
VIRUS ALERT! message in system tray...

5762 Views 5 Replies 2 Participants Last post by Angelfire777
Here is my main.txt and extra.txt. Thank you so very much ahead of time for any and all assistance.

MAIN.TXT-

Deckard's System Scanner v20071014.68
Run by Steve on 2008-05-25 18:13:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
25: 2008-05-25 22:13:51 UTC - RP164 - Deckard's System Scanner Restore Point
24: 2008-05-25 21:07:06 UTC - RP163 - Installed McAfee VirusScan Enterprise
23: 2008-05-25 20:58:45 UTC - RP162 - Removed CodeZulu Bind Maker
22: 2008-05-25 16:43:48 UTC - RP161 - Software Distribution Service 3.0
21: 2008-05-25 15:39:31 UTC - RP160 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-23 23:15:09 UTC - RP140 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Steve.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:14: VIRUS ALERT!, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
E:\Motherboard Monitor 5\MBM5.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Steve\Desktop\dss.exe
C:\DOCUME~1\Steve\Desktop\HIJACK~1\Steve.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 818646 helper - {54192079-8E8A-43D8-BCBC-3874916159AF} - (no file)
O2 - BHO: QXK Olive - {5AB14FEE-E161-455B-9A60-91AE848F8FA0} - C:\WINDOWS\nldfmtapefs.dll
O2 - BHO: (no name) - {613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF} - C:\WINDOWS\system32\ssqPggGy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: QXK Olive - {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} - C:\WINDOWS\boqnrwdmstg.dll
O2 - BHO: (no name) - {B8912258-3C5F-4C39-AA7F-220239956126} - C:\WINDOWS\system32\wvUmMGAp.dll (file missing)
O2 - BHO: (no name) - {D1E9246F-438E-40B0-8BC1-DBB9FE47D745} - blank (file missing)
O2 - BHO: (no name) - {D6DABF5B-85A6-4A7F-8000-A7D70FEB9597} - C:\WINDOWS\system32\yayAQGvT.dll (file missing)
O2 - BHO: (no name) - {E06E930D-6949-4EB3-ACC7-68279A48892A} - C:\WINDOWS\system32\hgGXrrpQ.dll (file missing)
O2 - BHO: (no name) - {E3249750-AA1A-4A75-8FA5-272BF4C58EAE} - C:\WINDOWS\system32\xxyywxwU.dll (file missing)
O2 - BHO: (no name) - {E44CF5DF-A427-4AAF-A6A8-3AEC30F2EBBF} - C:\WINDOWS\system32\jkkHWQIY.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: gktxaspm - {2890C98D-5959-4A94-A6C2-C59E85462152} - blank (file missing)
O3 - Toolbar: atfxqogp - {9E6CD9DF-5EF9-40F4-84FA-C4842EB1F283} - C:\WINDOWS\atfxqogp.dll (file missing)
O4 - HKLM\..\Run: [MBM 5] "E:\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 2)" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [3c7c2cee] rundll32.exe "C:\WINDOWS\system32\cqorqovu.dll",b
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /M "Stylus CX5400" /EF "HKCU"
O4 - HKCU\..\Run: [WinSpywareProtect (ver. 5.1)] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://142.176.20.26/islandcam/AxisCamControl.ocx
O20 - Winlogon Notify: ssqPggGy - C:\WINDOWS\SYSTEM32\ssqPggGy.dll
O21 - SSODL: ComponentBoot - {2281dd5f-6f4b-4bde-822a-a237b1f49cb4} - C:\WINDOWS\Resources\ComponentBoot.dll
O21 - SSODL: vregfwlx - {F2C6D84C-76E7-412E-B235-97FFA040063D} - C:\WINDOWS\vregfwlx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8360 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 mbmiodrvr - c:\windows\system32\mbmiodrvr.sys <Not Verified; [email protected]; Windows (R) 2000 DDK driver>
R2 tcaicchg - c:\windows\system32\tcaicchg.sys <Not Verified; 3Com Corporation; 3Com Windows NT NIC Diagnostic/Configuration>
R2 TCAITDI (TCAITDI Protocol) - c:\windows\system32\drivers\tcaitdi.sys <Not Verified; 3Com Corporation; 3Com Windows NT NIC Diagnostic TDI Driver>

S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 3Com Gigabit LOM (3C940)
Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\4&2E98101C&0&28F0
Manufacturer: 3Com
Name: 3Com Gigabit LOM (3C940)
PNP Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\4&2E98101C&0&28F0
Service: EL2000


-- Files created between 2008-04-25 and 2008-05-25 -----------------------------

2008-05-25 17:53:34 4884 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-25 17:53:10 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-25 17:53:10 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-25 17:53:10 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-25 17:53:10 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-25 17:53:10 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-25 17:53:09 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-25 17:53:09 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-25 17:53:09 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-25 17:08:20 1495552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2008-05-25 17:08:20 0 d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-25 17:07:01 0 d-------- C:\Program Files\McAfee
2008-05-25 17:07:01 0 d-------- C:\Program Files\Common Files\McAfee
2008-05-25 12:45:14 90624 --a------ C:\WINDOWS\system32\cqorqovu.dll
2008-05-25 12:44:32 698141 --ahs---- C:\WINDOWS\system32\YIQWHkkj.ini2
2008-05-25 12:44:29 318336 --a------ C:\WINDOWS\system32\jkkHWQIY.dll
2008-05-25 11:47:24 693904 --ahs---- C:\WINDOWS\system32\pAGMmUvw.ini2
2008-05-25 10:37:44 694044 --ahs---- C:\WINDOWS\system32\Uwxwyyxx.ini2
2008-05-25 09:10:08 90624 --a------ C:\WINDOWS\system32\ycmtrdrq.dll
2008-05-25 09:09:51 323584 --a------ C:\WINDOWS\vregfwlx.dll
2008-05-25 09:09:50 94208 --a------ C:\WINDOWS\xmpstean.exe
2008-05-25 09:09:50 159744 --a------ C:\WINDOWS\edwf.exe
2008-05-25 09:09:50 266240 --a------ C:\WINDOWS\boqnrwdmstg.dll
2008-05-24 01:10:02 9728 --a------ C:\Program Files\tmp2.exe
2008-05-24 01:10:02 9728 --a------ C:\Program Files\tmp1.exe
2008-05-24 01:10:02 9728 --a------ C:\Program Files\tmp0.exe
2008-05-24 01:09:56 0 d-------- C:\WINDOWS\system32\818646
2008-05-24 00:39:07 90112 --a------ C:\WINDOWS\system32\mutisnwc.dll
2008-05-23 23:48:07 693428 --ahs---- C:\WINDOWS\system32\TvGQAyay.ini2
2008-05-23 22:25:26 1716 --ahs---- C:\WINDOWS\system32\QprrXGgh.ini2
2008-05-23 20:22:00 0 d-------- C:\Documents and Settings\Steve\Application Data\TmpRecentIcons
2008-05-23 20:10:01 62910 --a------ C:\Program Files\Uninstall.exe <Not Verified; $PROGRAMNAME; $PROGRAMNAME>
2008-05-23 20:10:01 0 --a------ C:\Program Files\uninstall.dat
2008-05-23 19:15:51 90112 --a------ C:\WINDOWS\system32\xtbkteks.dll
2008-05-23 19:14:59 1905 --ahs---- C:\WINDOWS\system32\nnTsYcdd.ini2
2008-05-23 19:10:51 29312 --a------ C:\WINDOWS\system32\vtUlKEtt.dll
2008-05-23 19:09:52 29312 --a------ C:\WINDOWS\system32\ssqPggGy.dll
2008-05-23 19:09:45 217088 --a------ C:\WINDOWS\nldfmtapefs.dll
2008-05-23 19:09:45 81920 --a------ C:\WINDOWS\mdtgkswr.exe
2008-05-23 19:09:45 176128 --a------ C:\WINDOWS\gnowmebk.dll
2008-05-23 19:09:45 94208 --a------ C:\WINDOWS\eope.exe


-- Find3M Report ---------------------------------------------------------------

2008-05-25 17:08:20 0 d-------- C:\Program Files\Common Files
2008-04-22 20:18:13 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-04-18 09:28:39 2547 --a------ C:\WINDOWS\unins000.dat
2008-04-18 09:27:18 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-29 11:56:47 0 d-------- C:\Program Files\Google
2008-03-28 14:11:53 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54192079-8E8A-43D8-BCBC-3874916159AF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AB14FEE-E161-455B-9A60-91AE848F8FA0}]
05/23/2008 14:50: VIRUS ALERT! 217088 --a------ C:\WINDOWS\nldfmtapefs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF}]
05/23/2008 19:09: VIRUS ALERT! 29312 --a------ C:\WINDOWS\system32\ssqPggGy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}]
05/24/2008 11:19: VIRUS ALERT! 266240 --a------ C:\WINDOWS\boqnrwdmstg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8912258-3C5F-4C39-AA7F-220239956126}]
C:\WINDOWS\system32\wvUmMGAp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1E9246F-438E-40B0-8BC1-DBB9FE47D745}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6DABF5B-85A6-4A7F-8000-A7D70FEB9597}]
C:\WINDOWS\system32\yayAQGvT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E06E930D-6949-4EB3-ACC7-68279A48892A}]
C:\WINDOWS\system32\hgGXrrpQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3249750-AA1A-4A75-8FA5-272BF4C58EAE}]
C:\WINDOWS\system32\xxyywxwU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E44CF5DF-A427-4AAF-A6A8-3AEC30F2EBBF}]
05/25/2008 12:44: VIRUS ALERT! 318336 --a------ C:\WINDOWS\system32\jkkHWQIY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBM 5"="E:\Motherboard Monitor 5\MBM5.EXE" [06/12/2004 10:40: VIRUS ALERT!]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [07/13/2006 15:11: VIRUS ALERT!]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [11/04/2005 19:07: VIRUS ALERT!]
"CTHelper"="CTHELPER.EXE" [05/24/2006 00:20: VIRUS ALERT! C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [05/24/2006 00:20: VIRUS ALERT! C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 02:00: VIRUS ALERT!]
"TCASUTIEXE"="TCAUDIAG.exe" [02/12/2003 05:55: VIRUS ALERT! C:\WINDOWS\system32\TCAUDIAG.EXE]
"RegistryMechanic"="" []
"EPSON Stylus CX5400 (Copy 2)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [05/26/2003 20:00: VIRUS ALERT!]
"EPSON Stylus CX5400 (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [05/26/2003 20:00: VIRUS ALERT!]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [05/26/2003 20:00: VIRUS ALERT!]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 19:42: VIRUS ALERT!]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54: VIRUS ALERT!]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25: VIRUS ALERT!]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/10/2005 05:21: VIRUS ALERT!]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09: VIRUS ALERT!]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 20:51: VIRUS ALERT!]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 13:35: VIRUS ALERT!]
"3c7c2cee"="C:\WINDOWS\system32\cqorqovu.dll" [05/25/2008 12:45: VIRUS ALERT!]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [11/30/2006 08:50: VIRUS ALERT!]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 13:39: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [05/26/2003 20:00: VIRUS ALERT!]
"Steam"="" []
"WinSpywareProtect (ver. 5.1)"="C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - C:\WINDOWS\system32\cmd.exe [8/23/2001 8:00:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF}"= C:\WINDOWS\system32\ssqPggGy.dll [05/23/2008 19:09: VIRUS ALERT! 29312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ComponentBoot"= {2281dd5f-6f4b-4bde-822a-a237b1f49cb4} - C:\WINDOWS\Resources\ComponentBoot.dll [05/24/2008 01:09: VIRUS ALERT! 14886]
"vregfwlx"= {F2C6D84C-76E7-412E-B235-97FFA040063D} - C:\WINDOWS\vregfwlx.dll [05/24/2008 11:19: VIRUS ALERT! 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPggGy]
ssqPggGy.dll 05/23/2008 19:09: VIRUS ALERT! 29312 C:\WINDOWS\system32\ssqPggGy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkHWQIY

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^MultiRes.lnk]
backup=C:\WINDOWS\pss\MultiRes.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37c2598e-8d40-11db-a7cc-000c6ecf411d}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PortableVaultAES.exe
Explore\command- explorer.exe /n,/e ,.
Launch\command- G:\portablevaultaes.exe

*Newly Created Service* - MCAFEEFRAMEWORK
*Newly Created Service* - MCSHIELD
*Newly Created Service* - MCTASKMANAGER
*Newly Created Service* - MFEAPFK
*Newly Created Service* - MFETDIK



-- End of Deckard's System Scanner: finished at 2008-05-25 18:16:43 ------------

Hi, welcome to TSF!

1.) You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

2.) Reboot into Safe Mode.

To enter Safe Mode:

Click Start > Turn Off Computer > Restart > Tap the F8 key just before Windows starts to load > This will bring up a menu > Use your keyboard to scroll to Safe Mode > Hit Enter.

3.) Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Warning: running option #2 on a non-infected computer will remove your Desktop background.
___________

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
Great, thank you very much for your advice, Angelfire. I'll do these steps tonight and post back as soon as I can.
You're welcome.

I'll be standing by until you're ready.
My apologies for the delayed reply. Work has been very busy this week. :rolleyes:

_________________________

RAPPORT.TXT

SmitFraudFix v2.322

Scan done at 18:38:51.32, Fri 05/30/2008
Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\Resources\ComponentBoot.dll deleted


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\tmp???????.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

_____________________________

COMBOFIX.TXT

ComboFix 08-05-29.1 - Steve 2008-05-30 19:02:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1649 [GMT -4:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\boqnrwdmstg.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\gnowmebk.dll
C:\WINDOWS\nldfmtapefs.dll
C:\WINDOWS\system32\818646
C:\WINDOWS\system32\818646\818646.dll
C:\WINDOWS\system32\cqorqovu.dll
C:\WINDOWS\system32\cwnsitum.ini
C:\WINDOWS\system32\dgivconm.ini
C:\WINDOWS\system32\hynlmyps.ini
C:\WINDOWS\system32\jkkHWQIY.dll
C:\WINDOWS\system32\ljulatyv.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mutisnwc.dll
C:\WINDOWS\system32\nnTsYcdd.ini
C:\WINDOWS\system32\nnTsYcdd.ini2
C:\WINDOWS\system32\pAGMmUvw.ini
C:\WINDOWS\system32\pAGMmUvw.ini2
C:\WINDOWS\system32\QprrXGgh.ini
C:\WINDOWS\system32\QprrXGgh.ini2
C:\WINDOWS\system32\qrdrtmcy.ini
C:\WINDOWS\system32\sketkbtx.ini
C:\WINDOWS\system32\TvGQAyay.ini
C:\WINDOWS\system32\TvGQAyay.ini2
C:\WINDOWS\system32\uvoqroqc.ini
C:\WINDOWS\system32\Uwxwyyxx.ini
C:\WINDOWS\system32\Uwxwyyxx.ini2
C:\WINDOWS\system32\xtbkteks.dll
C:\WINDOWS\system32\ycmtrdrq.dll
C:\WINDOWS\system32\YIQWHkkj.ini
C:\WINDOWS\system32\YIQWHkkj.ini2
C:\WINDOWS\vregfwlx.dll
C:\WINDOWS\xmpstean.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 18:43 . 2008-05-30 18:43 <DIR> d-------- C:\WINDOWS\resources
2008-05-25 18:13 . 2008-05-25 18:13 <DIR> d-------- C:\Deckard
2008-05-25 17:53 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-25 17:53 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-25 17:53 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-25 17:53 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-25 17:53 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-25 17:53 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-25 17:53 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-25 17:53 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-25 17:53 . 2008-05-30 18:39 4,884 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-25 17:08 . 2008-05-25 17:08 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-25 17:08 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-25 09:09 . 2008-05-24 11:19 159,744 --a------ C:\WINDOWS\edwf.exe
2008-05-23 22:55 . 2008-05-24 00:37 354 --ahs---- C:\WINDOWS\system32\dqvvctmw.ini
2008-05-23 20:10 . 2008-05-23 20:10 62,910 --a------ C:\Program Files\Uninstall.exe
2008-05-23 20:10 . 2008-05-23 20:10 0 --a------ C:\Program Files\uninstall.dat
2008-05-23 19:10 . 2008-05-23 19:10 29,312 --a------ C:\WINDOWS\system32\vtUlKEtt.dll
2008-05-23 19:09 . 2008-05-23 14:50 94,208 --a------ C:\WINDOWS\eope.exe
2008-05-23 19:09 . 2008-05-23 14:51 81,920 --a------ C:\WINDOWS\mdtgkswr.exe
2008-05-23 19:09 . 2008-05-23 19:09 29,312 --a------ C:\WINDOWS\system32\ssqPggGy.dll
2008-04-22 20:18 . 2008-04-22 20:18 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-18 09:28 . 2008-04-18 09:27 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-18 09:28 . 2008-04-18 09:28 2,547 --a------ C:\WINDOWS\unins000.dat
2008-04-05 16:55 . 2008-05-23 18:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-05 16:55 . 2008-04-05 16:55 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-24 01:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-29 15:56 --------- d-----w C:\Program Files\Google
2008-03-28 18:11 --------- d-----w C:\Program Files\Java
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2003-04-17 08:16 447,616 -c--a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-04-17 08:15 147,328 -c--a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-04-17 08:15 147,200 -c--a-w C:\WINDOWS\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF}]
2008-05-23 19:09 29312 --a------ C:\WINDOWS\system32\ssqPggGy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8912258-3C5F-4C39-AA7F-220239956126}]
C:\WINDOWS\system32\wvUmMGAp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1E9246F-438E-40B0-8BC1-DBB9FE47D745}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D6DABF5B-85A6-4A7F-8000-A7D70FEB9597}]
C:\WINDOWS\system32\yayAQGvT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E06E930D-6949-4EB3-ACC7-68279A48892A}]
C:\WINDOWS\system32\hgGXrrpQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3249750-AA1A-4A75-8FA5-272BF4C58EAE}]
C:\WINDOWS\system32\xxyywxwU.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9E6CD9DF-5EF9-40F4-84FA-C4842EB1F283}"= "C:\WINDOWS\atfxqogp.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{9e6cd9df-5ef9-40f4-84fa-c4842eb1f283}]
[HKEY_CLASSES_ROOT\atfxqogp.1]
[HKEY_CLASSES_ROOT\TypeLib\{1C2A0CBE-9C8B-49F3-9E56-BD989DB7E8C3}]
[HKEY_CLASSES_ROOT\atfxqogp]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 20:00 99840]
"Steam"="" []
"WinSpywareProtect (ver. 5.1)"="C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBM 5"="E:\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 10:40 594944]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 15:11 122880]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 19:07 49152]
"CTHelper"="CTHELPER.EXE" [2006-05-24 00:20 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 00:20 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"TCASUTIEXE"="TCAUDIAG.exe" [2003-02-12 05:55 1334784 C:\WINDOWS\system32\TCAUDIAG.EXE]
"RegistryMechanic"="" []
"EPSON Stylus CX5400 (Copy 2)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 20:00 99840]
"EPSON Stylus CX5400 (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 20:00 99840]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 20:00 99840]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 05:21 217088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF}"= C:\WINDOWS\system32\ssqPggGy.dll [2008-05-23 19:09 29312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqPggGy]
ssqPggGy.dll 2008-05-23 19:09 29312 C:\WINDOWS\system32\ssqPggGy.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^MultiRes.lnk]
backup=C:\WINDOWS\pss\MultiRes.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a--c--- 2003-04-23 08:39 581632 C:\Program Files\Analog Devices\SoundMAX\smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a--c--- 2003-04-04 13:38 774144 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Steam\\SteamApps\\[email protected]\\counter-strike\\hl.exe"=
"D:\\Steam\\SteamApps\\roudebush\\condition zero\\hl.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Steam\\SteamApps\\[email protected]\\day of defeat\\hl.exe"=
"D:\\Steam\\SteamApps\\[email protected]\\condition zero\\hl.exe"=
"D:\\Steam\\SteamApps\\[email protected]\\counter-strike source\\hl2.exe"=
"D:\\Steam\\SteamApps\\roudebush\\counter-strike\\hl.exe"=

R2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 14:08]
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 07:22]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-05-23 23:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37c2598e-8d40-11db-a7cc-000c6ecf411d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL PortableVaultAES.exe
\Shell\Explore\command - explorer.exe /n,/e ,.
\Shell\Launch\command - G:\portablevaultaes.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 19:08:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ssqPggGy.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CTXFISPI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\NetFx20SP1_x86.exe
E:\99826a448a731c9e6eef\Setup.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-05-30 19:11:01 - machine was rebooted [Steve]
ComboFix-quarantined-files.txt 2008-05-30 23:10:52

Pre-Run: 1,998,782,464 bytes free
Post-Run: 1,876,910,080 bytes free

199 --- E O F --- 2008-05-25 16:44:05
Hi,

You don't have the Windows Recovery Console installed. Whilst it may not be needed at this time, current infections tend to patch a lot of critical system files now; these often result in multiple problems and sometimes they can cause unbootable machines. Having the Windows Recovery Console installed on your machine will help you and me in case something goes wrong while we are in the process of cleaning your machine.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'No'.
  • When the tool is finished, it will produce a report for you.
Please post the report that the tool created along with a fresh HijackThis log.