system\Lfpcd70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 18944 --a------ C:\WINDOWS\system\Lfmac70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 25088 --a------ C:\WINDOWS\system\Lflmb70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 28672 --a------ C:\WINDOWS\system\Lflma70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 95232 --a------ C:\WINDOWS\system\Lfkodak.dll
2007-04-30 22:28:05 20480 --a------ C:\WINDOWS\system\LFIMG70N.DLL <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 26112 --a------ C:\WINDOWS\system\Lfica70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 35328 --a------ C:\WINDOWS\system\Lffpx70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 306688 --a------ C:\WINDOWS\system\LFFPX7.DLL <Not Verified; ; Reference Implementation>
2007-04-30 22:28:05 24576 --a------ C:\WINDOWS\system\Lfbmp70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:05 17920 --a------ C:\WINDOWS\system\Lfavi70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 350208 --a------ C:\WINDOWS\system\Ltkrn70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 55296 --a------ C:\WINDOWS\system\Ltfil70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 93184 --a------ C:\WINDOWS\system\Lftif70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 55808 --a------ C:\WINDOWS\system\Lffax70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 224768 --a------ C:\WINDOWS\system\Lfcmp70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:28:04 19968 --a------ C:\WINDOWS\system\Lfcal70n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2007-04-30 22:27:42 0 d-------- C:\Program Files\Temp
2007-04-30 22:18:45 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Template
2007-04-30 22:18:42 0 --a------ C:\Documents and Settings\Owner.notebook\Application Data\wklnhst.dat
2007-04-30 21:28:45 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Lavasoft
2007-04-30 21:27:33 0 d-------- C:\Program Files\Lavasoft
2007-04-30 21:26:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 19:41:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-04-30 19:31:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-04-30 14:16:16 0 d-------- C:\WINDOWS\system32\appmgmt
2007-04-30 02:01:05 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-04-30 01:58:01 0 d-------- C:\Program Files\Bonjour
2007-04-30 01:57:42 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Adobe
2007-04-30 01:50:17 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-30 01:29:15 0 d-------- C:\WINDOWS\system32\Futuremark
2007-04-30 01:29:15 3972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-04-30 01:29:15 21664 --a------ C:\WINDOWS\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2007-04-30 01:28:36 1156 --a------ C:\WINDOWS\mozver.dat
2007-04-30 01:28:04 0 d-------- C:\Program Files\Futuremark
2007-04-29 21:00:25 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Mozilla
2007-04-29 20:48:27 0 d-------- C:\Program Files\Common Files\Serious Magic
2007-04-29 20:28:10 0 d-------- C:\WINDOWS\system32\windows media
2007-04-29 20:28:02 0 d--h----- C:\WINDOWS\msdownld.tmp
2007-04-29 20:27:57 0 d-------- C:\Program Files\Windows Media Components
2007-04-29 17:43:28 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Macromedia
2007-04-29 17:31:29 0 d-------- C:\Program Files\MSXML 4.0
2007-04-28 12:45:17 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\BitTorrent
2007-04-28 12:45:02 0 d-------- C:\Program Files\BitTorrent
2007-04-28 12:39:22 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-28 12:26:18 0 d-------- C:\WINDOWS\system32\PreInstall
2007-04-28 01:39:57 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Google
2007-04-28 01:38:07 0 d-------- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2007-04-28 01:37:41 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\McAfee.com Personal Firewall
2007-04-28 01:33:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-04-28 01:33:10 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-04-27 21:38:43 0 dr------- C:\Documents and Settings\Owner.notebook\Favorites
2007-04-27 21:38:43 0 d-------- C:\Documents and Settings\Owner.notebook\Desktop
2007-04-27 21:38:43 0 d---s---- C:\Documents and Settings\Owner.notebook\Cookies
2007-04-27 21:38:43 0 dr-h----- C:\Documents and Settings\Owner.notebook\Application Data
2007-04-27 21:38:43 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\You've Got Pictures Screensaver
2007-04-27 21:38:43 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\SampleView
2007-04-27 21:38:43 0 d-------- C:\Documents and Settings\Owner.notebook\Application Data\Identities
2007-04-27 21:38:42 0 d-------- C:\Documents and Settings\Owner.notebook\WINDOWS
2007-04-27 21:38:42 0 d--h----- C:\Documents and Settings\Owner.notebook\Templates
2007-04-27 21:38:42 0 dr------- C:\Documents and Settings\Owner.notebook\Start Menu
2007-04-27 21:38:42 0 dr-h----- C:\Documents and Settings\Owner.notebook\SendTo
2007-04-27 21:38:42 0 dr-h----- C:\Documents and Settings\Owner.notebook\Recent
2007-04-27 21:38:42 0 d--h----- C:\Documents and Settings\Owner.notebook\PrintHood
2007-04-27 21:38:42 2883584 --ah----- C:\Documents and Settings\Owner.notebook\NTUSER.DAT
2007-04-27 21:38:42 0 d--h----- C:\Documents and Settings\Owner.notebook\NetHood
2007-04-27 21:38:42 0 dr------- C:\Documents and Settings\Owner.notebook\My Documents
2007-04-27 21:38:42 0 d--h----- C:\Documents and Settings\Owner.notebook\Local Settings
2007-04-27 21:38:10 0 d-------- C:\Documents and Settings\Default User\Application Data\You've Got Pictures Screensaver
2007-04-27 21:38:10 0 d-------- C:\Documents and Settings\Default User\Application Data\SampleView


-- Find3M Report ---------------------------------------------------------------

2007-05-05 16:41:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-05 16:38:16 0 d-------- C:\Program Files\Common Files\InstallShield
2007-05-05 15:30:38 0 d-------- C:\Program Files\Common Files\Adobe
2007-04-30 14:22:02 0 d-------- C:\Program Files\WildTangent
2007-04-30 14:21:34 0 d-------- C:\Program Files\Gateway Games
2007-04-30 14:18:58 0 d-------- C:\Program Files\Napster
2007-04-30 13:57:23 0 d-------- C:\Program Files\BigFix
2007-04-30 13:21:29 0 d-------- C:\Program Files\Pure Networks
2007-04-30 13:18:14 0 d-------- C:\Program Files\Common Files\AOL
2007-04-29 20:24:42 0 d-------- C:\Program Files\Google
2007-03-21 20:54:16 69632 --a------ C:\WINDOWS\system32\TWUNK_32.EXE <Not Verified; Twain Working Group; Twain Thunker>
2007-03-21 20:54:16 48560 --a------ C:\WINDOWS\system32\TWUNK_16.EXE <Not Verified; Twain Working Group; Twain Thunker>
2007-03-21 20:54:16 77312 --a------ C:\WINDOWS\system32\TWAIN_32.DLL <Not Verified; Twain Working Group; Twain_32 Source Manager>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{0FE4CE2A-A989-43D4-9555-FE80CB097FB9} C:\WINDOWS\system32\inqkkegs.dll [x]
{22D4A607-B97E-2EA8-0CA2-051A936DF118} C:\WINDOWS\system32\rnsckan.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Reminder"=hex(2):25,57,49,4e,44,49,52,25,5c,43,72,65,61,74,6f,72,5c,52,65,6d,\
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
@="C:\\WINDOWS\\Gtwatch.exe"
"Gtwatch"="C:\\WINDOWS\\gtwatch.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"="NA"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


-- End of Deckard's System Scanner: finished at 2007-05-07 at 13:40:25 ---------
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 01:40 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: new notebook - spyware infestation
That looks much better.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O2 - BHO: (no name) - {0FE4CE2A-A989-43D4-9555-FE80CB097FB9} - C:\WINDOWS\system32\inqkkegs.dll (file missing)
O2 - BHO: (no name) - {22D4A607-B97E-2EA8-0CA2-051A936DF118} - C:\WINDOWS\system32\rnsckan.dll (file missing)

Close HijackThis now.

---------------------------------------------------------------------------------------------

This folder still need to be deleted:

C:\WINDOWS\system32\?dobe<<<May appear as Adobe, created on 2007-05-03 Right click, check properties to be sure.

---------------------------------------------------------------------------------------------

Please run this online scan:

Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply.

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Popups stopped now?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 02:22 PM   #11 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
Are you sure it won't screw up all of my adobe programs to remove the adobe folder? I use photoshop, premiere, and after effects on a daily basis...
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 02:36 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: new notebook - spyware infestation
That folder is part of the Purity Scan infection...no legit Adobe Folder should be in system32.

The ? in the folder name indicates a different type of character code has been used to emulate the english a , and therefore try to hide itself as something legit.

It's why I want you to look at the folder's properties...to be sure.

Also have a peek inside, and let me know what's there, if anything.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 05:56 PM   #13 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
Bit defender still says my system is infected. I'm attaching the html log thing, since it won't output tab delimited text like it says it will. It says "disinfection failed" on a bunch of things, but it says it deleted them, so why does it say "Your system is still infected!"?

here's the hijack this log:
==============================
Logfile of HijackThis v1.99.1
Scan saved at 6:56:22 PM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\Gtwatch.exe
C:\WINDOWS\gtwatch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\twain_32\L3U16\WATCH.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Premiere Pro 1.5\Adobe Premiere Pro.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\OWNER~1.NOT\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=PTB&M=MX6426
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [] C:\WINDOWS\Gtwatch.exe
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\L3U16\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 06:32 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: new notebook - spyware infestation
I don't see the log.

Don't worry if it's html code, just post it and I'll translate it.

Quote:
It says "disinfection failed" on a bunch of things, but it says it deleted them, so why does it say "Your system is still infected!"?
Too many "it"s...not sure what you mean...let me view the BD log, and I'll help you figure things out.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 06:56 PM   #15 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
Translated, and attached
Attached Files
File Type: doc BitDefender Online Scanner.doc (175.0 KB, 2 views)
Last edited by tetonbob; 05-07-2007 at 07:00 PM.
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 06:59 PM   #16 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
BitDefender Online Scanner - Real Time Virus Report

Generated at: Mon, May 07, 2007 - 19:57:03

Scan Info

Scanned Files 536333

Infected Files 36

Virus Detected
Trojan.Downloader.Tsupdate.N
2

Trojan.Obfus.Gen
14

MemScan:Trojan.Vundo.DLR
2

Trojan.Vundo.DLP
8

Trojan.Spy.VBStat.B
1

MemScan:Trojan.Vundo.AJ
4

Trojan.Downloader.TSUpdate.Q
3

Trojan.Downloader.TSUpdate.D
1

Trojan.Downloader.Small.BUY
1

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 07:03 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: new notebook - spyware infestation
All infected files which were identified, were deleted. They were all in archives, or System Restore points.

Your logs appear clean.

Is something telling you you're still infected?

Were you able to locate the questionable ?dobe folder and see what it contained?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 07:49 PM   #18 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 41
OS: xp


Re: new notebook - spyware infestation
When the bitdefender scan completed it said "your computer is still infected" at the top of it's results window. Why would it say that when it deleted everything it found? Kinda confusing.

I just removed the adobe folder.
Berighteous is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-07-2007, 08:22 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Re: new notebook - spyware infestation
I guess that would be confusing....not sure why it would say that. Did you save a screenshot of that message? I don't think you're infected still.

Your logs appear clean.You should be good to go. We still have a few items to address.

Delete

ComboFix.exe
DSS.exe
C:\Qoobox
C:\Deckard

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windowsi586-p.exe to install the newest version.
  • After the install is complete, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable it's real time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so:

Open AVG Anti-Spyware.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear & Reset System Restore's Cache
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    Here are a few very good free Antivirus products which are available:Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial
  • FIREWALL
    If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

    Do not install more than one firewall program because they will conflict with each other.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 06:34 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84