
View Full Version : smitfraud and possibly others?



olsens11
2006-12-13, 21:07
Spybot keeps on reporting Smitfraud, and a few others, every time I run it. I was able to remove "command service" and "virtumonde" by using a tool and looking at some forums. I read that Smitfraud may be a false positive, but since I keep on getting reports of other things I want to make sure.

Oh, and IE keeps on opening by itself to different pages, generally to someplace selling bogus spyware removal software.

thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 2:02:01 PM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\{30CDE1E2-063C-1033-0722-050506220001}\Update.exe
C:\WINDOWS\system32\ISHOST.EXE
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvbep.dll,startup
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

steamwiz
2006-12-13, 22:47
HI

You definitely have a Smitfraud infection ;)

Download: SmitfraudFix.zip from :-

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download to your desktop
2. Unzip the zip file to your desktop (the files will be extracted to a folder called SmitfraudFix).
3. Double-click smitfraudfix.cmd
4. Select 1 and hit Enter to create a report of the infected files
5. Find the C:\rapport.txt file and post the contents in your next post here...

steam

olsens11
2006-12-14, 04:40
Here you go, thanks for being so quick about it!



SmitFraudFix v2.130

Scan done at 21:38:06.31, Wed 12/13/2006
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\David\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\David\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

steamwiz
2006-12-14, 23:49
HI

That's a clean log ... but it shouldn't be ...

It should at least show this :-

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismini.exe FOUND !

I want you to go ahead as if it had found them...


1. Reboot into >>>safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
2. Double-click smitfraudfix.cmd
3. Select 2 and hit Enter to delete infected files
4. You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection
5. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file
6. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt ... Post the contents of the C:\rapport.txt file in your next post here... + a new hijackthis log.

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

steam

olsens11
2006-12-15, 08:37
...well, I was out all day today, and by the time I got back there were about 10 IE windows open to different places, so yeah... (I don't even use IE) but yes, here are the 2 logs you asked for:

SmitFraudFix v2.130

Scan done at 1:25:13.87, Fri 12/15/2006
Run from C:\Documents and Settings\David\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\WINDOWS\system32\components\flx??.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"



»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 1:32:49 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Common Files\{30CDE1E2-063C-1033-0722-050506220001}\Update.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\David\APPLIC~1\SEMBLY~1\userinit.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\?dobe\w?nspool.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe

R3 - URLSearchHook: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\kfgeagvt.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\David\APPLIC~1\SEMBLY~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Rzmx] C:\WINDOWS\system32\?dobe\w?nspool.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

thanks again!
-dave
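
Editor's note: the bad entries in the two HijackThis logs above share a handful of patterns: Run keys that load a DLL through rundll32 with a random export name, a binary named like a system file (userinit.exe) running from a profile folder, a path with characters HijackThis prints as "?", services whose binary is gone, a hook with no name, and a toolbar living in a GUID-named folder. The script below is an added example, not part of the thread, of HijackThis, or of any tool steamwiz recommends: it encodes those rules and runs them over entries copied from the logs posted above. The rule set, the short allowlist of system binary names and the reason wording are my assumptions, and a hit means "look closer", not "infected". The `$sys$` rule is there because the log also carries the leftovers of the XCP copy-protection software ("XCP CD Proxy"), whose driver hid names starting with that prefix.

```python
import re

# Entries copied from the two HijackThis 1.99.1 logs posted in this thread,
# reduced to a constructed subset; the McAfee, ctfmon and ATI lines are kept
# as negatives that must not be flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvbep.dll,startup
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\kfgeagvt.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\David\APPLIC~1\SEMBLY~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Rzmx] C:\WINDOWS\system32\?dobe\w?nspool.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<tag>[RO]\d+) - (?P<body>.*)$")
# rundll32 [path\]name.dll,Export   (quotes around the DLL path are optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^\s",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
# absolute paths ending in an executable extension; spaces are allowed inside
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|sys|cmd|bat)\b', re.I)
# names that only belong in %SystemRoot%\system32 (assumed allowlist, extend as needed)
SYSTEM_BINARIES = {"userinit.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
                   "svchost.exe", "services.exe", "rundll32.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def triage(log_text):
    """Return (tag, reason) pairs for every HijackThis entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tag, body = m.group("tag"), m.group("body")

        def flag(reason, tag=tag):
            findings.append((tag, reason))

        if "(no name)" in body:
            flag("hook registered with no name, only a CLSID")
        if "(file missing)" in body:
            flag("service points at a binary that no longer exists")
        if "$sys$" in body:
            flag("$sys$ prefix: names the XCP DRM rootkit driver hid from listings")
        rd = RUNDLL_RE.search(body)
        if tag == "O4" and rd:
            flag("Run key loads a DLL through rundll32: %s,%s" % (rd.group("dll"), rd.group("export")))
        if tag == "O20" and body.partition(":")[2].strip():
            flag("AppInit_DLLs injects this DLL into every GUI process (review, not a verdict)")
        for path in PATH_RE.findall(body):
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            if "?" in path:
                flag("path contains a character HijackThis could not print: " + path)
            if name in SYSTEM_BINARIES and not low.startswith(SYSTEM32):
                flag("system binary name running from outside system32: " + path)
            if re.search(r"\\\{[0-9a-f]{5}", low):
                flag("component lives in a GUID-named folder: " + path)
    return findings


if __name__ == "__main__":
    for tag, reason in triage(SAMPLE_LOG):
        print(tag, "-", reason)
```

On the sample above this produces eleven findings and leaves the McAfee, ctfmon and ATI entries alone. The AppInit_DLLs hit is the Google Desktop accelerator DLL, which is legitimate here; SmitfraudFix makes the same point when it labels that key "not inevitably infected", so treat the O20 rule as a prompt to check the vendor, not as a detection.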

steamwiz
2006-12-16, 01:04
Hi

First go to Add/Remove Programs in the Control Panel and uninstall Toolbar: Bar888

Please run this now :-

Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

steam

olsens11
2006-12-16, 09:05
OK, so I was gone again all day today, but this time I was smart enough to disable my Internet connection so nothing could be downloaded without me knowing...

OK, so the logfiles are too big to post in one reply, so here goes:

David - 06-12-16 1:43:32.60 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wnstssu.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{30CDE1E2-063C-1033-0722-050506220001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\David\Application Data\SEMBLY~1
C:\QooBox\Purity\Documents and Settings\David\Application Data\SEMBLY~1\SEMBLY~1
C:\QooBox\Purity\Documents and Settings\David\Application Data\SEMBLY~1\userinit.exe
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
C:\QooBox\Purity\WINDOWS\system32\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\TSKS~1
C:\QooBox\Purity\WINDOWS\system32\DOBE~1\w?nspool.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-16 to 2006-12-16 ))))))))))))))))))))))))))))))))))


2006-12-16 01:34 44,052 --a------ C:\WINDOWS\system32\fiwvpwrx.dll
2006-12-15 01:17 118,804 --a------ C:\WINDOWS\system32\kfgeagvt.dll
2006-12-14 13:10 72,704 --a------ C:\WINDOWS\system32\drvgac.dll
2006-12-14 13:10 40,973 ---hs---- C:\WINDOWS\system32\ssqonmj.dll
2006-12-14 00:11 72,704 --a------ C:\WINDOWS\system32\drvbit.dll
2006-12-14 00:11 40,973 ---hs---- C:\WINDOWS\system32\rqrssts.dll
2006-12-13 14:18 58,880 --a------ C:\WINDOWS\system32\fwrpzij.dll
2006-12-13 14:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-12 22:58 72,704 --a------ C:\WINDOWS\system32\drvbep.dll
2006-12-12 22:58 40,973 ---hs---- C:\WINDOWS\system32\ddccaba.dll
2006-12-12 13:48 899,116 ---hs---- C:\WINDOWS\system32\ayadd.bak1
2006-12-12 11:50 <DIR> d-------- C:\Program Files\Safer Networking
2006-12-11 13:44 <DIR> d-------- C:\bintheredunthat
2006-12-11 13:32 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-11 13:31 <DIR> d-------- C:\Program Files\Grisoft
2006-12-11 12:27 40,973 ---hs---- C:\WINDOWS\system32\mljgefg.dll
2006-12-11 09:48 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-11 09:09 72,704 --a------ C:\WINDOWS\system32\drvjej.dll
2006-12-11 09:08 40,973 ---hs---- C:\WINDOWS\system32\ssqnmjh.dll
2006-12-11 08:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-11 07:15 824,952 ---hs---- C:\WINDOWS\system32\ayadd.ini2
2006-12-11 00:41 40,973 ---hs---- C:\WINDOWS\system32\tuvsqrq.dll
2006-12-10 17:41 90,164 ---hs---- C:\WINDOWS\system32\jkhhi.dll
2006-12-10 17:23 72,704 --a------ C:\WINDOWS\system32\drvxoh.dll
2006-12-10 17:23 40,973 ---hs---- C:\WINDOWS\system32\qomkkll.dll
2006-12-10 17:23 126,996 --a------ C:\WINDOWS\system32\nbphinwe.dll
2006-12-10 16:15 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2006-12-10 15:45 <DIR> d-------- C:\Program Files\CCleaner
2006-12-10 13:52 90,164 ---hs---- C:\WINDOWS\system32\vtstu.dll
2006-12-10 13:52 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2006-12-10 13:51 <DIR> d-------- C:\Documents and Settings\David\Application Data\Regrun
2006-12-10 13:49 <DIR> d-------- C:\Program Files\Greatis
2006-12-10 00:08 56,832 --------- C:\WINDOWS\system32\dgvn.dll
2006-12-09 23:56 72,704 --a------ C:\WINDOWS\system32\drvkov.dll
2006-12-09 23:56 40,973 ---hs---- C:\WINDOWS\system32\gebxxxy.dll
2006-12-09 20:53 90,164 ---hs---- C:\WINDOWS\system32\ssqro.dll
2006-12-09 19:47 94,208 --a------ C:\WINDOWS\system32\sruusxm.dll
2006-12-09 19:47 71,680 --a------ C:\WINDOWS\system32\ipnydgh.dll
2006-12-09 19:46 72,704 --a------ C:\WINDOWS\system32\drvdov.dll
2006-12-09 19:46 40,973 ---hs---- C:\WINDOWS\system32\awtrspp.dll
2006-12-09 18:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2006-12-09 17:30 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-09 17:04 88,340 --a------ C:\WINDOWS\system32\jsjsvipy.exe
2006-12-09 17:04 870,256 ---hs---- C:\WINDOWS\system32\ayadd.bak2
2006-12-09 17:04 42,516 --a------ C:\WINDOWS\system32\lvkxvbhm.dll
2006-12-09 17:04 126,996 --a------ C:\WINDOWS\system32\llyglqpr.dll
2006-12-07 02:43 90,164 ---hs---- C:\WINDOWS\system32\vtsqn.dll
2006-12-05 02:58 <DIR> d--hs---- C:\WINDOWS\RGF2aWQ
2006-12-04 00:11 71,168 --a------ C:\WINDOWS\system32\ushwxcb.dll
2006-12-04 00:10 94,208 --a------ C:\WINDOWS\system32\kpdwooh.dll
2006-12-04 00:10 40,973 ---hs---- C:\WINDOWS\system32\yayyxus.dll
2006-11-27 14:31 704,564 ---hs---- C:\WINDOWS\system32\ddaya.dll
2006-11-25 12:55 93,696 --a------ C:\WINDOWS\system32\vvdkkpe.dll
2006-11-25 12:55 71,680 --a------ C:\WINDOWS\system32\vorenbj.dll
2006-11-25 12:54 40,973 ---hs---- C:\WINDOWS\system32\gebywus.dll
2006-11-25 12:20 <DIR> d-------- C:\3cf8750814afb111a3f41c8f34
2006-11-23 21:01 <DIR> d-------- C:\Program Files\Unlocker
2006-11-22 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2006-11-22 20:54 <DIR> d-------- C:\Documents and Settings\David\Application Data\Creative
2006-11-22 20:51 41,984 --------- C:\WINDOWS\Ctregrun.exe
2006-11-22 20:50 86,016 -ra------ C:\WINDOWS\CtDrvIns.exe
2006-11-22 20:50 4,216 -ra------ C:\WINDOWS\system32\drivers\V0250STB.SYS
2006-11-22 20:50 36,864 -ra------ C:\WINDOWS\system32\V0250Pin.dll
2006-11-22 20:50 32,768 -ra------ C:\WINDOWS\system32\V0250Hwx.dll
2006-11-22 20:50 204,800 -ra------ C:\WINDOWS\system32\V0250Cvw.dll
2006-11-22 20:50 20,480 -ra------ C:\WINDOWS\V0250Cfg.exe
2006-11-22 20:50 20,480 -ra------ C:\WINDOWS\system32\V0250Srv.exe
2006-11-22 20:50 163,840 -ra------ C:\WINDOWS\system32\drivers\V0250Dev.sys
2006-11-22 20:50 122,880 -ra------ C:\WINDOWS\system32\V0250Vfw.dll
2006-11-22 20:49 24,576 -ra------ C:\WINDOWS\system32\V0250Aor.dll
2006-11-22 20:49 <DIR> d-------- C:\WINDOWS\CtDrvInstall
2006-11-22 20:47 <DIR> d-------- C:\Program Files\SightSpeed
2006-11-22 20:45 36,864 -ra------ C:\WINDOWS\system32\CtCamMgr.dll
2006-11-22 20:45 24,576 --------- C:\WINDOWS\system32\CTWEBFUN.DLL
2006-11-22 20:43 <DIR> d-------- C:\Program Files\Creative
2006-11-19 20:17 18,944 --a------ C:\WINDOWS\system32\winjrs32.dll
2006-11-19 20:11 <DIR> d-------- C:\Program Files\PQDVD
2006-11-19 12:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-19 12:26 <DIR> d-------- C:\faadf869e662b65fb01f78


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-16 01:47 -------- d-------- C:\Program Files\Common Files
2006-12-16 01:42 -------- d-------- C:\Program Files\Trillian
2006-12-13 21:56 -------- d-------- C:\Program Files\Internet Explorer
2006-12-13 21:53 -------- d-------- C:\Program Files\Outlook Express
2006-12-13 21:53 -------- d-------- C:\Program Files\Common Files\System
2006-12-12 23:50 -------- d-------- C:\Documents and Settings\David\Application Data\Adobe
2006-12-12 00:53 232 --a------ C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-12-10 16:38 -------- d-------- C:\Program Files\Advanced GDS Toolbox
2006-12-10 16:36 -------- d-------- C:\Program Files\Xilisoft
2006-12-10 16:35 -------- d-------- C:\Program Files\Jasc Software Inc
2006-12-10 16:30 -------- d-------- C:\Program Files\Google
2006-12-10 16:29 -------- d-------- C:\Program Files\MagicDVDRipper
2006-12-10 16:29 -------- d-------- C:\Program Files\Image-Line
2006-12-10 16:26 -------- d-------- C:\Program Files\SoundSpectrum
2006-12-10 16:26 -------- d-------- C:\Program Files\LitexMedia
2006-12-10 16:26 -------- d-------- C:\Program Files\GustoSoft
2006-12-10 16:26 -------- d-------- C:\Program Files\Arial Audio Converter
2006-12-10 16:23 -------- d-------- C:\Program Files\palmOne
2006-12-10 16:22 -------- d-------- C:\Program Files\MP3 WAV Converter
2006-12-10 16:21 -------- d-------- C:\Program Files\InterActual
2006-12-10 16:21 -------- d-------- C:\Program Files\GetASFStream
2006-12-10 16:18 -------- d-------- C:\Program Files\VstPlugins
2006-12-10 13:03 -------- d-------- C:\Program Files\Common Files\Services
2006-12-09 20:01 -------- d-------- C:\Program Files\Cloudbrain
2006-12-09 19:57 -------- d-------- C:\Program Files\Linx
2006-12-09 18:13 -------- d-------- C:\Program Files\Windows Media Player
2006-12-09 17:05 -------- d-------- C:\Documents and Settings\David\Application Data\Azureus
2006-12-09 16:50 -------- d-------- C:\Program Files\Common Files\Intuit
2006-11-27 13:28 3502 --a------ C:\Documents and Settings\David\Application Data\.googlewebacchosts
2006-11-22 22:51 -------- d-------- C:\Program Files\WinXMedia
2006-11-22 21:18 -------- d-------- C:\Program Files\QuickTime
2006-11-22 20:51 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-15 23:30 -------- d-------- C:\Documents and Settings\David\Application Data\Armagetron
2006-11-15 13:19 -------- d-------- C:\Program Files\Dl_cats
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 00:46 -------- d-------- C:\Program Files\XP Codec Pack
2006-11-04 00:46 -------- d-------- C:\Program Files\ffdshow
2006-10-24 13:55 -------- d-------- C:\Program Files\X3watch
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 22:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 22:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-10-18 22:47 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-10-18 22:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 22:47 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 22:47 8231936 --a------ C:\WINDOWS\system32\wmploc.dll
2006-10-18 22:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 22:47 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-10-18 22:47 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-10-18 22:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 22:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 22:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 22:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
2006-10-18 22:47 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 22:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 22:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 22:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 22:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 22:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 22:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 22:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-10-18 22:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-10-18 22:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 22:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 22:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 22:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 22:47 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 22:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 22:47 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 22:47 276992 --a------ C:\WINDOWS\system32\audiodev.dll
2006-10-18 22:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 22:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 22:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 22:47 242688 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-10-18 22:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 22:47 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-10-18 22:47 222208 --a------ C:\WINDOWS\system32\wmasf.dll
2006-10-18 22:47 212992 --------- C:\WINDOWS\system32\MFPLAT.dll
2006-10-18 22:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
2006-10-18 22:47 204288 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 22:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 22:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 22:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 22:47 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 22:47 1661440 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-10-18 22:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 22:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 22:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 22:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 22:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 22:47 133632 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 22:47 1329152 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 22:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 22:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-10-18 22:47 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-10-18 22:47 1117696 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-10-18 22:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 21:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 21:00 38528 --a------ C:\WINDOWS\system32\drivers\wpdusb.sys
2006-10-18 21:00 249856 --------- C:\WINDOWS\system32\drmupgds.exe
2006-10-18 21:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 13:33 818688 --a------ C:\WINDOWS\system32\wininet(2).dll
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-02 15:28 312128 --------- C:\WINDOWS\system32\msdelta.dll
2006-09-28 20:13 95344 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-09-28 18:56 55808 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-09-28 18:56 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-09-28 18:56 165376 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-09-28 18:56 146432 --------- C:\WINDOWS\system32\WudfHost.exe
2006-09-25 17:58 23856 --a------ C:\WINDOWS\system32\spupdsvc.exe

olsens11
2006-12-16, 09:06
ComboFix log (cont.)

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Creative WebCam Tray"="\"C:\\Program Files\\Creative\\Shared Files\\CamTray.exe\""
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Tair"="\"C:\\DOCUME~1\\David\\APPLIC~1\\SEMBLY~1\\userinit.exe\" -vt ndrv"
"Rzmx"="C:\\WINDOWS\\system32\\?dobe\\w?nspool.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"Logitech Utility"="Logi_MwX.Exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"x3watch"="C:\\Program Files\\X3watch\\x3watch.exe"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"dlccmon.exe"="\"C:\\Program Files\\Dell Photo AIO Printer 924\\dlccmon.exe\""
"sruusxm.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\sruusxm.dll,nsrxhv"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\kfgeagvt.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C671A733-A4AA-4B5F-8CEE-006242C457B5}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Tair"="\"C:\\DOCUME~1\\David\\APPLIC~1\\SEMBLY~1\\userinit.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"mmtask"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=dword:00000003
"McTskshd.exe"=dword:00000002
"McShield"=dword:00000002
"McDetect.exe"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnmjh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjrs32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmbj32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis entries set to ignore ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VS
O4 - HKLM\..\Run: [MCAgentExe] c:\PR
O4 - HKLM\..\Run: [MCUpdateExe] C:\PR
O4 - HKLM\..\Run: [VirusScan
O4 - HKLM\..\Run: [MPFExe] C:\PR
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PR
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AI
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PR

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (ALPHA1BETA2-David).job

Completion time: 06-12-16 1:50:24.65
C:\ComboFix.txt ... 06-12-16 01:50


Logfile of HijackThis v1.99.1
Scan saved at 1:56:19 AM, on 12/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\CDProxyServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\kfgeagvt.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\David\APPLIC~1\SEMBLY~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Rzmx] C:\WINDOWS\system32\?dobe\w?nspool.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

olsens11
2006-12-16, 09:08
...just in case I screwed up that combofix log, I uploaded it here (http://olsens11.googlepages.com/ComboFix.txt). Thanks again!!!
-dave

steamwiz
2006-12-16, 22:16
HI

You've lots of work ahead of you to get this clean...

The combofix log is fine... that's to say, it shows lots of malware... I'll need to see another combofix log later after we've run some other programs...

First please rename your hijackthis.exe file to something else... olsens11.exe if you like... then run it again and post a new log...

After you've posted the log ... I want to see how it stands now for reference later...

Please do this :-

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt and a new HiJackThis log (run after vundofix).

If vundofix cannot delete a file, it will try to delete it during a reboot; after the reboot vundofix will open again, and you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...

steam

olsens11
2006-12-17, 08:38
OK, here's my new "SteamWizIsTheMan.exe" logfile:

Logfile of HijackThis v1.99.1
Scan saved at 1:37:51 AM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\CDProxyServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Documents and Settings\David\Desktop\SteamwizIsTheMan.exe

R3 - URLSearchHook: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - C:\WINDOWS\system32\ipnydgh.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\fiwvpwrx.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {604A4AA2-3376-37BF-630B-08DE790722C8} - C:\WINDOWS\system32\ushwxcb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\ssqnmjh.dll
O2 - BHO: (no name) - {D2D92ABD-2BE2-4C5B-A07E-D03968975BEC} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\kfgeagvt.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\David\APPLIC~1\SEMBLY~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Rzmx] C:\WINDOWS\system32\?dobe\w?nspool.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: ssqnmjh - C:\WINDOWS\SYSTEM32\ssqnmjh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjrs32 - C:\WINDOWS\SYSTEM32\winjrs32.dll
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

olsens11
2006-12-17, 09:14
...and sure enough, after several reboots and at long last, "no infected files found" was displayed on my screen. (woot) Sweet deal, that sounds like a great place to start. Now then, what shall I do next?

-dave

steamwiz
2006-12-17, 20:45
HI Dave

Next...

From my last post...

7. Please post the contents of C:\vundofix.txt and a new HiJackThis log (run after vundofix).

cheers

steam

olsens11
2006-12-18, 07:20
oops! sorry about that. anyway, here are those logs:


VundoFix V4.2.16
Scan started at 1:59:41 PM 1/31/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.bak2
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\rrqss.tmp

C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.bak2
C:\WINDOWS\system32\rrqss.tmp
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\ssqrr.dll
Attempting to delete C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.bak2
C:\WINDOWS\system32\rrqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\rrqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.tmp
C:\WINDOWS\system32\rrqss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V4.2.16
Scan started at 12:26:47 PM 12/11/2006

Listing files found while scanning....


No infected files were found.


VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.3

Scan started at 1:40:31 AM 12/17/2006

Listing files found while scanning....

C:\WINDOWS\system32\kpdwooh.dll
C:\WINDOWS\system32\sruusxm.dll
C:\WINDOWS\system32\winjrs32.dll
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ayadd.bak2
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\ayadd.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\kpdwooh.dll
C:\WINDOWS\system32\kpdwooh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sruusxm.dll
C:\WINDOWS\system32\sruusxm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winjrs32.dll
C:\WINDOWS\system32\winjrs32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ddaya.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ayadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ayadd.bak2
C:\WINDOWS\system32\ayadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\ayadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ayadd.tmp
C:\WINDOWS\system32\ayadd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winjrs32.dll
C:\WINDOWS\system32\winjrs32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\ddaya.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.3

Scan started at 1:57:52 AM 12/17/2006

Listing files found while scanning....

C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\lmllm.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\mllml.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\lmllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\lmllm.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\mllml.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.3

Scan started at 2:07:07 AM 12/17/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.13

Checking Java version...

Java version is 1.4.2.3

Scan started at 12:15:50 AM 12/18/2006

Listing files found while scanning....



and now the newly renamed hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:36 AM, on 12/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\CDProxyServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\David\Desktop\VundoFix.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\David\Desktop\SteamwizIsTheMan.exe

R3 - URLSearchHook: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - C:\WINDOWS\system32\ipnydgh.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\fiwvpwrx.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {604A4AA2-3376-37BF-630B-08DE790722C8} - C:\WINDOWS\system32\ushwxcb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {D2D92ABD-2BE2-4C5B-A07E-D03968975BEC} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: (no name) - {D3A25FAD-BD97-446C-8795-DD20C6F1E2D5} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\kfgeagvt.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\David\APPLIC~1\SEMBLY~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Rzmx] C:\WINDOWS\system32\?dobe\w?nspool.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

thanks again!
-dave
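
As an added example (not HijackThis, VundoFix, or the helper's own code), the following Python encodes the structural signals a removal helper reads in a log like the one above: orphaned "(file missing)" entries, unnamed browser hooks loading a DLL straight from system32, rundll32 launching a system32 DLL at logon, `?` characters HijackThis prints for a look-alike path, and a Windows binary name such as userinit.exe starting from a user profile. The sample lines are constructed from the log above; the heuristics and the SYSTEM_BINARY_NAMES list are my assumptions, not a published rule set.

```python
"""Structural triage of HijackThis 1.99 log entries.

Added example, not code from HijackThis, VundoFix or the helper: it encodes the
signals a removal helper reads in R3/O2/O3/O4/O20/O23 lines and returns the
entries that deserve a fix, so the choice is explained by structure rather than
by recognising a particular file name.
"""
import re

# Entry formats printed by HijackThis 1.99 (O4 "Global Startup" lines are not parsed).
PATTERNS = {
    "R3": re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - \{[^}]+\} - (?P<target>.+)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[^}]+\} - (?P<target>.+)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{[^}]+\} - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$"),
}
SYSTEM32_DLL = re.compile(r'\\system32\\[^\\"]+\.dll', re.I)  # a DLL directly inside system32
RUNDLL32 = re.compile(r"^(?:[A-Za-z]:\\[^ ]*\\)?rundll32\.exe\b", re.I)
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?\.exe)"?', re.I)
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.I)
FILE_MISSING = " (file missing)"
# Names that belong to Windows itself (assumed list); one of them starting from a
# user profile, like the [Tair] userinit.exe under Application Data, is a masquerade.
SYSTEM_BINARY_NAMES = {"userinit.exe", "winlogon.exe", "svchost.exe", "lsass.exe",
                       "csrss.exe", "services.exe", "explorer.exe"}


def triage(line):
    """Return the structural reasons an entry deserves a fix; [] means none were found."""
    section = line.split(" - ", 1)[0]
    pattern = PATTERNS.get(section)
    match = pattern.match(line) if pattern else None
    if not match:
        return []                      # unknown section or unparsed layout: say nothing
    name, target = match.group("name"), match.group("target")
    orphaned = target.endswith(FILE_MISSING)
    path = target[:-len(FILE_MISSING)] if orphaned else target
    reasons = []
    if orphaned:
        reasons.append("orphaned: the registry entry points at a file that is gone")
    if name == "(no name)" and SYSTEM32_DLL.search(path):
        reasons.append("unnamed browser hook loading a DLL straight from system32")
    if section == "O4" and RUNDLL32.match(path) and SYSTEM32_DLL.search(path):
        reasons.append("rundll32 loads a system32 DLL at logon")
    if "?" in path:
        reasons.append("path has characters HJT could not print (look-alike folder or file name)")
    exe = EXE_PATH.search(path)
    if exe:
        full = exe.group(1)
        base = full.rsplit("\\", 1)[-1].lower()
        if base in SYSTEM_BINARY_NAMES and not WINDOWS_DIR.match(full):
            reasons.append(f"{base} is a Windows binary name but runs from outside the Windows folder")
    return reasons


def fix_list(lines):
    """Entries to tick in HijackThis, in log order, each paired with its reasons."""
    result = []
    for line in lines:
        reasons = triage(line)
        if reasons:
            result.append((line, reasons))
    return result


# Constructed sample: a subset of the 12/18/2006 HijackThis log posted above.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll",
    r"O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll",
    r"O2 - BHO: (no name) - {D3A25FAD-BD97-446C-8795-DD20C6F1E2D5} - C:\WINDOWS\system32\mllml.dll (file missing)",
    r"O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll (file missing)",
    r"O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe",
    r'O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\kfgeagvt.dll",setvm',
    r'O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\David\APPLIC~1\SEMBLY~1\userinit.exe" -vt ndrv',
    r"O4 - HKCU\..\Run: [Rzmx] C:\WINDOWS\system32\?dobe\w?nspool.exe",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)",
    r"O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe",
    r"O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)",
]

if __name__ == "__main__":
    for entry, why in fix_list(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

On the sample above the nine flagged entries are exactly the ones the helper asks to have fixed in the next post; the Adobe, McAfee, DriveLetterAccess and WgaLogon lines stay untouched because nothing about their structure is wrong.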

steamwiz
2006-12-18, 22:40
Hi

You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ...

Then you can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6' and press the 'Download' button.

-----

THEN...

Please go here and upload this file ...

C:\WINDOWS\winstart.bat

http://www.virustotal.com/flash/index_en.html

Click the browse button & browse to the file on your computer

Post back the results

-----

THEN...

Disconnect from the internet, close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-


R3 - URLSearchHook: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll

O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - C:\WINDOWS\system32\ipnydgh.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\fiwvpwrx.dll
O2 - BHO: (no name) - {604A4AA2-3376-37BF-630B-08DE790722C8} - C:\WINDOWS\system32\ushwxcb.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {D2D92ABD-2BE2-4C5B-A07E-D03968975BEC} - C:\WINDOWS\system32\ddaya.dll (file missing)
O2 - BHO: (no name) - {D3A25FAD-BD97-446C-8795-DD20C6F1E2D5} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: (no name) - {F5CD3F5A-A3CF-8063-98F8-85FA4BAA3AB5} - C:\WINDOWS\system32\fwrpzij.dll

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30CDE~1\Bar888.dll (file missing)

O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\kfgeagvt.dll",setvm
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\David\APPLIC~1\SEMBLY~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Rzmx] C:\WINDOWS\system32\?dobe\w?nspool.exe

O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)

O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)


-----

THEN...

REBOOT your computer...

-----

THEN...

1. Download and unzip Avenger (by Swandog46) to your desktop. > http://swandog46.geekstogo.com/avenger.zip
2. Double click the Avenger.exe file
3. Click OK
4. Select Input script manually
5. Click the Magnifying Glass icon
6. Highlight the text in the code box below, & copy and paste it into the View/edit script box



Files to delete:
C:\WINDOWS\system32\fwrpzij.dll
C:\WINDOWS\system32\vorenbj.dll
C:\WINDOWS\system32\vvdkkpe.dll
C:\WINDOWS\system32\ipnydgh.dll
C:\WINDOWS\system32\fiwvpwrx.dll
C:\WINDOWS\system32\ushwxcb.dll
C:\WINDOWS\system32\yayyxus.dll
C:\WINDOWS\system32\kfgeagvt.dll
C:\WINDOWS\system32\ssqonmj.dll
C:\WINDOWS\system32\drvgac.dll
C:\WINDOWS\system32\drvbit.dll
C:\WINDOWS\system32\rqrssts.dll
C:\WINDOWS\system32\drvbep.dll
C:\WINDOWS\system32\ddccaba.dll
C:\WINDOWS\system32\mljgefg.dll
C:\WINDOWS\system32\ssqnmjh.dll
C:\WINDOWS\system32\drvjej.dll
C:\WINDOWS\system32\tuvsqrq.dll
C:\WINDOWS\system32\drvxoh.dll
C:\WINDOWS\system32\qomkkll.dll
C:\WINDOWS\system32\drvkov.dll
C:\WINDOWS\system32\gebxxxy.dll
C:\WINDOWS\system32\drvdov.dll
C:\WINDOWS\system32\awtrspp.dll
C:\WINDOWS\system32\gebywus.dll
C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\vtsqn.dll
C:\WINDOWS\system32\nbphinwe.dll
C:\WINDOWS\system32\llyglqpr.dll
C:\WINDOWS\system32\dgvn.dll
C:\WINDOWS\system32\jsjsvipy.exe
C:\WINDOWS\system32\lvkxvbhm.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


7. Click Done
8. Click the Traffic Light icon to start the program.
9. Click Yes to execute the script and click Yes when asked to reboot your computer
10. Post the contents of the file C:\Avenger.txt

After the reboot... run hijackthis & post a new log .....

Also run combofix again and post the new log...

-----
Please remember to ....

1. post the results from the scan at virustotal
2. the contents of the file C:\Avenger.txt
3. run combofix again and post the new log
4. run hijackthis again and post the new log

steam
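
The fix list above was built by reading the HijackThis log entry by entry. As an added example (not part of this thread and not HijackThis code), the script below encodes the same judgement as triage heuristics: the check names, the function names and the sample lines (copied from logs in this thread) are mine.

```python
"""Triage heuristics for HijackThis v1.99.1 log lines.

Added example; it is not part of this thread nor of HijackThis. It encodes,
as code, the judgement the helper applied by hand above: which R3/O2/O3/O4/
O20/O23 lines deserve a closer look, and why. The heuristic names and the
sample lines (copied from the logs in this thread) are constructed here.
"""
import re

# Each check is a predicate over (section, body); body is everything after
# the "Onn - " prefix of a log line.

def no_name_component(section, body):
    # A BHO, toolbar or URLSearchHook registered without a product name and
    # living straight in system32 is how the Vundo-family DLLs here appear.
    return section in {"R3", "O2", "O3"} and "(no name)" in body

def file_missing(section, body):
    # A component or service whose file has gone leaves a dangling loading
    # point: harmless on its own, but it should be cleaned up.
    return "(file missing)" in body

def unknown_owner_service(section, body):
    # Legitimate services normally carry a vendor string in the owner field.
    return section == "O23" and "Unknown owner" in body

RUNDLL_EXPORT_RE = re.compile(r'\.dll"?,\s*\w+', re.IGNORECASE)

def rundll32_dll_export(section, body):
    # Run keys that start rundll32 on a system32 DLL with an export name
    # ("...\sruusxm.dll,nsrxhv") are a typical autostart for dropped DLLs.
    return (section == "O4" and "rundll32" in body.lower()
            and "system32" in body.lower()
            and RUNDLL_EXPORT_RE.search(body) is not None)

def lookalike_path(section, body):
    # HijackThis prints non-ASCII characters as "?": a command such as
    # system32\?dobe\w?nspool.exe is a Unicode look-alike of Adobe/winspool.
    command = body.split("] ", 1)[-1]
    return section == "O4" and "?" in command

CHECKS = [
    ("no-name component", no_name_component),
    ("file missing", file_missing),
    ("unknown service owner", unknown_owner_service),
    ("rundll32 loading system32 DLL", rundll32_dll_export),
    ("look-alike path", lookalike_path),
]

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

def triage(lines):
    """Return [(line, [reasons])] for every log line at least one check flags."""
    flagged = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = [name for name, check in CHECKS if check(section, body)]
        if reasons:
            flagged.append((line, reasons))
    return flagged

# Constructed sample: a handful of lines from the logs posted in this thread,
# mixing entries the helper told the user to fix with entries that are fine.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\system32\vorenbj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [sruusxm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sruusxm.dll,nsrxhv
O4 - HKCU\..\Run: [Rzmx] C:\WINDOWS\system32\?dobe\w?nspool.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
""".strip().splitlines()

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{', '.join(reasons):40s} {line}")
```

The heuristics only rank lines for a human to look at; the Java, McAfee and Intel entries in the sample are passed over while the four entries the helper actually fixed are flagged with the reason each time.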

olsens11
2006-12-19, 03:33
OK, here is the "virus total" report you requested:

I also uploaded a neater looking html version at: http://olsens11.googlepages.com/Antivirus.htm

Antivirus Version Update Result
AntiVir 7.3.0.19 12.18.2006 no virus found
Authentium 4.93.8 12.15.2006 no virus found
Avast 4.7.892.0 12.16.2006 no virus found
AVG 386 12.18.2006 no virus found
BitDefender 7.2 12.19.2006 no virus found
CAT-QuickHeal 8.00 12.18.2006 no virus found
ClamAV devel-20060426 12.19.2006 no virus found
DrWeb 4.33 12.18.2006 no virus found
eSafe 7.0.14.0 12.17.2006 no virus found
eTrust-InoculateIT 23.73.88 12.18.2006 no virus found
eTrust-Vet 30.3.3259 12.18.2006 no virus found
Ewido 4.0 12.18.2006 no virus found
Fortinet 2.82.0.0 12.18.2006 no virus found
F-Prot 3.16f 12.15.2006 no virus found
F-Prot4 4.2.1.29 12.18.2006 no virus found
Ikarus T3.1.0.27 12.18.2006 no virus found
Kaspersky 4.0.2.24 12.19.2006 no virus found
McAfee 4921 12.18.2006 no virus found
Microsoft 1.1804 12.19.2006 no virus found
NOD32v2 1926 12.18.2006 no virus found
Norman 5.80.02 12.18.2006 no virus found
Panda 9.0.0.4 12.19.2006 no virus found
Prevx1 V2 12.19.2006 no virus found
Sophos 4.12.0 12.18.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.134 12.18.2006 no virus found
UNA 1.83 12.18.2006 no virus found
VBA32 3.11.1 12.18.2006 no virus found
VirusBuster 4.3.19:9 12.18.2006 no virus found

Aditional Information
File size: 2 bytes
MD5: 81051bcc2cf1bedf378224b0a93e2877
SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
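
The report above gives only the size and hashes of the uploaded winstart.bat, not what is in it. As an added example (not from this thread or from VirusTotal), the search below recovers the exact content of any file of 2 bytes or less from its MD5, which is enough to tell whether a batch file that small actually carries a command; the function names are mine, and the only hash values used are the ones printed in the report.

```python
"""Recover the content of a tiny file from the hashes in a scanner report.

Added example, not part of this thread and not VirusTotal code. A file of one
or two bytes has at most 65536 possible contents, so the MD5 (and, if given,
the SHA1) in the report pins the content down exactly by exhaustive search.
"""
import hashlib
import itertools
from typing import Optional

def identify_tiny_file(size: int, md5_hex: str,
                       sha1_hex: Optional[str] = None) -> Optional[bytes]:
    """Return the unique byte string of length `size` with this MD5 (and SHA1),
    or None if no candidate matches. Practical only for size <= 2."""
    if size > 2:
        raise ValueError("exhaustive search is only practical for 0..2 bytes")
    md5_hex = md5_hex.lower()
    for combo in itertools.product(range(256), repeat=size):
        content = bytes(combo)
        if hashlib.md5(content).hexdigest() != md5_hex:
            continue
        # Check the second hash too: a forged match on one hash is far less
        # likely to hold on both.
        if sha1_hex and hashlib.sha1(content).hexdigest() != sha1_hex.lower():
            continue
        return content
    return None

def is_inert_batch(content: bytes) -> bool:
    """True if a .bat with this content runs nothing (whitespace only)."""
    return content.strip(b" \t\r\n\x1a") == b""

# Values as printed in the VirusTotal report above (file size and hashes).
REPORTED_SIZE = 2
REPORTED_MD5 = "81051bcc2cf1bedf378224b0a93e2877"
REPORTED_SHA1 = "ba8ab5a0280b953aa97435ff8946cbcbb2755a27"

if __name__ == "__main__":
    content = identify_tiny_file(REPORTED_SIZE, REPORTED_MD5, REPORTED_SHA1)
    print("content:", content, "inert batch file:", content is not None
          and is_inert_batch(content))
```

For the reported size and MD5 this resolves to b"\r\n", a batch file holding nothing but a line break, which is why every engine reports it clean.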

olsens11
2006-12-19, 04:20
here is the "avenger" log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\slpjgihx

*******************

Script file located at: \??\C:\Documents and Settings\weyxjeuh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\fwrpzij.dll not found!
Deletion of file C:\WINDOWS\system32\fwrpzij.dll failed!

Could not process line:
C:\WINDOWS\system32\fwrpzij.dll
Status: 0xc0000034



File C:\WINDOWS\system32\vorenbj.dll not found!
Deletion of file C:\WINDOWS\system32\vorenbj.dll failed!

Could not process line:
C:\WINDOWS\system32\vorenbj.dll
Status: 0xc0000034

File C:\WINDOWS\system32\vvdkkpe.dll deleted successfully.


File C:\WINDOWS\system32\ipnydgh.dll not found!
Deletion of file C:\WINDOWS\system32\ipnydgh.dll failed!

Could not process line:
C:\WINDOWS\system32\ipnydgh.dll
Status: 0xc0000034



File C:\WINDOWS\system32\fiwvpwrx.dll not found!
Deletion of file C:\WINDOWS\system32\fiwvpwrx.dll failed!

Could not process line:
C:\WINDOWS\system32\fiwvpwrx.dll
Status: 0xc0000034



File C:\WINDOWS\system32\ushwxcb.dll not found!
Deletion of file C:\WINDOWS\system32\ushwxcb.dll failed!

Could not process line:
C:\WINDOWS\system32\ushwxcb.dll
Status: 0xc0000034

File C:\WINDOWS\system32\yayyxus.dll deleted successfully.
File C:\WINDOWS\system32\kfgeagvt.dll deleted successfully.
File C:\WINDOWS\system32\ssqonmj.dll deleted successfully.
File C:\WINDOWS\system32\drvgac.dll deleted successfully.
File C:\WINDOWS\system32\drvbit.dll deleted successfully.
File C:\WINDOWS\system32\rqrssts.dll deleted successfully.
File C:\WINDOWS\system32\drvbep.dll deleted successfully.
File C:\WINDOWS\system32\ddccaba.dll deleted successfully.
File C:\WINDOWS\system32\mljgefg.dll deleted successfully.
File C:\WINDOWS\system32\ssqnmjh.dll deleted successfully.
File C:\WINDOWS\system32\drvjej.dll deleted successfully.
File C:\WINDOWS\system32\tuvsqrq.dll deleted successfully.
File C:\WINDOWS\system32\drvxoh.dll deleted successfully.
File C:\WINDOWS\system32\qomkkll.dll deleted successfully.
File C:\WINDOWS\system32\drvkov.dll deleted successfully.
File C:\WINDOWS\system32\gebxxxy.dll deleted successfully.
File C:\WINDOWS\system32\drvdov.dll deleted successfully.
File C:\WINDOWS\system32\awtrspp.dll deleted successfully.
File C:\WINDOWS\system32\gebywus.dll deleted successfully.
File C:\WINDOWS\system32\jkhhi.dll deleted successfully.
File C:\WINDOWS\system32\vtstu.dll deleted successfully.
File C:\WINDOWS\system32\ssqro.dll deleted successfully.
File C:\WINDOWS\system32\vtsqn.dll deleted successfully.
File C:\WINDOWS\system32\nbphinwe.dll deleted successfully.
File C:\WINDOWS\system32\llyglqpr.dll deleted successfully.
File C:\WINDOWS\system32\dgvn.dll deleted successfully.
File C:\WINDOWS\system32\jsjsvipy.exe deleted successfully.
File C:\WINDOWS\system32\lvkxvbhm.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
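
The Avenger log above mixes "deleted successfully", "not found!" and raw NTSTATUS codes. As an added example (not part of the thread and not Avenger code), the parser below turns such a log into a per-path verdict so it is obvious which scripted deletions removed something and which targets were already gone; the function names are mine and the sample is an excerpt of the log posted above.

```python
"""Summarise an Avenger run log into per-file verdicts.

Added example, not part of this thread nor of Avenger. The log format parsed
here is the one shown above: "File X deleted successfully.", "Deletion of
file X failed!" followed a few lines later by "Status: 0x........".
"""
import re
from collections import Counter

# NTSTATUS names for the codes Avenger is likely to report on a failed delete.
# Only the code seen in this thread plus two common neighbours are listed.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",   # file already gone
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",   # parent folder gone
    0xC0000022: "STATUS_ACCESS_DENIED",           # still locked/protected
}

DELETED_RE = re.compile(r"^File (?P<path>.+?) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (?P<path>.+?) failed!$")
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9a-fA-F]{8})$")

def parse_avenger_log(text):
    """Return {path: ("deleted", None) | ("failed", status_name)}."""
    results = {}
    pending = None  # path of the last failed deletion awaiting its Status line
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            results[m.group("path")] = ("deleted", None)
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = m.group("path")
            results[pending] = ("failed", "unknown")
            continue
        m = STATUS_RE.match(line)
        if m and pending:
            code = int(m.group("code"), 16)
            results[pending] = ("failed", NTSTATUS.get(code, m.group("code")))
            pending = None
    return results

def summarize(results):
    """Count outcomes, e.g. Counter({"deleted": 27, "failed": 5})."""
    return Counter(outcome for outcome, _ in results.values())

# Constructed sample: an excerpt of the Avenger log posted in this thread.
SAMPLE_LOG = r"""
Beginning to process script file:

File C:\WINDOWS\system32\fwrpzij.dll not found!
Deletion of file C:\WINDOWS\system32\fwrpzij.dll failed!

Could not process line:
C:\WINDOWS\system32\fwrpzij.dll
Status: 0xc0000034

File C:\WINDOWS\system32\vorenbj.dll not found!
Deletion of file C:\WINDOWS\system32\vorenbj.dll failed!

Could not process line:
C:\WINDOWS\system32\vorenbj.dll
Status: 0xc0000034

File C:\WINDOWS\system32\vvdkkpe.dll deleted successfully.
File C:\WINDOWS\system32\yayyxus.dll deleted successfully.

Completed script processing.
"""

if __name__ == "__main__":
    verdicts = parse_avenger_log(SAMPLE_LOG)
    for path, (outcome, detail) in verdicts.items():
        print(f"{outcome:8s} {path} {detail or ''}")
    print(summarize(verdicts))
```

In the full log above every failure carries 0xc0000034, STATUS_OBJECT_NAME_NOT_FOUND: those DLLs had already been removed by the earlier VundoFix and ComboFix runs, so the failures are not a sign that something resisted deletion.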

olsens11
2006-12-19, 04:23
and here's the combo fix log:

David - 06-12-18 21:20:40.60 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\David\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\David\Application Data\SEMBLY~1
C:\QooBox\Purity\Documents and Settings\David\Application Data\SEMBLY~1\SEMBLY~1
C:\QooBox\Purity\Documents and Settings\David\Application Data\SEMBLY~1\userinit.exe
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
C:\QooBox\Purity\WINDOWS\system32\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\TSKS~1
C:\QooBox\Purity\WINDOWS\system32\DOBE~1\w?nspool.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-18 to 2006-12-18 ))))))))))))))))))))))))))))))))))


2006-12-18 21:17 <DIR> d-------- C:\avenger
2006-12-17 01:40 <DIR> d-------- C:\VundoFix Backups
2006-12-13 14:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-12 11:50 <DIR> d-------- C:\Program Files\Safer Networking
2006-12-11 13:44 <DIR> d-------- C:\bintheredunthat
2006-12-11 13:32 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-11 13:31 <DIR> d-------- C:\Program Files\Grisoft
2006-12-11 09:48 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-11 08:37 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-10 16:15 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2006-12-10 15:45 <DIR> d-------- C:\Program Files\CCleaner
2006-12-10 13:52 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2006-12-10 13:51 <DIR> d-------- C:\Documents and Settings\David\Application Data\Regrun
2006-12-10 13:49 <DIR> d-------- C:\Program Files\Greatis
2006-12-09 18:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2006-12-09 17:30 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-05 02:58 <DIR> d--hs---- C:\WINDOWS\RGF2aWQ
2006-11-25 12:20 <DIR> d-------- C:\3cf8750814afb111a3f41c8f34
2006-11-23 21:01 <DIR> d-------- C:\Program Files\Unlocker
2006-11-22 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2006-11-22 20:54 <DIR> d-------- C:\Documents and Settings\David\Application Data\Creative
2006-11-22 20:51 41,984 --------- C:\WINDOWS\Ctregrun.exe
2006-11-22 20:50 86,016 -ra------ C:\WINDOWS\CtDrvIns.exe
2006-11-22 20:50 4,216 -ra------ C:\WINDOWS\system32\drivers\V0250STB.SYS
2006-11-22 20:50 36,864 -ra------ C:\WINDOWS\system32\V0250Pin.dll
2006-11-22 20:50 32,768 -ra------ C:\WINDOWS\system32\V0250Hwx.dll
2006-11-22 20:50 204,800 -ra------ C:\WINDOWS\system32\V0250Cvw.dll
2006-11-22 20:50 20,480 -ra------ C:\WINDOWS\V0250Cfg.exe
2006-11-22 20:50 20,480 -ra------ C:\WINDOWS\system32\V0250Srv.exe
2006-11-22 20:50 163,840 -ra------ C:\WINDOWS\system32\drivers\V0250Dev.sys
2006-11-22 20:50 122,880 -ra------ C:\WINDOWS\system32\V0250Vfw.dll
2006-11-22 20:49 24,576 -ra------ C:\WINDOWS\system32\V0250Aor.dll
2006-11-22 20:49 <DIR> d-------- C:\WINDOWS\CtDrvInstall
2006-11-22 20:47 <DIR> d-------- C:\Program Files\SightSpeed
2006-11-22 20:45 36,864 -ra------ C:\WINDOWS\system32\CtCamMgr.dll
2006-11-22 20:45 24,576 --------- C:\WINDOWS\system32\CTWEBFUN.DLL
2006-11-22 20:43 <DIR> d-------- C:\Program Files\Creative
2006-11-19 20:11 <DIR> d-------- C:\Program Files\PQDVD
2006-11-19 12:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-19 12:26 <DIR> d-------- C:\faadf869e662b65fb01f78


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-18 20:35 350 --a------ C:\Documents and Settings\David\Application Data\wklnhst.dat
2006-12-18 20:19 -------- d-------- C:\Program Files\Java
2006-12-17 01:37 -------- d-------- C:\Program Files\Trillian
2006-12-16 01:47 -------- d-------- C:\Program Files\Common Files
2006-12-13 21:56 -------- d-------- C:\Program Files\Internet Explorer
2006-12-13 21:53 -------- d-------- C:\Program Files\Outlook Express
2006-12-13 21:53 -------- d-------- C:\Program Files\Common Files\System
2006-12-12 23:50 -------- d-------- C:\Documents and Settings\David\Application Data\Adobe
2006-12-10 16:38 -------- d-------- C:\Program Files\Advanced GDS Toolbox
2006-12-10 16:36 -------- d-------- C:\Program Files\Xilisoft
2006-12-10 16:35 -------- d-------- C:\Program Files\Jasc Software Inc
2006-12-10 16:30 -------- d-------- C:\Program Files\Google
2006-12-10 16:29 -------- d-------- C:\Program Files\MagicDVDRipper
2006-12-10 16:29 -------- d-------- C:\Program Files\Image-Line
2006-12-10 16:26 -------- d-------- C:\Program Files\SoundSpectrum
2006-12-10 16:26 -------- d-------- C:\Program Files\LitexMedia
2006-12-10 16:26 -------- d-------- C:\Program Files\GustoSoft
2006-12-10 16:26 -------- d-------- C:\Program Files\Arial Audio Converter
2006-12-10 16:23 -------- d-------- C:\Program Files\palmOne
2006-12-10 16:22 -------- d-------- C:\Program Files\MP3 WAV Converter
2006-12-10 16:21 -------- d-------- C:\Program Files\InterActual
2006-12-10 16:21 -------- d-------- C:\Program Files\GetASFStream
2006-12-10 16:18 -------- d-------- C:\Program Files\VstPlugins
2006-12-10 13:03 -------- d-------- C:\Program Files\Common Files\Services
2006-12-09 20:01 -------- d-------- C:\Program Files\Cloudbrain
2006-12-09 19:57 -------- d-------- C:\Program Files\Linx
2006-12-09 18:13 -------- d-------- C:\Program Files\Windows Media Player
2006-12-09 17:05 -------- d-------- C:\Documents and Settings\David\Application Data\Azureus
2006-12-09 16:50 -------- d-------- C:\Program Files\Common Files\Intuit
2006-11-27 13:28 3502 --a------ C:\Documents and Settings\David\Application Data\.googlewebacchosts
2006-11-22 22:51 -------- d-------- C:\Program Files\WinXMedia
2006-11-22 21:18 -------- d-------- C:\Program Files\QuickTime
2006-11-22 20:51 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-15 23:30 -------- d-------- C:\Documents and Settings\David\Application Data\Armagetron
2006-11-15 13:19 -------- d-------- C:\Program Files\Dl_cats
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 00:46 -------- d-------- C:\Program Files\XP Codec Pack
2006-11-04 00:46 -------- d-------- C:\Program Files\ffdshow
2006-10-24 13:55 -------- d-------- C:\Program Files\X3watch
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 22:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 22:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-10-18 22:47 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-10-18 22:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 22:47 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 22:47 8231936 --a------ C:\WINDOWS\system32\wmploc.dll
2006-10-18 22:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 22:47 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-10-18 22:47 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-10-18 22:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 22:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 22:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 22:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
2006-10-18 22:47 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 22:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 22:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 22:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 22:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 22:47 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 22:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 22:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 22:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-10-18 22:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-10-18 22:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 22:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 22:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 22:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 22:47 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 22:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 22:47 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 22:47 276992 --a------ C:\WINDOWS\system32\audiodev.dll
2006-10-18 22:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 22:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 22:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 22:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 22:47 242688 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-10-18 22:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 22:47 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-10-18 22:47 222208 --a------ C:\WINDOWS\system32\wmasf.dll
2006-10-18 22:47 212992 --------- C:\WINDOWS\system32\MFPLAT.dll
2006-10-18 22:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
2006-10-18 22:47 204288 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 22:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 22:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 22:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 22:47 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 22:47 1661440 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-10-18 22:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 22:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 22:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 22:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 22:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 22:47 133632 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 22:47 1329152 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 22:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 22:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-10-18 22:47 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-10-18 22:47 1117696 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-10-18 22:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 21:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 21:00 38528 --a------ C:\WINDOWS\system32\drivers\wpdusb.sys
2006-10-18 21:00 249856 --------- C:\WINDOWS\system32\drmupgds.exe
2006-10-18 21:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 13:33 818688 --a------ C:\WINDOWS\system32\wininet(2).dll
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-02 15:28 312128 --------- C:\WINDOWS\system32\msdelta.dll
2006-09-28 20:13 95344 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-09-28 18:56 55808 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-09-28 18:56 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-09-28 18:56 165376 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-09-28 18:56 146432 --------- C:\WINDOWS\system32\WudfHost.exe
2006-09-25 17:58 23856 --a------ C:\WINDOWS\system32\spupdsvc.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Creative WebCam Tray"="\"C:\\Program Files\\Creative\\Shared Files\\CamTray.exe\""
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"googletalk"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"Logitech Utility"="Logi_MwX.Exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"x3watch"="C:\\Program Files\\X3watch\\x3watch.exe"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"dlccmon.exe"="\"C:\\Program Files\\Dell Photo AIO Printer 924\\dlccmon.exe\""
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Tair"="\"C:\\DOCUME~1\\David\\APPLIC~1\\SEMBLY~1\\userinit.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"mmtask"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=dword:00000003
"McTskshd.exe"=dword:00000002
"McShield"=dword:00000002
"McDetect.exe"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (ALPHA1BETA2-David).job

Completion time: 06-12-18 21:22:34.67
C:\ComboFix.txt ... 06-12-18 21:22
C:\ComboFix2.txt ... 06-12-16 01:50

olsens11
2006-12-19, 04:25
and finally, here is the new "hijack this" log:

Logfile of HijackThis v1.99.1
Scan saved at 9:24:21 PM, on 12/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\CDProxyServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\Desktop\SteamwizIsTheMan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

thanks a bunch!
-dave

steamwiz
2006-12-19, 21:29
HI

Looking good...

Just these 2 entries remain in your hijackthis log :-

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)

O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)

If you missed them when fixing the entries with hijackthis, then please try to fix them with hijackthis.

If you tried but failed to fix them with hijackthis, then please do this ...

go to Start > Run and type Services.msc > click OK

Scroll down and find the service called Plug and Play Device Manager

double-click on it

click the Stop button

change the Startup Type to Disabled

click Apply and then OK and close any open windows

run hijackthis...

click "Open Misc Tools Section"

click "delete an NT service"

enter $sys$DRMServer

click OK

close hijackthis

--
Now we repeat the above process for the second service...

go to Start > Run and type Services.msc > click OK

Scroll down and find the service called NTBOOTMGR

double-click on it

click the Stop button

change the Startup Type to Disabled

click Apply and then OK and close any open windows

run hijackthis...

click "Open Misc Tools Section"

click "delete an NT service"

enter NTBOOT

click OK

close hijackthis

reboot

post a new hijackthis log

-----

Just these I would like to check on from combofix...

2006-12-10 13:52 (2) -rahs-ot- C:\WINDOWS\winstart.bat

2006-12-05 02:58 <DIR> d--hs---- C:\WINDOWS\RGF2aWQ

2006-11-19 20:11 <DIR> d-------- C:\Program Files\PQDVD

Can you please find the ...

C:\WINDOWS\winstart.bat file

zip it & send it to me here :-

cactus445 AT hotmail.com ... replace AT with @

Then take a look in these 2 folders :-

C:\WINDOWS\RGF2aWQ
C:\Program Files\PQDVD

If you recognise what is in them as OK, then we need look no closer; if you don't recognise them, then can you tell me what's in them?

steam
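The services.msc / HijackThis steps above, done from the command line, as an added example that is not part of this thread. It enumerates services whose binary no longer exists on disk (what HijackThis reports as "(file missing)"), then stops, disables and deletes the ones you name, in the same order as the manual steps. Function names are mine; it assumes an elevated Windows PowerShell prompt, and -WhatIf keeps it read-only until you drop the switch.

```powershell
# Added example, not from the thread: list services whose executable is missing,
# then stop / disable / delete named ones. Run from an elevated PowerShell prompt.

function Get-OrphanedService {
    # Returns services whose PathName points at a file that no longer exists
    # (the same condition HijackThis flags as "(file missing)" in O23 lines).
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }
        # PathName may be quoted and may carry arguments; isolate the executable.
        if ($raw.StartsWith('"')) {
            $exe = $raw.Split('"')[1]
        } else {
            $m = [regex]::Match($raw, '^(?i)(.+?\.exe)')
            $exe = if ($m.Success) { $m.Groups[1].Value } else { ($raw -split '\s+')[0] }
        }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{
                Name = $_.Name; DisplayName = $_.DisplayName
                Path = $exe;    State = $_.State; StartMode = $_.StartMode
            }
        }
    }
}

function Remove-OrphanedService {
    param([Parameter(Mandatory)][string[]]$Name, [switch]$WhatIf)
    foreach ($svc in $Name) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { Write-Warning "Service '$svc' not found"; continue }
        if ($WhatIf) { "Would stop, disable and delete service '$svc'"; continue }
        # Same order as the manual steps: Stop, Startup Type = Disabled, delete.
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
        sc.exe delete $svc | Out-Null    # works on Windows PowerShell 5.1 as well
    }
}

# Review the candidates first, then act on the two names from the log above.
Get-OrphanedService | Format-Table -AutoSize
Remove-OrphanedService -Name '$sys$DRMServer', 'NTBOOT' -WhatIf
```

Only delete a service you have confirmed is orphaned or known-bad; a legitimate service with a temporarily unavailable binary (for example on a removable drive) will also show up in the first listing.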

olsens11
2006-12-20, 04:24
the first of those two folders you specified i did not recognize, but it was empty. (i have it set to view hidden and system files)

the second of the two folders was left over from a video converter i used a couple of weeks ago, but uninstalled. i guess the uninstaller did not remove the folder, so i deleted it.

i just emailed you the file winstart.bat; however, i had to change the extension (as i said in the email), so just change it back to ".bat". i don't know why gmail wouldn't let me send it as is, but w/e.


here is the new hijack this log:



Logfile of HijackThis v1.99.1
Scan saved at 21:18, on 06-12-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\CDProxyServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOSHOME22\Binn\sqlservr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\David\Desktop\SteamwizIsTheMan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe



thanks again,
-dave

olsens11
2006-12-20, 04:26
...oh, and did you want me to do something with combofix? i didn't quite understand specifically what it was, if you did. thanx.

steamwiz
2006-12-20, 19:51
Hi

No nothing I need you to do with combofix ...

Your hijackthis log is clean now you've deleted the services...

& as you've deleted the folders I asked you to look at ... there's no problem there either...

Which just leaves the winstart.bat

I unzipped the file you sent me ... and the folder was empty...

So I looked inside the zip file and saw that it contained a winstart.jpg file...

So I checked the empty folder & found that the file was there, but hidden...

I had to uncheck "Hide protected operating system files" in order to see it...

I changed the extension to txt, to view it in notepad, and windows still had it as a "protected operating system file".

nevertheless, the extension was changed ... but when I opened it in notepad ... it was empty...

I don't want to waste any more time over this, so can you please find the file & change the extension to txt ... then open it in notepad and copy & paste what it says here...

steam

olsens11
2006-12-20, 21:56
i just changed the extension of "winstart.bat" (directly from c:\windows) to ".txt" and opened it in notepad, but it was just blank, so there was nothing to copy and paste back into this post.

many thanks,
dave

olsens11
2006-12-20, 22:10
oh, and just one thing, somehow the clock in the task bar got switched to a 24 hour clock. how do i fix that?

-dave

steamwiz
2006-12-20, 23:01
i just changed the extension of "winstart.bat" (directly from c:\windows) to ".txt" and opened it in notepad, but it was just blank, so there was nothing to copy and paste back into this post.

many thanks,
dave

Hi

I guess that's why I couldn't see anything in it then... go ahead & delete the winstart.bat file ...

The clock sometimes gets changed when removing infected files with combofix... if you run combofix again, it should return the clock to normal... let me know...

Then I think that's everything cleaned up... what do you think ? is everything resolved ?

steam

olsens11
2006-12-21, 09:27
Alrighty then. i deleted the file, fixed the clock, and everything seems to be working most excellently, thanks to you. thank you so incredibly much for helping me get everything working properly, i don't know what i would have done without you.

merry christmas and such!
-dave

steamwiz
2006-12-21, 21:37
You're very welcome :)

Merry Christmas, a Happy new year & Happy surfing ...

steam