PDA

View Full Version : no pics in browser, computer freezes, regenerating files.


joshwg
2009-03-18, 23:49
Computer #2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:13 PM, on 3/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8a32e8dd-ee22-4e60-a38d-dbf6f51e3139} - C:\Program Files\Dallas Cowboys\Helper.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57336c30-5a80-4e16-a92c-210e73324b16} - (no file)
O2 - BHO: (no name) - {5f60a1b6-2ca1-4a3a-8b7c-6719bde2cd2e} - (no file)
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O3 - Toolbar: Dallas Cowboys - {27E7F580-724E-46EB-846F-96C2396D23ED} - C:\Program Files\Dallas Cowboys\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {DDA28099-DACF-415D-A5A8-BB134FCA3D6A} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [rayihepuzu] Rundll32.exe "C:\WINDOWS\system32\sirivepe.dll",s
O4 - HKLM\..\Run: [CPM655c9a27] Rundll32.exe "c:\windows\system32\vapodilu.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-20\..\Run: [rayihepuzu] Rundll32.exe "C:\WINDOWS\system32\sirivepe.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Search - ?p=ZNxmk572YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: vdcgjd.dll auvhte.dll aijkvc.dll jwaqmp.dll bpxjfj.dll c:\windows\system32\ wriimy.dll c:\windows\system32\ c:\windows\system32\juriyuyi.dll c:\windows\system32\rigebevu.dll yizrhc.dll ,
O21 - SSODL: ydCwtx - {666FA915-CCC5-03BF-F638-DD3A7CCDD75C} - (no file)
O21 - SSODL: qadovnel - {3DB9943C-0185-4954-B2B1-22C33B10C4DA} - (no file)
O21 - SSODL: bdkpfxqw - {4AC94519-4650-469A-8279-D1E074018AD1} - (no file)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O24 - Desktop Component 0: my current home page - about:home

--
End of file - 5426 bytes
Blade81
2009-03-21, 10:58
Hi


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
joshwg
2009-03-24, 23:03
thanks in advance for the help!

ComboFix 09-03-23.01 - Administrator 2009-03-24 17:23:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.284 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\New Folder\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp
c:\windows\system32\404Fix.exe
c:\windows\system32\aradowag.ini
c:\windows\system32\bndqlv.dll
c:\windows\system32\bpxjfj.dll
c:\windows\system32\depohowi.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\eLnqrBeg.ini
c:\windows\system32\eLnqrBeg.ini2
c:\windows\system32\fagotipo.dll
c:\windows\system32\fiddiecu.ini
c:\windows\system32\gazafasi.dll
c:\windows\system32\ibmooxjm.ini
c:\windows\system32\IEDFix.exe
c:\windows\system32\juoktjst.ini
c:\windows\system32\jvjaxakc.ini
c:\windows\system32\kakufuga.dll
c:\windows\system32\komckwju.ini
c:\windows\system32\lopivasa.dll
c:\windows\system32\lowehizi.dll
c:\windows\system32\mepavuhi.dll
c:\windows\system32\owilatak.ini
c:\windows\system32\Process.exe
c:\windows\system32\rakoyopo.dll.tmp
c:\windows\system32\romemazu.dll
c:\windows\system32\sabafiru.dll.tmp
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tkdnjsev.ini
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vdcgjd.dll
c:\windows\system32\waiwbmjg.ini
c:\windows\system32\woqrki.dll
c:\windows\system32\wriimy.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\wslknnqf.ini
c:\windows\system32\xnatrhty.ini
c:\windows\system32\yvcwunvt.ini
c:\windows\system32\zajasuvu.dll
c:\windows\system32\zukidudu.dll.tmp
c:\windows\system32\zuyisuro.dll
c:\windows\system32\zwwuzo.dll
c:\windows\Tasks\awtbnljo.job

c:\windows\system32\lsass.exe . . . is infected!!

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\system32\services.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\$NtUninstallKB896423$\spoolsv.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$NtUninstallKB938828$\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-03 21:02 . 2009-03-03 21:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-03 21:02 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 21:01 . 2009-03-03 21:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 21:01 . 2009-03-03 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 21:01 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 01:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-28 01:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 23:13 --------- d-----w c:\program files\RegCure
2009-02-11 22:39 --------- d-----w c:\program files\ERUNT
2009-02-11 22:27 --------- d-----w c:\program files\Trend Micro
2009-02-10 22:56 --------- d-----w c:\program files\Google
2009-02-07 21:06 --------- d-----w c:\documents and settings\NetworkService\Application Data\Webroot
2009-02-07 19:14 --------- d-----w c:\documents and settings\LocalService\Application Data\Webroot
2009-01-31 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-31 14:37 --------- d-----w c:\program files\Norton AntiVirus
2007-07-28 11:58 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-04 04:00 17408 1de5e1a075d8015d469af962f1c19990 c:\windows\system32\svchost.exe

2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-08-04 04:00 506368 2c504621d1acf3b511c652d356c6c320 c:\windows\system32\winlogon.exe

2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-04 04:00 110592 18683310e91a4218f3b3522abdcd3f09 c:\windows\system32\services.exe

2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-04 04:00 14848 6ea25e21c1f98e10ccc047409c639596 c:\windows\system32\lsass.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}"= "c:\program files\Dallas Cowboys\Helper.dll" [2008-10-14 225280]

[HKEY_CLASSES_ROOT\clsid\{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{A79DCA30-7864-4B9E-9C6B-EBD5DBD015F2}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-07 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
backup=c:\windows\pss\MiniMavis.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inetchk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jsf8uiw3jnjgffght
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tezrtsjhfr84iusjfo84f
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ttool

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-15 13:38 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a--c--- 2004-12-31 17:14 469824 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-07 18:41 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a--c--- 2003-11-06 09:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 16:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 17:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 03:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-03 16:03 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"AVG Anti-Spyware Guard"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 hpah;hpah;c:\windows\system32\drivers\stbimf.sys --> c:\windows\system32\drivers\stbimf.sys [?]
S1 313ba0ec;313ba0ec;c:\windows\system32\drivers\313ba0ec.sys --> c:\windows\system32\drivers\313ba0ec.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-03-13 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{57336c30-5a80-4e16-a92c-210e73324b16} - (no file)
BHO-{5f60a1b6-2ca1-4a3a-8b7c-6719bde2cd2e} - (no file)
Toolbar-SITEguard - (no file)
HKLM-Run-rayihepuzu - c:\windows\system32\sirivepe.dll
HKLM-Run-CPM655c9a27 - c:\windows\system32\vapodilu.dll
SSODL-ydCwtx-{666FA915-CCC5-03BF-F638-DD3A7CCDD75C} - (no file)
MSConfigStartUp-666fa9bb - c:\windows\system32\nupodate.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-cpm655c9a27 - c:\windows\system32\kejepuha.dll
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-rayihepuzu - c:\windows\system32\zukidudu.dll
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-sysguard - c:\windows\sysguard.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-VirusIsolator - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://globaldiscoveryvacations.com/
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZNxmk572YYUS
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 17:27:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-24 17:31:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-24 21:31:37

Pre-Run: 67,669,590,016 bytes free
Post-Run: 67,664,171,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

249 --- E O F --- 2009-01-10 00:39:09

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:46 PM, on 3/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8a32e8dd-ee22-4e60-a38d-dbf6f51e3139} - C:\Program Files\Dallas Cowboys\Helper.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)
O3 - Toolbar: Dallas Cowboys - {27E7F580-724E-46EB-846F-96C2396D23ED} - C:\Program Files\Dallas Cowboys\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O24 - Desktop Component 0: my current home page - about:home

--
End of file - 4519 bytes
Blade81
2009-03-25, 16:31
Hi again,

Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/us/languages/english/check.html?n=1225554235248)

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



Read the requirements and privacy statement then click on the Accept button.



The program will launch and start to download the latest definition files.



You will be prompted to install an application from Kaspersky. Click Run



Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives



Click on My Computer under Scan.



Once the scan is complete, it will display the results. Click on View Scan Report.



Click on Save Report As....



Change the Files of type to Text file (.txt) before clicking on the Save button.



Save this report to a convenient place.



Copy and paste that information into your topic.



The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
joshwg
2009-03-26, 03:06
Wednesday, March 25, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, March 26, 2009 00:38:43
Records in database: 1970486


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
Z:\

Scan statistics
Files scanned 64099
Threat name 8
Infected objects 23
Suspicious objects 0
Duration of the scan 01:14:03

File name Threat name Threats count
C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\services.exe/C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\lsass.exe/C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\svchost.exe/C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.aa 4

C:\WINDOWS\System32\svchost.exe/C:\WINDOWS\System32\svchost.exe Infected: Trojan.Win32.Patched.aa 1

C:\Documents and Settings\Administrator\My Documents\InstallAVg_770522166350.exe Infected: Packed.Win32.Katusha.a 1

C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1

C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\depohowi.dll.vir Infected: Trojan.Win32.Monder.avtz 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\gazafasi.dll.vir Infected: Trojan.Win32.Monder.avtz 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\lopivasa.dll.vir Infected: Packed.Win32.Mondera.b 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\spoolsv.exe.vir Infected: Trojan.Win32.Patched.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\vdcgjd.dll.vir Infected: Trojan.Win32.Agent.bqeg 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DER4TUV\inst[1].php Infected: Worm.Win32.AutoRun.evs 1

C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\sesombqe.dll Infected: Trojan.Win32.Monder.atjd 1

C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa 1

C:\WINDOWS\system32\xbjkib.dll Infected: Trojan.Win32.Monder.atjd 1

The selected area was scanned.
Blade81
2009-03-26, 16:03
Hi again,


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Upload following files one by one to http://www.virustotal.com and post back the results:
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
joshwg
2009-03-26, 22:32
a-squared 4.0.0.101 2009.03.26 -
AhnLab-V3 5.0.0.2 2009.03.26 -
AntiVir 7.9.0.129 2009.03.26 -
Antiy-AVL 2.0.3.1 2009.03.26 -
Authentium 5.1.2.4 2009.03.26 -
Avast 4.8.1335.0 2009.03.25 -
AVG 8.5.0.283 2009.03.26 -
BitDefender 7.2 2009.03.26 -
CAT-QuickHeal 10.00 2009.03.26 -
ClamAV 0.94.1 2009.03.26 -
Comodo 1085 2009.03.26 -
DrWeb 4.44.0.09170 2009.03.26 -
eSafe 7.0.17.0 2009.03.26 -
eTrust-Vet 31.6.6418 2009.03.26 -
F-Prot 4.4.4.56 2009.03.26 -
F-Secure 8.0.14470.0 2009.03.26 -
Fortinet 3.117.0.0 2009.03.26 -
GData 19 2009.03.26 -
Ikarus T3.1.1.48.0 2009.03.26 -
K7AntiVirus 7.10.682 2009.03.26 -
Kaspersky 7.0.0.125 2009.03.26 -
McAfee 5565 2009.03.26 -
McAfee+Artemis 5565 2009.03.26 -
McAfee-GW-Edition 6.7.6 2009.03.26 -
Microsoft 1.4502 2009.03.26 -
NOD32 3966 2009.03.26 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.26 -
Panda 10.0.0.10 2009.03.26 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.26 -
Rising 21.22.32.00 2009.03.26 -
Sophos 4.40.0 2009.03.26 -
Sunbelt 3.2.1858.2 2009.03.26 -
Symantec 1.4.4.12 2009.03.26 -
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.26 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.26 -
Additional information
File size: 14336 bytes
MD5...: 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1..: 49083ae3725a0488e0a8fbbe1335c745f70c4667
SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
SHA512: 1ea76bd898f96603f3aec695eb7bedcef8b4e1b27253ecb98035ac5ea42745c0
da6b5523f8848cb0e6acb58710d8f2973368763e7b3895fa28d999552c9030d3
ssdeep: 384:IDvi+JmG6yqlCRaJt4RHS5LutGJae7g9VJnpWCNJbW:INcG6xlCRaJKGOA7S
HJ

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2509
timedatestamp.....: 0x48025bc0 (Sun Apr 13 19:15:12 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 f6589e1ed3da6afefb0b4294d9ff7f2e
.data 0x4000 0x210 0x200 1.62 cbd504e46c836e09e8faabdcfbabaec2
.rsrc 0x5000 0x408 0x600 2.51 dcede0c303bbb48c6875eb64477e5882

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )

RDS...: NSRL Reference Data Set
-
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=27c6d03bcdb8cfeb96b716f3d8be3e18' target='_blank'>http://www.threatexpert.com/report.aspx?md5=27c6d03bcdb8cfeb96b716f3d8be3e18</a>

a-squared 4.0.0.101 2009.03.26 -
AhnLab-V3 5.0.0.2 2009.03.26 -
AntiVir 7.9.0.129 2009.03.26 -
Antiy-AVL 2.0.3.1 2009.03.26 -
Authentium 5.1.2.4 2009.03.26 -
Avast 4.8.1335.0 2009.03.25 -
AVG 8.5.0.283 2009.03.26 -
BitDefender 7.2 2009.03.26 -
CAT-QuickHeal 10.00 2009.03.26 -
ClamAV 0.94.1 2009.03.26 -
Comodo 1085 2009.03.26 -
DrWeb 4.44.0.09170 2009.03.26 -
eSafe 7.0.17.0 2009.03.26 -
eTrust-Vet 31.6.6418 2009.03.26 -
F-Prot 4.4.4.56 2009.03.26 -
F-Secure 8.0.14470.0 2009.03.26 -
Fortinet 3.117.0.0 2009.03.26 -
GData 19 2009.03.26 -
Ikarus T3.1.1.48.0 2009.03.26 -
K7AntiVirus 7.10.682 2009.03.26 -
Kaspersky 7.0.0.125 2009.03.26 -
McAfee 5565 2009.03.26 -
McAfee+Artemis 5565 2009.03.26 -
McAfee-GW-Edition 6.7.6 2009.03.26 -
Microsoft 1.4502 2009.03.26 -
NOD32 3966 2009.03.26 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.26 -
Panda 10.0.0.10 2009.03.26 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.26 -
Rising 21.22.32.00 2009.03.26 -
Sophos 4.40.0 2009.03.26 -
Sunbelt 3.2.1858.2 2009.03.26 -
Symantec 1.4.4.12 2009.03.26 -
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.26 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.26 -
Additional information
File size: 507904 bytes
MD5...: ed0ef0a136dec83df69f04118870003e
SHA1..: f77a7cd78877527023ebfb35e83b75ef59d3df07
SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e
SHA512: c7de542a3298dc4a6dd40fce4dc839042384ef60774097d0717f66efae89bf30
09a0b758b896ba8dbb810d8867a168082d87d3c82d59e009bfe04b48f19556e4
ssdeep: 6144:kNZlxEdL5RvGlcHF37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:jdz+
lcDKao6nSKHsRqOMgxZg

PEiD..: -
TrID..: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3e5e1
timedatestamp.....: 0x48027549 (Sun Apr 13 21:04:09 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x70991 0x70a00 6.82 39d0278af55c2446adf638b9f0236aff
.data 0x72000 0x4e70 0x2000 6.28 44bd27282514b5e3a27b570106930d8d
.rsrc 0x77000 0x9020 0x9200 3.62 8b50f3590d97bb27639f10bacbc53187

( 20 imports )
> ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
> AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
> CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
> GDI32.dll: RemoveFontResourceW, AddFontResourceW
> KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
> msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
> NDdeApi.dll: -, -, -, -
> ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
> PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
> PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
> REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
> RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
> Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
> USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
> USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
> VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
> WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
> WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
> WS2_32.dll: -, -, getaddrinfo

( 0 exports )

RDS...: NSRL Reference Data Set
-
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=ed0ef0a136dec83df69f04118870003e' target='_blank'>http://www.threatexpert.com/report.aspx?md5=ed0ef0a136dec83df69f04118870003e</a>

a-squared 4.0.0.101 2009.03.26 -
AhnLab-V3 5.0.0.2 2009.03.26 -
AntiVir 7.9.0.129 2009.03.26 -
Antiy-AVL 2.0.3.1 2009.03.26 -
Authentium 5.1.2.4 2009.03.26 -
Avast 4.8.1335.0 2009.03.25 -
AVG 8.5.0.283 2009.03.26 -
BitDefender 7.2 2009.03.26 -
CAT-QuickHeal 10.00 2009.03.26 -
ClamAV 0.94.1 2009.03.26 -
Comodo 1085 2009.03.26 -
DrWeb 4.44.0.09170 2009.03.26 -
eSafe 7.0.17.0 2009.03.26 Win32.Banker
eTrust-Vet 31.6.6418 2009.03.26 -
F-Prot 4.4.4.56 2009.03.26 -
F-Secure 8.0.14470.0 2009.03.26 -
Fortinet 3.117.0.0 2009.03.26 -
GData 19 2009.03.26 -
Ikarus T3.1.1.48.0 2009.03.26 -
K7AntiVirus 7.10.682 2009.03.26 -
Kaspersky 7.0.0.125 2009.03.26 -
McAfee 5565 2009.03.26 -
McAfee+Artemis 5565 2009.03.26 -
McAfee-GW-Edition 6.7.6 2009.03.26 -
Microsoft 1.4502 2009.03.26 -
NOD32 3966 2009.03.26 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.26 -
Panda 10.0.0.10 2009.03.26 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.26 -
Rising 21.22.32.00 2009.03.26 -
Sophos 4.40.0 2009.03.26 -
Sunbelt 3.2.1858.2 2009.03.26 -
Symantec 1.4.4.12 2009.03.26 -
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.26 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.26 -
Additional information
File size: 108544 bytes
MD5...: 0e776ed5f7cc9f94299e70461b7b8185
SHA1..: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf
SHA256: 22750b3829133d1d4bb3ce2fa6247be2373b5d15a6ed1c8a71673aa1ce7d9530
SHA512: aa2db559fca0a95282f6e86f672be2d1253d11124ed8b6be21799b78ef8890d8
d6de0263754c7d52b29532c2bad7e892aba8db2d4db07d68459326ddb03e9629
ssdeep: 3072:moK+l4lDQ+Anfn0LcsBhuvIg2fPCaGzh:m/lE+E0LNhDfPhG

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xc15b
timedatestamp.....: 0x48025b9a (Sun Apr 13 19:14:34 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x18f35 0x19000 6.26 bed3e26782956f737fabacb625fa10f1
.data 0x1a000 0xa30 0xc00 1.78 486e711917101f0eb3dc0d8986335fee
.rsrc 0x1b000 0x7a0 0x800 3.13 37626f0277e3ec55e3e5d0b205b00964

( 10 imports )
> ADVAPI32.dll: RegOpenKeyW, ConvertSidToStringSidW, LogonUserExW, LsaStorePrivateData, LsaLookupNames, LsaQueryInformationPolicy, OpenThreadToken, RegNotifyChangeKeyValue, InitializeSecurityDescriptor, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerW, SetServiceStatus, SystemFunction029, SystemFunction005, CheckTokenMembership, FreeSid, AllocateAndInitializeSid, SetSecurityDescriptorOwner, GetSecurityDescriptorDacl, GetLengthSid, CopySid, InitializeAcl, AddAce, SetSecurityDescriptorDacl, LsaOpenPolicy, LsaLookupSids, LsaFreeMemory, LsaClose, ImpersonateLoggedOnUser, CreateProcessAsUserW, GetTokenInformation, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, InitiateSystemShutdownW, RevertToSelf
> KERNEL32.dll: TerminateProcess, SetProcessShutdownParameters, lstrcmpiW, FormatMessageW, ExitThread, ReleaseMutex, DelayLoadFailureHook, RaiseException, GetExitCodeThread, SetErrorMode, SetUnhandledExceptionFilter, LoadLibraryA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcess, UnhandledExceptionFilter, GetModuleHandleA, CreateMutexW, LocalAlloc, LocalFree, Sleep, LeaveCriticalSection, EnterCriticalSection, SetLastError, CloseHandle, CreateThread, GetLastError, CreateProcessW, ExpandEnvironmentStringsW, InitializeCriticalSection, HeapAlloc, HeapFree, SetConsoleCtrlHandler, WaitForSingleObject, HeapCreate, FreeLibrary, GetProcAddress, GetModuleHandleExW, InterlockedCompareExchange, CreateNamedPipeW, ReadFile, CancelIo, GetOverlappedResult, WaitForMultipleObjects, ConnectNamedPipe, TransactNamedPipe, WriteFile, GetTickCount, GetSystemTimeAsFileTime, GetModuleHandleW, GetComputerNameW, CreateEventW, SetEvent, ResetEvent, DeviceIoControl, CreateFileW, ResumeThread, GetCurrentProcessId, LoadLibraryW, GetDriveTypeW, OpenEventW, GetCurrentThread
> msvcrt.dll: wcsrchr, time, _except_handler3, memmove, wcschr, _c_exit, _exit, _XcptFilter, _cexit, _wcsicmp, exit, __initenv, __getmainargs, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, wcslen, wcsncmp, _wtol, wcscpy, _itow, _wcsnicmp, wcscat, _initterm, wcsncpy, wcscspn, _ultow
> NCObjAPI.DLL: WmiSetAndCommitObject, WmiEventSourceConnect, WmiCreateObjectWithFormat
> ntdll.dll: RtlCreateAcl, NtCreateKey, NtQueryValueKey, NtSetValueKey, NtDeleteValueKey, NtEnumerateKey, NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, NtDeleteKey, RtlSetControlSecurityDescriptor, RtlValidSecurityDescriptor, RtlLengthSecurityDescriptor, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtAccessCheckAndAuditAlarm, NtSetInformationThread, NtAdjustPrivilegesToken, NtDuplicateToken, NtOpenProcessToken, NtQueryInformationToken, RtlQuerySecurityObject, RtlAddAccessAllowedAce, RtlValidRelativeSecurityDescriptor, RtlMapGenericMask, RtlCopyUnicodeString, NtSetInformationFile, NtQueryInformationFile, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, NtWaitForSingleObject, NtQueryDirectoryFile, NtDeleteFile, NtSetInformationProcess, RtlUnhandledExceptionFilter, NtSetEvent, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, RtlAllocateHeap, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlConvertSharedToExclusive, RtlConvertExclusiveToShared, RtlRegisterWait, RtlGetNtProductType, RtlEqualUnicodeString, RtlLengthSid, RtlCopySid, RtlUnicodeStringToAnsiString, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlNewSecurityObject, RtlAddAce, RtlSetOwnerSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetSaclSecurityDescriptor, RtlSubAuthorityCountSid, NtOpenDirectoryObject, NtQueryDirectoryObject, RtlCompareUnicodeString, NtLoadDriver, NtUnloadDriver, RtlExpandEnvironmentStrings_U, RtlAdjustPrivilege, NtFlushKey, NtOpenFile, RtlDosPathNameToNtPathName_U, NtOpenSymbolicLinkObject, NtQuerySymbolicLinkObject, RtlFreeUnicodeString, RtlAreAllAccessesGranted, NtDeleteObjectAuditAlarm, NtCloseObjectAuditAlarm, RtlQueueWorkItem, RtlCopyLuid, RtlDeregisterWait, RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlInitializeResource, RtlDeleteSecurityObject, RtlLockBootStatusData, RtlGetSetBootStatusData, RtlUnlockBootStatusData, NtInitializeRegistry, NtQueryKey, NtClose, RtlInitUnicodeString, NtSetSystemEnvironmentValue, RtlNtStatusToDosError, NtShutdownSystem, RtlSetSecurityObject, RtlMakeSelfRelativeSD, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtSetSecurityObject
> RPCRT4.dll: RpcServerRegisterAuthInfoW, RpcBindingFree, RpcEpResolveBinding, RpcBindingFromStringBindingW, RpcStringBindingComposeW, NdrClientCall2, RpcAsyncCompleteCall, RpcAsyncInitializeHandle, NdrAsyncServerCall, NdrAsyncClientCall, RpcMgmtStopServerListening, RpcMgmtWaitServerListen, NdrServerCall2, I_RpcBindingIsClientLocal, RpcRevertToSelf, I_RpcMapWin32Status, RpcImpersonateClient, RpcStringBindingParseW, RpcStringFreeW, RpcBindingToStringBindingW, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcServerRegisterIf, RpcServerListen, RpcServerUnregisterIf
> SCESRV.dll: ScesrvInitializeServer, ScesrvTerminateServer
> umpnpmgr.dll: RegisterScmCallback, PNP_SetActiveService, PNP_GetDeviceRegProp, PNP_GetDeviceListSize, PNP_GetDeviceList, PNP_HwProfFlags, RegisterServiceNotification, DeleteServicePlugPlayRegKeys
> USER32.dll: wsprintfW, BroadcastSystemMessageW, MessageBoxW, LoadStringW, RegisterServicesProcess
> USERENV.dll: UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW, DestroyEnvironmentBlock

( 0 exports )

RDS...: NSRL Reference Data Set
-
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=0e776ed5f7cc9f94299e70461b7b8185' target='_blank'>http://www.threatexpert.com/report.aspx?md5=0e776ed5f7cc9f94299e70461b7b8185</a>

a-squared 4.0.0.101 2009.03.26 -
AhnLab-V3 5.0.0.2 2009.03.26 -
AntiVir 7.9.0.126 2009.03.26 -
Antiy-AVL 2.0.3.1 2009.03.26 -
Authentium 5.1.2.4 2009.03.26 -
Avast 4.8.1335.0 2009.03.25 -
AVG 8.5.0.283 2009.03.26 -
BitDefender 7.2 2009.03.26 -
CAT-QuickHeal 10.00 2009.03.26 -
ClamAV 0.94.1 2009.03.26 -
Comodo 1084 2009.03.25 -
DrWeb 4.44.0.09170 2009.03.26 -
eSafe 7.0.17.0 2009.03.25 -
eTrust-Vet 31.6.6418 2009.03.26 -
F-Prot 4.4.4.56 2009.03.26 -
F-Secure 8.0.14470.0 2009.03.26 -
Fortinet 3.117.0.0 2009.03.26 -
GData 19 2009.03.26 -
Ikarus T3.1.1.48.0 2009.03.26 -
K7AntiVirus 7.10.680 2009.03.24 -
Kaspersky 7.0.0.125 2009.03.26 -
McAfee 5564 2009.03.25 -
McAfee+Artemis 5564 2009.03.25 -
McAfee-GW-Edition 6.7.6 2009.03.26 -
Microsoft 1.4502 2009.03.26 -
NOD32 3965 2009.03.26 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.26 -
Panda 10.0.0.10 2009.03.26 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.26 -
Rising 21.22.32.00 2009.03.26 -
Sophos 4.39.0 2009.03.26 -
Sunbelt 3.2.1858.2 2009.03.26 -
Symantec 1.4.4.12 2009.03.26 -
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.26 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.25 -
Additional information
File size: 13312 bytes
MD5...: bf2466b3e18e970d8a976fb95fc1ca85
SHA1..: de5a73cbb5f51f64c53fb4277ef2c23e70db123f
SHA256: f7794b5d12dc5d820a162850f4388e2aa80426ad07cb221799cf941c682ab501
SHA512: c1f09ab3ad3b892f009270eb5325d801435ff2ffbf1354e66e333025634b707a
4cedf58a6b306efdddfcb1c010767983000d72dc5935240455f98f4490f551d4
ssdeep: 384:ggHUJZXmtGDWkzLWT4a8WfMptsN0BhgO49:338z4zRfMpy0BF4

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14bd
timedatestamp.....: 0x48025186 (Sun Apr 13 18:31:34 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10d0 0x1200 6.00 7d33d24893e1db0fa0ecbd7a8fa637bd
.data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250
.rsrc 0x4000 0x1b30 0x1c00 7.15 54488850c25258396b2c9492c36b0bd5

( 5 imports )
> ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf
> KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery
> ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter
> LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo
> SAMSRV.dll: SamIInitialize, SampUsingDsData

( 0 exports )

RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=bf2466b3e18e970d8a976fb95fc1ca85
Blade81
2009-03-26, 22:55
Hi

Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - (no file)

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:



Driver::
hpah
313ba0ec

File::
c:\windows\system32\drivers\stbimf.sys
c:\windows\system32\drivers\313ba0ec.sys

FCopy::
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe | c:\windows\system32\services.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe | c:\windows\system32\lsass.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\inetchk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jsf8uiw3jnjgffght]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tezrtsjhfr84iusjfo84f]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ttool]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please re-run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner).


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
joshwg
2009-03-28, 17:00
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 28, 2009 14:02:52
Records in database: 1981050
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
Z:\

Scan statistics:
Files scanned: 60857
Threat name: 8
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 01:09:48


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\My Documents\InstallAVg_770522166350.exe Infected: Packed.Win32.Katusha.a 1
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\depohowi.dll.vir Infected: Trojan.Win32.Monder.avtz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gazafasi.dll.vir Infected: Trojan.Win32.Monder.avtz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lopivasa.dll.vir Infected: Packed.Win32.Mondera.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsass.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\services.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spoolsv.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vdcgjd.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Infected: Trojan.Win32.Patched.aa 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DER4TUV\inst[1].php Infected: Worm.Win32.AutoRun.evs 1
C:\WINDOWS\system32\sesombqe.dll Infected: Trojan.Win32.Monder.atjd 1
C:\WINDOWS\system32\xbjkib.dll Infected: Trojan.Win32.Monder.atjd 1

The selected area was scanned.

ComboFix 09-03-26.03 - Administrator 2009-03-27 17:44:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.292 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\New Folder\cfscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\313ba0ec.sys
c:\windows\system32\drivers\stbimf.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe --> c:\windows\system32\svchost.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe --> c:\windows\system32\services.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe --> c:\windows\system32\lsass.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_313ba0ec
-------\Service_hpah


((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-25 17:59 . 2009-03-25 18:00 1,374 --a------ c:\windows\imsins.BAK
2009-03-03 21:02 . 2009-03-03 21:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-03 21:02 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 21:01 . 2009-03-03 21:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 21:01 . 2009-03-03 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 21:01 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 01:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-28 01:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 23:13 --------- d-----w c:\program files\RegCure
2009-02-11 22:39 --------- d-----w c:\program files\ERUNT
2009-02-11 22:27 --------- d-----w c:\program files\Trend Micro
2009-02-10 22:56 --------- d-----w c:\program files\Google
2009-02-07 21:06 --------- d-----w c:\documents and settings\NetworkService\Application Data\Webroot
2009-02-07 19:14 --------- d-----w c:\documents and settings\LocalService\Application Data\Webroot
2009-01-31 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-31 14:37 --------- d-----w c:\program files\Norton AntiVirus
2007-07-28 11:58 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-24_17.30.39.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 10:20:05 1,847,424 ----a-w c:\windows\$hf_mig$\KB958690\SP2QFE\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\$hf_mig$\KB958690\SP3GDR\win32k.sys
+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 06:41:26 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP2QFE\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3GDR\schannel.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
+ 2008-07-03 13:03:29 8,460,800 ----a-w c:\windows\$hf_mig$\KB967715\SP2QFE\shell32.dll
+ 2008-02-15 09:06:21 351,744 ----a-w c:\windows\$hf_mig$\KB967715\SP2QFE\xpsp3res.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\$hf_mig$\KB967715\SP3GDR\shell32.dll
+ 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-10-16 20:38:34 124,928 ------w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 ------w c:\windows\system32\dllcache\advpack.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 ------w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 ------w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ------w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ------w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ------w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 13:00:00 13,312 ----a-w c:\windows\system32\dllcache\lsass.exe
- 2008-10-16 20:38:37 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ------w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 01:35:14 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
- 2007-04-25 14:21:15 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
+ 2008-12-05 07:12:45 144,896 ------w c:\windows\system32\dllcache\schannel.dll
+ 2004-08-04 13:00:00 108,032 ----a-w c:\windows\system32\dllcache\services.exe
- 2007-10-26 03:36:51 8,454,656 -c----w c:\windows\system32\dllcache\shell32.dll
+ 2008-07-03 13:16:57 8,454,656 ------w c:\windows\system32\dllcache\shell32.dll
- 2008-08-28 10:04:17 333,056 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 ------w c:\windows\system32\dllcache\srv.sys
+ 2004-08-04 13:00:00 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
- 2008-10-16 20:38:39 105,984 ------w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 ------w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
- 2008-09-15 11:57:41 1,846,016 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 10:19:34 1,846,272 ------w c:\windows\system32\dllcache\win32k.sys
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 13:00:00 502,272 ----a-w c:\windows\system32\dllcache\winlogon.exe
- 2008-08-28 10:04:17 333,056 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-12-11 11:57:21 333,184 ----a-w c:\windows\system32\drivers\srv.sys
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-11-20 21:57:26 1,433,712 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-25 22:21:30 1,433,712 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2009-02-25 16:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 01:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll
- 2009-03-24 21:20:15 52,764 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-24 21:31:05 52,764 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-24 21:20:15 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-24 21:31:05 380,350 ----a-w c:\windows\system32\perfh009.dat
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-04-25 14:21:15 144,896 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 07:12:45 144,896 ----a-w c:\windows\system32\schannel.dll
- 2007-10-26 03:36:51 8,454,656 ----a-w c:\windows\system32\shell32.dll
+ 2008-07-03 13:16:57 8,454,656 ----a-w c:\windows\system32\shell32.dll
- 2007-07-27 14:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
+ 2009-02-09 10:19:34 1,846,272 ----a-w c:\windows\system32\win32k.sys
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}"= "c:\program files\Dallas Cowboys\Helper.dll" [2008-10-14 225280]

[HKEY_CLASSES_ROOT\clsid\{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{A79DCA30-7864-4B9E-9C6B-EBD5DBD015F2}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-07 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
backup=c:\windows\pss\MiniMavis.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-15 13:38 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a--c--- 2004-12-31 17:14 469824 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-07 18:41 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a--c--- 2003-11-06 09:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 16:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 17:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 03:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-03 16:03 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"AVG Anti-Spyware Guard"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-03-13 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://globaldiscoveryvacations.com/
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZNxmk572YYUS
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 17:48:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-27 17:51:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-27 21:51:01
ComboFix2.txt 2009-03-24 21:31:40

Pre-Run: 67,278,966,784 bytes free
Post-Run: 67,328,126,976 bytes free

369 --- E O F --- 2009-03-25 22:01:43

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:50 PM, on 3/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8a32e8dd-ee22-4e60-a38d-dbf6f51e3139} - C:\Program Files\Dallas Cowboys\Helper.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dallas Cowboys - {27E7F580-724E-46EB-846F-96C2396D23ED} - C:\Program Files\Dallas Cowboys\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572YYUS
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: my current home page - about:home

--
End of file - 4829 bytes
Blade81
2009-03-28, 17:09
Hi


Start hjt, do a system scan, check (if found):
R3 - URLSearchHook: (no name) - - (no file)

Close browsers and fix checked.


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\Documents and Settings\Administrator\My Documents\InstallAVg_770522166350.exe
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DER4TUV\inst[1].php
C:\WINDOWS\system32\sesombqe.dll
C:\WINDOWS\system32\xbjkib.dll



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
joshwg
2009-04-01, 00:20
no pics while browsing still. I had to remove the R3 item twice. removed as directed and when I produced a fresh HJT log it was there again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:58 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8a32e8dd-ee22-4e60-a38d-dbf6f51e3139} - C:\Program Files\Dallas Cowboys\Helper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dallas Cowboys - {27E7F580-724E-46EB-846F-96C2396D23ED} - C:\Program Files\Dallas Cowboys\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572YYUS
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: my current home page - about:home

--
End of file - 4766 bytes

ComboFix 09-03-31.01 - Administrator 2009-03-31 18:03:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.295 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\New Folder\cfscript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Administrator\My Documents\InstallAVg_770522166350.exe
c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DER4TUV\inst[1].php
c:\windows\system32\sesombqe.dll
c:\windows\system32\xbjkib.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\My Documents\InstallAVg_770522166350.exe
c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DER4TUV\inst[1].php
c:\windows\system32\sesombqe.dll
c:\windows\system32\xbjkib.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-27 20:18 . 2009-03-27 20:18 <DIR> d-------- c:\program files\Java
2009-03-27 20:18 . 2009-03-27 20:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-27 20:18 . 2009-03-27 20:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-27 20:15 . 2009-03-27 20:15 0 --a------ c:\windows\system32\REN84.tmp
2009-03-27 20:15 . 2009-03-27 20:15 0 --a------ c:\windows\system32\REN83.tmp
2009-03-25 17:59 . 2009-03-25 18:00 1,374 --a------ c:\windows\imsins.BAK
2009-03-03 21:02 . 2009-03-03 21:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-03 21:02 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 21:01 . 2009-03-03 21:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 21:01 . 2009-03-03 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 21:01 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 04:45 . 2009-02-21 04:45 2,713 ---hs---- c:\windows\system32\mefuwoma.dll
2009-02-20 16:44 . 2009-02-20 16:44 2,713 ---hs---- c:\windows\system32\sukeweri.dll
2009-02-20 04:44 . 2009-02-20 04:44 2,713 ---hs---- c:\windows\system32\kisojaze.dll
2009-02-19 16:44 . 2009-02-19 16:44 2,713 ---hs---- c:\windows\system32\kuwiguri.dll
2009-02-19 03:19 . 2009-02-19 03:19 2,713 ---hs---- c:\windows\system32\sitevahi.dll
2009-02-18 15:20 . 2009-02-18 15:20 2,713 ---hs---- c:\windows\system32\zajifali.dll
2009-02-17 22:09 . 2009-02-17 22:09 2,713 ---hs---- c:\windows\system32\wohajulo.dll
2009-02-17 10:09 . 2009-02-17 10:09 2,713 ---hs---- c:\windows\system32\julakaso.dll
2009-02-16 22:09 . 2009-02-16 22:09 2,713 ---hs---- c:\windows\system32\dujosiye.dll
2009-02-16 10:08 . 2009-02-16 10:08 2,713 ---hs---- c:\windows\system32\nosefabi.dll
2009-02-15 22:08 . 2009-02-15 22:08 2,713 ---hs---- c:\windows\system32\vodujiku.dll
2009-02-14 22:08 . 2009-02-14 22:08 2,713 ---hs---- c:\windows\system32\kunisulu.dll
2009-02-13 19:30 . 2009-02-13 19:30 2,713 ---hs---- c:\windows\system32\rekemopi.dll
2009-02-13 07:30 . 2009-02-13 07:30 2,713 ---hs---- c:\windows\system32\towozoha.dll
2009-02-12 19:40 . 2009-02-12 19:40 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-12 19:40 . 2009-02-12 19:40 1,409 --a------ c:\windows\QTFont.for
2009-02-12 19:09 . 2009-02-12 19:09 2,713 ---hs---- c:\windows\system32\weyonoru.dll
2009-02-11 18:39 . 2009-02-11 18:39 <DIR> d-------- c:\program files\ERUNT
2009-02-11 18:27 . 2009-02-11 18:27 <DIR> d-------- c:\program files\Trend Micro
2009-02-10 16:51 . 2009-02-10 16:51 2,713 ---hs---- c:\windows\system32\rahupeke.dll
2009-02-07 17:06 . 2009-02-07 17:06 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot
2009-02-07 15:14 . 2009-02-07 15:14 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Webroot
2009-02-07 13:30 . 2009-02-07 13:30 <DIR> d-------- c:\windows\RegCure
2009-02-07 13:30 . 2009-02-12 19:13 <DIR> d-------- c:\program files\RegCure
2009-02-07 10:38 . 2009-02-07 10:38 2,713 ---hs---- c:\windows\system32\guratayo.dll
2009-02-06 21:48 . 2009-02-06 21:48 2,713 ---hs---- c:\windows\system32\refurepo.dll
2009-02-05 16:53 . 2009-02-05 16:53 2,713 ---hs---- c:\windows\system32\towuvela.dll
2009-02-04 21:19 . 2009-02-04 21:19 2,713 ---hs---- c:\windows\system32\dugigidu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 21:58 --------- d-----w c:\program files\Common Files\Adobe
2009-02-28 01:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-28 01:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-10 22:56 --------- d-----w c:\program files\Google
2009-01-31 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-31 14:37 --------- d-----w c:\program files\Norton AntiVirus
2007-07-28 11:58 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-27_17.50.05.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-14 04:31:24 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-28 00:18:14 144,792 ----a-w c:\windows\system32\java.exe
- 2007-03-14 04:31:28 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-28 00:18:14 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-03-14 06:04:46 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-28 00:18:14 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
- 2008-07-29 22:28:21 74,649 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-03-28 00:18:13 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-03-31 22:06:11 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6d0.dat
+ 2006-12-02 02:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}"= "c:\program files\Dallas Cowboys\Helper.dll" [2008-10-14 225280]

[HKEY_CLASSES_ROOT\clsid\{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{A79DCA30-7864-4B9E-9C6B-EBD5DBD015F2}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-07 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-27 148888]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
backup=c:\windows\pss\MiniMavis.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-15 13:38 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a--c--- 2004-12-31 17:14 469824 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-07 18:41 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a--c--- 2003-11-06 09:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 16:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 17:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-03 16:03 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"AVG Anti-Spyware Guard"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-03-13 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_01\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://globaldiscoveryvacations.com/
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZNxmk572YYUS
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 18:06:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WRLogonNTF.dll
c:\windows\System32\NETUI1.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-31 18:09:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 22:09:43
ComboFix2.txt 2009-03-27 21:51:04
ComboFix3.txt 2009-03-24 21:31:40

Pre-Run: 66,900,099,072 bytes free
Post-Run: 66,972,819,456 bytes free

212 --- E O F --- 2009-03-25 22:01:43
Blade81
2009-04-01, 07:54
Hi again,

Are you using IE as your browser? If so, please check this (http://support.microsoft.com/kb/283807)


Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\system32\REN84.tmp
c:\windows\system32\REN83.tmp
c:\windows\system32\mefuwoma.dll
c:\windows\system32\sukeweri.dll
c:\windows\system32\kisojaze.dll
c:\windows\system32\kuwiguri.dll
c:\windows\system32\sitevahi.dll
c:\windows\system32\zajifali.dll
c:\windows\system32\wohajulo.dll
c:\windows\system32\julakaso.dll
c:\windows\system32\dujosiye.dll
c:\windows\system32\nosefabi.dll
c:\windows\system32\vodujiku.dll
c:\windows\system32\kunisulu.dll
c:\windows\system32\rekemopi.dll
c:\windows\system32\towozoha.dll
c:\windows\system32\weyonoru.dll
c:\windows\system32\rahupeke.dll
c:\windows\system32\guratayo.dll
c:\windows\system32\refurepo.dll
c:\windows\system32\towuvela.dll
c:\windows\system32\dugigidu.dll



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
joshwg
2009-04-02, 02:46
show pictures was off. thanks for that.

ComboFix 09-04-01.01 - Administrator 2009-04-01 20:39:00.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.288 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\New Folder\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\New Folder\cfscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\dugigidu.dll
c:\windows\system32\dujosiye.dll
c:\windows\system32\guratayo.dll
c:\windows\system32\julakaso.dll
c:\windows\system32\kisojaze.dll
c:\windows\system32\kunisulu.dll
c:\windows\system32\kuwiguri.dll
c:\windows\system32\mefuwoma.dll
c:\windows\system32\nosefabi.dll
c:\windows\system32\rahupeke.dll
c:\windows\system32\refurepo.dll
c:\windows\system32\rekemopi.dll
c:\windows\system32\REN83.tmp
c:\windows\system32\REN84.tmp
c:\windows\system32\sitevahi.dll
c:\windows\system32\sukeweri.dll
c:\windows\system32\towozoha.dll
c:\windows\system32\towuvela.dll
c:\windows\system32\vodujiku.dll
c:\windows\system32\weyonoru.dll
c:\windows\system32\wohajulo.dll
c:\windows\system32\zajifali.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dugigidu.dll
c:\windows\system32\dujosiye.dll
c:\windows\system32\guratayo.dll
c:\windows\system32\julakaso.dll
c:\windows\system32\kisojaze.dll
c:\windows\system32\kunisulu.dll
c:\windows\system32\kuwiguri.dll
c:\windows\system32\mefuwoma.dll
c:\windows\system32\nosefabi.dll
c:\windows\system32\rahupeke.dll
c:\windows\system32\refurepo.dll
c:\windows\system32\rekemopi.dll
c:\windows\system32\REN83.tmp
c:\windows\system32\REN84.tmp
c:\windows\system32\sitevahi.dll
c:\windows\system32\sukeweri.dll
c:\windows\system32\towozoha.dll
c:\windows\system32\towuvela.dll
c:\windows\system32\vodujiku.dll
c:\windows\system32\weyonoru.dll
c:\windows\system32\wohajulo.dll
c:\windows\system32\zajifali.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-03-31 21:49 . 2009-03-31 21:49 <DIR> d-------- c:\windows\system32\KB905474
2009-03-31 21:49 . 2009-03-10 22:26 1,403,264 --a------ c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-03-31 21:49 . 2009-03-10 22:18 453,512 --a------ c:\windows\system32\KB905474\wgasetup.exe
2009-03-31 21:49 . 2009-02-09 18:51 12,490 --a------ c:\windows\system32\KB905474\wga_eula.txt
2009-03-27 20:18 . 2009-03-27 20:18 <DIR> d-------- c:\program files\Java
2009-03-27 20:18 . 2009-03-27 20:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-27 20:18 . 2009-03-27 20:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-25 17:59 . 2009-03-25 18:00 1,374 --a------ c:\windows\imsins.BAK
2009-03-03 21:02 . 2009-03-03 21:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-03 21:02 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 21:01 . 2009-03-03 21:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 21:01 . 2009-03-03 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 21:01 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 21:58 --------- d-----w c:\program files\Common Files\Adobe
2009-02-28 01:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-28 01:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 23:13 --------- d-----w c:\program files\RegCure
2009-02-11 22:39 --------- d-----w c:\program files\ERUNT
2009-02-11 22:27 --------- d-----w c:\program files\Trend Micro
2009-02-10 22:56 --------- d-----w c:\program files\Google
2009-02-07 21:06 --------- d-----w c:\documents and settings\NetworkService\Application Data\Webroot
2009-02-07 19:14 --------- d-----w c:\documents and settings\LocalService\Application Data\Webroot
2007-07-28 11:58 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-27_17.50.05.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-14 04:31:24 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-28 00:18:14 144,792 ----a-w c:\windows\system32\java.exe
- 2007-03-14 04:31:28 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-28 00:18:14 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-03-14 06:04:46 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-28 00:18:14 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
- 2008-07-29 22:28:21 74,649 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-03-28 00:18:13 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-04-02 00:41:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_794.dat
+ 2006-12-02 02:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}"= "c:\program files\Dallas Cowboys\Helper.dll" [2008-10-14 225280]

[HKEY_CLASSES_ROOT\clsid\{8a32e8dd-ee22-4e60-a38d-dbf6f51e3139}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{A79DCA30-7864-4B9E-9C6B-EBD5DBD015F2}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{27E7F580-724E-46EB-846F-96C2396D23ED}"= "c:\program files\Dallas Cowboys\Toolbar.dll" [2008-10-14 1220608]

[HKEY_CLASSES_ROOT\clsid\{27e7f580-724e-46eb-846f-96c2396d23ed}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{8518B5E9-EDF5-4BDA-B5D3-4AA044EC072D}]
[HKEY_CLASSES_ROOT\FCTB000056891.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-07 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-27 148888]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniMavis.lnk]
backup=c:\windows\pss\MiniMavis.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-15 13:38 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 04:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a--c--- 2004-12-31 17:14 469824 c:\program files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-03-07 18:41 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
--a--c--- 2003-11-06 09:22 524800 c:\program files\Compaq\SetRefresh\SetRefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 16:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 17:34 36864 c:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-04-03 16:03 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"AVG Anti-Spyware Guard"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
Contents of the 'Scheduled Tasks' folder

2009-04-02 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-03-13 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe []

2009-04-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://globaldiscoveryvacations.com/
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZNxmk572YYUS
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 20:42:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-01 20:44:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-02 00:44:53
ComboFix2.txt 2009-03-31 22:09:46
ComboFix3.txt 2009-03-27 21:51:04
ComboFix4.txt 2009-03-24 21:31:40

Pre-Run: 66,924,503,040 bytes free
Post-Run: 66,914,172,928 bytes free

222 --- E O F --- 2009-04-01 01:49:13

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:30 PM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8a32e8dd-ee22-4e60-a38d-dbf6f51e3139} - C:\Program Files\Dallas Cowboys\Helper.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dallas Cowboys - {27E7F580-724E-46EB-846F-96C2396D23ED} - C:\Program Files\Dallas Cowboys\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572YYUS
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: my current home page - about:home

--
End of file - 4867 bytes
Blade81
2009-04-02, 11:09
Hi again,

Start hjt, do a system scan, check (if found):
R3 - URLSearchHook: (no name) - - (no file)

Close all browsers and fix checked.

Post a fresh hjt log and let me know how's the system running :)
joshwg
2009-04-03, 02:31
I removed it and it came back.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:27 PM, on 4/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globaldiscoveryvacations.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {8a32e8dd-ee22-4e60-a38d-dbf6f51e3139} - C:\Program Files\Dallas Cowboys\Helper.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dallas Cowboys - {27E7F580-724E-46EB-846F-96C2396D23ED} - C:\Program Files\Dallas Cowboys\Toolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Search - ?p=ZNxmk572YYUS
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: my current home page - about:home

--
End of file - 4827 bytes
Blade81
2009-04-03, 15:08
Hi

We can leave that there if it won't stay away (nothing malicious) :)

How's the system running?
joshwg
2009-04-03, 23:46
everything seems to be running just fine!

If there is nothing else you would have me do I can do the rest.

I have the prevention suggestions from the last computer I posted. Thank you for your help.
Blade81
2009-04-03, 23:52
You're welcome :)

Remember uninstall ComboFix.


Click START then RUN
Now type Combofix /u in the runbox and click OK
joshwg
2009-04-04, 01:04
I installed avg, updated it. Left the computer sit and resident shield came up saying it found a trojan.



"Trojan horse Generic12.BFIO";"C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP28\A0004112.dll";"Moved to Virus Vault";"4/3/2009, 6:49:07 PM";"File";"C:\WINDOWS\system32\svchost.exe"
Blade81
2009-04-04, 01:08
Hi

That's in system restore and flushing will remove it.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
joshwg
2009-04-04, 01:27
ok all set thank you again so very much!
Blade81
2009-04-04, 12:48
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.