Command Service help

Sunflash

Hey, I've been infected with a Command Service virus. I've run SpyBot numerous times, as well as Adaware, Avast Cleaner and CCleaner. Nothing seems to be working. What's more, the virus seems to be spawning new viruses every time I scan. I just downloaded and ran Hijackthis.exe; here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:15:44 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kgsgk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vbakurm.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CW] "C:\Program Files\CW4\cw4.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [venf449c] RUNDLL32.EXE w19b254e.dll,n 005f44970000001219b254e
O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [{68-81-17-7E-ZN}] C:\windows\system32\ojdsregm.exe ELT001
O4 - HKLM\..\Run: [ms05605186-1338] C:\WINDOWS\ms05605186-1338.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: UPS OnLine PLD Reminder Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mcafeeasap.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://vs.mcafeeasap.com/MC/ENU/VS40/bin/myCioAgt.20060504175614.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KitsapPayroll.local
O17 - HKLM\Software\..\Telephony: DomainName = KitsapPayroll.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KitsapPayroll.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: B0DGIBHE - {1431317B-4B9E-24A3-6AF8-0CBB4E634506} - C:\WINDOWS\system32\Lkkbda32.dll (file missing)
O21 - SSODL: mtklefap - {1522EB60-18DF-4E9A-4993-92BAA694032F} - (no file)
O21 - SSODL: mtklefa - {333A83B4-46A3-472B-C684-46DC29992870} - C:\WINDOWS\system32\ormhm32.dll (file missing)
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINDOWS\system32\gnbfgbei.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmltIENyYXN3ZWxs\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

What should I do?
 
Another thing I forgot to mention is that whenever I run either Firefox or Internet Explorer, I'm bombarded with popups.
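As an added example, not from this thread or from HijackThis itself: a small Python script that parses entries in the log format quoted above and lists the ones a helper would look at first (orphaned entries, programs chained to Shell/UserInit, rundll32 loading a DLL by bare name, Trusted Zone additions, AppInit_DLLs, services with no publisher). The sample entries are copied from the log above; the triage rules are my own heuristics rather than HijackThis output, and a hit means "review this", not "malicious".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample for offline use: entries copied from the HijackThis log
# quoted above, plus one benign McAfee service line for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kgsgk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vbakurm.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [venf449c] RUNDLL32.EXE w19b254e.dll,n 005f44970000001219b254e
O15 - Trusted Zone: *.dollarrevenue.com
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: B0DGIBHE - {1431317B-4B9E-24A3-6AF8-0CBB4E634506} - C:\WINDOWS\system32\Lkkbda32.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmltIENyYXN3ZWxs\command.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why a helper would look at this entry first
    entry: str    # the original log line


# Every HijackThis entry starts with a section code (R0, F2, O4, O23, ...) and " - ";
# the process list, header and blank lines do not, and are skipped.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")


def _chained_programs(body: str) -> tuple[str, list[str]]:
    """Split an F2 'REG:system.ini: Key=a,b,c' body into ('key', [a, b, c])."""
    key, _, value = body.partition(": ")[2].partition("=")
    return key.strip().lower(), [p.strip() for p in value.split(",") if p.strip()]


def triage(log_text: str) -> list[Finding]:
    """Return the entries that match the heuristics below (my own rules), in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()

        def flag(reason: str) -> None:
            findings.append(Finding(section, reason, line))

        # Orphaned entries: the registry still points at a file that is gone,
        # typical of a half-finished removal or a loader that deleted itself.
        if "(file missing)" in body or "(no file)" in body:
            flag("entry references a file that no longer exists")

        if section == "F2":
            # Defaults are Shell=Explorer.exe and UserInit=...\userinit.exe with
            # nothing chained after them; anything extra runs at every logon.
            key, progs = _chained_programs(body)
            if key == "shell" and [p.lower() for p in progs] != ["explorer.exe"]:
                flag("extra program chained to the Windows shell: " + ", ".join(progs[1:]))
            elif key == "userinit" and len(progs) > 1:
                flag("extra program chained to UserInit: " + ", ".join(progs[1:]))

        elif section == "O4" and "] " in body:
            # Run-key entries that start rundll32 with a DLL given by bare name
            # rely on the search path rather than a known install location.
            tokens = body.split("] ", 1)[1].split()
            if len(tokens) > 1 and tokens[0].strip('"').lower() in ("rundll32.exe", "rundll32"):
                dll = tokens[1].split(",")[0]
                if not any(sep in dll for sep in "\\/:"):
                    flag("rundll32 loads a DLL by bare name: " + dll)

        elif section == "O15":
            # Trusted Zone entries relax Internet Explorer's security for that site.
            flag("site added to the IE Trusted Zone")

        elif section == "O20" and body.partition(": ")[2].strip():
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            flag("DLL registered in AppInit_DLLs: " + body.partition(": ")[2].strip())

        elif section == "O23" and "Unknown owner" in body:
            flag("service binary carries no publisher information")

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.entry}")
```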
 
Welcome to the forum. If you still need help and are not receiving it elsewhere, I will see what I can do.
You are badly infected, and my first suggestion will be to keep the computer offline as much as possible; this junk will attract more, and you have enough now. We will start like this:

Thanks to sUBs and anyone who helped with this fix.

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If the log is large, you might need to post half in one reply and half in another.

After you post the ComboFix log, post a fresh HJT log as well. Use "Post reply" to stay in this same topic.

Thanks
 
OK, tell me if this isn't right; the only log that ComboFix.exe gave me was this:

administrator - 06-10-21 11:48:45.80 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\"


The first time I ran it, it came up with a bunch of infected files, then it restarted the computer, and when it came back up there was only one bad file found (as far as I can tell). It said it was SurfSideKick. Then ComboFix.exe closed.
Anyways, here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:01, on 06-10-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\next06.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\userinit.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CW] "C:\Program Files\CW4\cw4.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [venf449c] RUNDLL32.EXE w19b254e.dll,n 005f44970000001219b254e
O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\next06.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [{68-81-17-7E-ZN}] C:\windows\system32\ojdsregm.exe ELT001
O4 - HKLM\..\Run: [ms05605186-1338] C:\WINDOWS\ms05605186-1338.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: UPS OnLine PLD Reminder Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mcafeeasap.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://vs.mcafeeasap.com/MC/ENU/VS40/bin/myCioAgt.20060504175614.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KitsapPayroll.local
O17 - HKLM\Software\..\Telephony: DomainName = KitsapPayroll.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KitsapPayroll.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O21 - SSODL: B0DGIBHE - {1431317B-4B9E-24A3-6AF8-0CBB4E634506} - C:\WINDOWS\system32\Lkkbda32.dll (file missing)
O21 - SSODL: mtklefap - {1522EB60-18DF-4E9A-4993-92BAA694032F} - (no file)
O21 - SSODL: mtklefa - {333A83B4-46A3-472B-C684-46DC29992870} - C:\WINDOWS\system32\ormhm32.dll (file missing)
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINDOWS\system32\gnbfgbei.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
 
OK, here's where the problem is; what causes it, I don't know. When ComboFix says that it's going to close, then reopen in no more than 10 seconds, it closes but never comes back up.
 
OK, listen up. You have a badly infected computer here, and you need to keep it offline as much as possible; this junk will attract more. Command.exe is Spybot locating leftover junk Ad-aware removed badly. I understand Ad-aware may now be updated to remove what it left the last time. Update Ad-aware and run it to see. That is by far the least of your problems. You have a Qoologic trojan, DeluxeCommunications (which is the hackers' new SurfSideKick) and loads of other junk. I suggest you may have gotten a bad download, and that you remove everything you downloaded for ComboFix and try the download again. This tool will remove several of the infections at once. If after you try a fresh download you are still not able to run it, post to let me know. I will start preparing instructions for removing the junk one at a time, but I will not do this until morning EST.

Thanks
 
Did you have more success when you uninstalled combofix and downloaded it again? I am waiting on you.

Thanks
 
Yeah. I had to do it several times. Each time yielded better results, until finally I got the entire log. Here it is:

administrator - 06-10-23 21:32:52.33 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\DeluxeCommunications\bak
C:\Program Files\DeluxeCommunications\Dxc.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\Program Files\DeluxeCommunications\bak
C:\Program Files\DeluxeCommunications\Dxc.exe
((((((((((((((((((((((((((((((( Files Created from 2006-09-23 to 2006-10-23 ))))))))))))))))))))))))))))))))))


2006-10-23 20:43 688,180 --------- C:\WINDOWS\SYSTEM32\pmkjk.dll
2006-10-23 19:54 276,918 --a------ C:\combofix.exe
2006-10-21 11:27 67,604 --a------ C:\WINDOWS\SYSTEM32\byblqaff.exe
2006-10-18 21:29 516,063 ---hs---- C:\WINDOWS\SYSTEM32\jlkkj.bak2
2006-10-18 20:33 864,256 --a------ C:\WINDOWS\SYSTEM32\DevIL.dll
2006-10-18 20:33 81,920 --a------ C:\WINDOWS\SYSTEM32\ILU.dll
2006-10-18 20:33 36,864 --a------ C:\WINDOWS\SYSTEM32\ILUT.dll
2006-10-18 20:33 161,280 --a------ C:\WINDOWS\SYSTEM32\fmod.dll
2006-10-17 21:33 66,264 --a------ C:\WINDOWS\SYSTEM32\ipv6monl.dll
2006-10-17 21:33 18,432 --a------ C:\svhost.exe
2006-10-17 21:24 98,324 --a------ C:\WINDOWS\SYSTEM32\mbjcohlm.dll
2006-10-17 21:24 465,903 ---hs---- C:\WINDOWS\SYSTEM32\jlkkj.bak1
2006-10-17 21:24 143,380 --a------ C:\WINDOWS\SYSTEM32\adqibqai.exe
2006-10-17 21:23 684,084 ---hs---- C:\WINDOWS\SYSTEM32\jkklj.dll
2006-10-17 21:08 919 --a------ C:\WINDOWS\SYSTEM32\winpfg32.sys
2006-10-17 21:07 73,728 --a------ C:\WINDOWS\win320986-133860512006.exe
2006-10-17 21:03 139,264 --a------ C:\WINDOWS\MirarSetup_876057.exe
2006-10-17 21:02 217,346 --a------ C:\WINDOWS\Setup90.exe
2006-10-17 21:01 45,065 --a------ C:\WINDOWS\TIELT001.exe
2006-10-17 21:01 433,632 --a------ C:\WINDOWS\hancerdoem.exe
2006-10-17 21:01 2,560 --a------ C:\WINDOWS\ac3_0002.exe
2006-10-17 21:00 25,600 --a------ C:\WINDOWS\xload.exe
2006-10-17 20:57 96,768 --a------ C:\WINDOWS\SYSTEM32\dxclib303562752.dll
2006-10-17 20:57 45,056 --a------ C:\WINDOWS\wpfmzds.exe
2006-10-17 20:57 353,280 --a------ C:\WINDOWS\SYSTEM32\1011_113.exe
2006-10-17 20:57 32,768 --a------ C:\WINDOWS\unstall.exe
2006-10-17 20:57 186,381 --a------ C:\WINDOWS\srvnhsvgzz.exe
2006-10-17 20:56 40,973 ---hs---- C:\WINDOWS\SYSTEM32\iifgfcd.dll
2006-10-17 20:56 32,768 --a------ C:\WINDOWS\DXCecho.exe
2006-10-17 20:56 25,600 --a------ C:\WINDOWS\next06.exe
2006-10-17 20:56 221,533 --a------ C:\WINDOWS\1011_emi03.exe
2006-10-17 20:56 2,560 --a------ C:\WINDOWS\ac3_0018.exe
2006-10-17 20:56 147,456 --a------ C:\WINDOWS\aff_0006.exe
2006-10-17 20:56 1,288 --a------ C:\WINDOWS\SYSTEM32\venf449c.sys
2006-10-12 07:14 78,848 --a------ C:\WINDOWS\SYSTEM32\nswB5C.dll
2006-10-11 10:51 115,131 --a------ C:\WINDOWS\SYSTEM32\Eim03.exe
2006-10-11 09:39 96,932 --a------ C:\WINDOWS\SYSTEM32\ts_www2.exe
2006-10-08 18:19 0 --a------ C:\AUTOEXEC.BAT
2006-10-02 12:04 806,912 --a------ C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2006-10-02 12:04 806,912 --a------ C:\WINDOWS\SYSTEM32\divx_xx07.dll
2006-10-02 12:04 790,528 --a------ C:\WINDOWS\SYSTEM32\divx_xx11.dll
2006-10-02 12:04 635,486 --a------ C:\WINDOWS\SYSTEM32\DivX.dll
2006-09-28 14:55 53,248 --a------ C:\WINDOWS\SYSTEM32\PhysXLoader.dll
2006-09-26 14:01 45,056 -ra------ C:\WINDOWS\SYSTEM32\AgCPanelJapanese.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-23 21:35 817 --ahs---- C:\WINDOWS\SYSTEM32\mmf.sys
2006-10-23 20:01 -------- d-------- C:\Program Files\DeluxeCommunications
2006-10-23 15:54 -------- d-------- C:\Program Files\CyberPay
2006-10-21 17:25 -------- d-------- C:\Program Files\QuickTime
2006-10-21 17:24 25600 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2006-10-21 17:24 25600 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2006-10-21 17:24 25600 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2006-10-21 11:48 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-21 11:29 -------- d-------- C:\Program Files\Common Files
2006-10-21 11:28 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\SearchToolbarCorp
2006-10-21 11:27 -------- d-------- C:\Program Files\VSToolbar
2006-10-18 19:25 -------- d-------- C:\Program Files\Windows NT
2006-10-18 19:25 -------- d-------- C:\Program Files\Common Files\rwwf
2006-10-18 19:21 -------- d-------- C:\Program Files\Lavasoft
2006-10-18 19:19 -------- d-------- C:\Program Files\Windows Media Player
2006-10-18 19:19 -------- d-------- C:\Program Files\Messenger
2006-10-17 21:35 -------- d-------- C:\Program Files\SysShield Tools
2006-10-17 21:26 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-17 21:23 -------- d-------- C:\Program Files\Microsoft Games
2006-10-17 21:23 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\Microsoft
2006-10-17 21:23 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\Microsoft
2006-10-17 21:23 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\Microsoft
2006-10-17 21:23 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\Microsoft
2006-10-17 21:17 -------- d-------- C:\Program Files\Google
2006-10-17 21:04 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\àppPatch
2006-10-17 21:04 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\àppPatch
2006-10-17 21:03 -------- d-------- C:\Program Files\T?sks
2006-10-17 21:03 -------- d-------- C:\Program Files\T?sks
2006-10-17 21:03 -------- d-------- C:\Program Files\Common Files\?ymantec
2006-10-17 21:02 -------- d-------- C:\Program Files\s?mbols
2006-10-17 21:02 -------- d-------- C:\Program Files\s?mbols
2006-10-17 21:02 -------- d-------- C:\Program Files\Common Files\çasks
2006-10-17 21:02 -------- d-------- C:\Program Files\Common Files\çasks
2006-10-17 21:02 -------- d-------- C:\Program Files\Common Files\çasks
2006-10-17 21:01 -------- d-------- C:\Program Files\çasks
2006-10-17 21:01 -------- d-------- C:\Program Files\çasks
2006-10-17 21:01 -------- d-------- C:\Program Files\çasks
2006-10-17 21:00 -------- d-------- C:\Program Files\s?curity
2006-10-17 21:00 -------- d-------- C:\Program Files\s?curity
2006-10-17 21:00 -------- d-------- C:\Program Files\Common Files\?ecurity
2006-10-17 21:00 -------- d-------- C:\Program Files\?ecurity
2006-10-17 21:00 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\s?curity
2006-10-17 21:00 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\s?curity
2006-10-17 21:00 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\?ssembly
2006-10-17 20:59 -------- d-------- C:\Program Files\Common Files\àppPatch
2006-10-17 20:59 -------- d-------- C:\Program Files\Common Files\àppPatch
2006-10-17 20:59 -------- d-------- C:\Program Files\Common Files\àppPatch
2006-10-17 20:59 -------- d-------- C:\Program Files\Common Files\s?curity
2006-10-17 20:59 -------- d-------- C:\Program Files\Common Files\s?curity
2006-10-17 20:59 -------- d-------- C:\Program Files\Common Files\M?crosoft
2006-10-17 20:59 -------- d-------- C:\Program Files\Common Files\M?crosoft
2006-10-17 20:59 -------- d-------- C:\Program Files\A?pPatch
2006-10-17 20:59 -------- d-------- C:\Program Files\A?pPatch
2006-10-17 20:59 -------- d-------- C:\Program Files\?icrosoft
2006-10-17 20:59 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\T?sks
2006-10-17 20:59 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\?racle
2006-10-17 20:59 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\?racle
2006-10-17 20:58 -------- d-------- C:\Program Files\M?crosoft
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\W?nSxS
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\T?sks
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\T?sks
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\s?mbols
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\s?mbols
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\S?mantec
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\S?mantec
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\M?crosoft.NET
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\M?crosoft.NET
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\F?nts
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\F?nts
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\a?sembly
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\a?sembly
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\?ystem32
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\?ystem32
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\?ssembly
2006-10-17 20:58 -------- d-------- C:\Program Files\Common Files\?icrosoft.NET
2006-10-17 20:58 -------- d-------- C:\Program Files\?ystem
2006-10-17 20:58 -------- d-------- C:\Program Files\?ssembly
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\çasks
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\çasks
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\çasks
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\àdobe
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\W?nSxS
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\s?stem32
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\s?stem32
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\s?mbols
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\s?mbols
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\S?mantec
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\S?mantec
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\F?nts
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\F?nts
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\?ystem
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\?ystem
2006-10-17 20:58 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\?ymbols
2006-10-17 20:57 -------- d-------- C:\Program Files\àppPatch
2006-10-17 20:57 -------- d-------- C:\Program Files\àppPatch
2006-10-17 20:57 -------- d-------- C:\Program Files\àdobe
2006-10-17 20:57 -------- d-------- C:\Program Files\W?nSxS
2006-10-17 20:57 -------- d-------- C:\Program Files\s?stem32
2006-10-17 20:57 -------- d-------- C:\Program Files\s?stem32
2006-10-17 20:57 -------- d-------- C:\Program Files\s?stem
2006-10-17 20:57 -------- d-------- C:\Program Files\s?stem
2006-10-17 20:57 -------- d-------- C:\Program Files\S?mantec
2006-10-17 20:57 -------- d-------- C:\Program Files\S?mantec
2006-10-17 20:57 -------- d-------- C:\Program Files\Common Files\àdobe
2006-10-17 20:57 -------- d-------- C:\Program Files\Common Files\?ymbols
2006-10-17 20:57 -------- d-------- C:\Program Files\Common Files\?racle
2006-10-17 20:57 -------- d-------- C:\Program Files\Common Files\?icrosoft
2006-10-17 20:57 -------- d-------- C:\Program Files\a?sembly
2006-10-17 20:57 -------- d-------- C:\Program Files\a?sembly
2006-10-17 20:57 -------- d-------- C:\Program Files\?ystem32
2006-10-17 20:57 -------- d-------- C:\Program Files\?ymbols
2006-10-17 20:57 -------- d-------- C:\Program Files\?racle
2006-10-17 20:57 -------- d-------- C:\Program Files\?racle
2006-10-17 20:57 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\a?sembly
2006-10-17 20:57 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\a?sembly
2006-10-17 20:57 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\?ystem32
2006-10-17 20:57 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\?ecurity
2006-10-17 20:56 -------- d-------- C:\Program Files\F?nts
2006-10-17 20:56 -------- d-------- C:\Program Files\?ymantec
2006-10-17 20:56 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\M?crosoft.NET
2006-10-17 20:56 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\M?crosoft.NET
2006-10-17 20:56 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\A?pPatch
2006-10-17 20:56 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\A?pPatch
2006-10-17 20:56 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\?ymantec
2006-10-14 14:46 -------- d-------- C:\Program Files\DivX
2006-10-14 14:36 -------- d-------- C:\Program Files\MTV Networks
2006-10-14 14:24 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-10-13 22:06 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-13 22:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-09 20:21 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\AdobeUM
2006-10-08 15:51 -------- d-------- C:\Program Files\3D World Studio
2006-10-08 12:52 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\Right Hemisphere
2006-10-08 12:51 -------- d-------- C:\Program Files\Right Hemisphere
2006-10-08 12:04 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\Adobe
2006-10-07 14:46 -------- d-------- C:\Program Files\AGEIA Technologies
2006-10-07 14:05 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-09-22 07:38 53248 --a------ C:\WINDOWS\109uninst.exe
2006-09-22 07:36 53248 --a------ C:\WINDOWS\uni_7eh.exe
2006-09-19 21:41 -------- d-------- C:\Program Files\MSN Messenger
2006-09-10 13:05 -------- d-------- C:\Program Files\Adobe
2006-09-10 13:05 -------- d-------- C:\Program Files\Adobe
2006-09-08 09:01 45056 -ra------ C:\WINDOWS\SYSTEM32\AgCPanelTraditionalChinese.dll
2006-09-08 09:01 45056 -ra------ C:\WINDOWS\SYSTEM32\AgCPanelSwedish.dll
2006-09-08 09:01 45056 -ra------ C:\WINDOWS\SYSTEM32\AgCPanelSpanish.dll
2006-09-08 09:01 45056 -ra------ C:\WINDOWS\SYSTEM32\AgCPanelSimplifiedChinese.dll
2006-09-08 09:01 45056 -ra------ C:\WINDOWS\SYSTEM32\AgCPanelPortugese.dll
2006-09-08 09:01 45056 -ra------ C:\WINDOWS\SYSTEM32\AgCPanelKorean.dll
2006-09-08 09:01 45056 -ra------ C:\WINDOWS\SYSTEM32\AgCPanelGerman.dll
2006-09-08 09:01 45056 -ra------ C:\WINDOWS\SYSTEM32\AgCPanelFrench.dll
2006-08-30 22:05 -------- d-------- C:\Documents and Settings\administrator.KITSAPPAYROLL\Application Data\Skype
2006-08-24 22:42 8704 --a------ C:\WINDOWS\SYSTEM32\wdfmgr.exe
2006-08-24 22:42 8704 --a------ C:\WINDOWS\SYSTEM32\uwdf.exe
2006-08-24 22:30 99840 --a------ C:\WINDOWS\SYSTEM32\wmpshell.dll
2006-08-24 22:30 990208 --a------ C:\WINDOWS\SYSTEM32\drmv2clt.dll
2006-08-24 22:30 937984 --a------ C:\WINDOWS\SYSTEM32\WMNetMgr.dll
2006-08-24 22:30 8337920 --a------ C:\WINDOWS\SYSTEM32\wmploc.dll
2006-08-24 22:30 790016 --------- C:\WINDOWS\SYSTEM32\WMVSENCD.dll
2006-08-24 22:30 757248 --a------ C:\WINDOWS\SYSTEM32\WMADMOD.dll
2006-08-24 22:30 7168 --a------ C:\WINDOWS\SYSTEM32\asferror.dll

The rest is in the next post:

2006-08-24 22:30 656896 --------- C:\WINDOWS\SYSTEM32\WMVXENCD.dll
2006-08-24 22:30 63488 --a------ C:\WINDOWS\SYSTEM32\wpdmtpus.dll
2006-08-24 22:30 629760 --a------ C:\WINDOWS\SYSTEM32\wpd_ci.dll
2006-08-24 22:30 611840 --------- C:\WINDOWS\SYSTEM32\wmpmde.dll
2006-08-24 22:30 603648 --a------ C:\WINDOWS\SYSTEM32\WMSPDMOD.dll
2006-08-24 22:30 537600 --a------ C:\WINDOWS\SYSTEM32\blackbox.dll
2006-08-24 22:30 532992 --------- C:\WINDOWS\SYSTEM32\wmdrmsdk.dll
2006-08-24 22:30 428032 --a------ C:\WINDOWS\SYSTEM32\wmdrmdev.dll
2006-08-24 22:30 414208 --a------ C:\WINDOWS\SYSTEM32\msscp.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\wmvdmoe2.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\wmvdmod.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\WMVADVE.DLL
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\WMVADVD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\wmsdmoe2.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\wmsdmod.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\wdfapi.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\MPG4DMOD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\MP4SDMOD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\SYSTEM32\MP43DMOD.dll
2006-08-24 22:30 37376 --a------ C:\WINDOWS\SYSTEM32\wmdmps.dll
2006-08-24 22:30 35840 --a------ C:\WINDOWS\SYSTEM32\wpdconns.dll
2006-08-24 22:30 349184 --a------ C:\WINDOWS\SYSTEM32\wpdsp.dll
2006-08-24 22:30 347648 --a------ C:\WINDOWS\SYSTEM32\wmdrmnet.dll
2006-08-24 22:30 33792 --a------ C:\WINDOWS\SYSTEM32\wmdmlog.dll
2006-08-24 22:30 320512 --a------ C:\WINDOWS\SYSTEM32\mswmdm.dll
2006-08-24 22:30 316928 --------- C:\WINDOWS\SYSTEM32\MP4SDECD.dll
2006-08-24 22:30 314368 --a------ C:\WINDOWS\SYSTEM32\wmpdxm.dll
2006-08-24 22:30 305152 --------- C:\WINDOWS\SYSTEM32\MSDelta.dll
2006-08-24 22:30 295424 --------- C:\WINDOWS\SYSTEM32\wmpeffects.dll
2006-08-24 22:30 284160 --------- C:\WINDOWS\SYSTEM32\PortableDeviceApi.dll
2006-08-24 22:30 276480 --a------ C:\WINDOWS\SYSTEM32\audiodev.dll
2006-08-24 22:30 27648 --a------ C:\WINDOWS\SYSTEM32\mspmsnsv.dll
2006-08-24 22:30 259072 --------- C:\WINDOWS\SYSTEM32\MPG4DECD.dll
2006-08-24 22:30 2589184 --------- C:\WINDOWS\SYSTEM32\WpdShext.dll
2006-08-24 22:30 258560 --------- C:\WINDOWS\SYSTEM32\MP43DECD.dll
2006-08-24 22:30 2450944 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-08-24 22:30 242176 --a------ C:\WINDOWS\SYSTEM32\wmpasf.dll
2006-08-24 22:30 228352 --a------ C:\WINDOWS\SYSTEM32\cewmdm.dll
2006-08-24 22:30 227328 --a------ C:\WINDOWS\SYSTEM32\wmerror.dll
2006-08-24 22:30 222208 --a------ C:\WINDOWS\SYSTEM32\WMASF.dll
2006-08-24 22:30 211968 --------- C:\WINDOWS\SYSTEM32\MFPLAT.dll
2006-08-24 22:30 210432 --a------ C:\WINDOWS\SYSTEM32\qasf.dll
2006-08-24 22:30 204800 --a------ C:\WINDOWS\SYSTEM32\wmpsrcwp.dll
2006-08-24 22:30 198144 --------- C:\WINDOWS\SYSTEM32\PortableDeviceWMDRM.dll
2006-08-24 22:30 179712 --a------ C:\WINDOWS\SYSTEM32\msnetobj.dll
2006-08-24 22:30 175104 --a------ C:\WINDOWS\SYSTEM32\mspmsp.dll
2006-08-24 22:30 166912 --------- C:\WINDOWS\SYSTEM32\PortableDeviceTypes.dll
2006-08-24 22:30 1660416 --a------ C:\WINDOWS\SYSTEM32\wmpencen.dll
2006-08-24 22:30 157184 --a------ C:\WINDOWS\SYSTEM32\wmidx.dll
2006-08-24 22:30 154624 --a------ C:\WINDOWS\SYSTEM32\wpdmtp.dll
2006-08-24 22:30 1539584 --------- C:\WINDOWS\SYSTEM32\WMVDECOD.dll
2006-08-24 22:30 1532416 --------- C:\WINDOWS\SYSTEM32\WMVENCOD.dll
2006-08-24 22:30 1392128 --------- C:\WINDOWS\SYSTEM32\WMVSDECD.dll
2006-08-24 22:30 133120 --------- C:\WINDOWS\SYSTEM32\WPDShServiceObj.dll
2006-08-24 22:30 1327616 --a------ C:\WINDOWS\SYSTEM32\WMSPDMOE.dll
2006-08-24 22:30 132096 --------- C:\WINDOWS\SYSTEM32\PortableDeviceWiaCompat.dll
2006-08-24 22:30 130048 --------- C:\WINDOWS\SYSTEM32\wmpps.dll
2006-08-24 22:30 11264 --a------ C:\WINDOWS\SYSTEM32\LAPRXY.dll
2006-08-24 22:30 1118208 --a------ C:\WINDOWS\SYSTEM32\WMADMOE.dll
2006-08-24 22:30 101888 --------- C:\WINDOWS\SYSTEM32\PortableDeviceClassExtension.dll
2006-08-24 20:31 100864 --a------ C:\WINDOWS\SYSTEM32\logagent.exe
2006-08-24 20:27 249344 --------- C:\WINDOWS\SYSTEM32\drmupgds.exe
2006-08-24 20:26 95288 --------- C:\WINDOWS\SYSTEM32\WUDFCoinstaller.dll
2006-08-24 20:26 38656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpdusb.sys
2006-08-24 20:26 17408 --------- C:\WINDOWS\SYSTEM32\wpdshextautoplay.exe
2006-08-24 19:22 90112 --------- C:\WINDOWS\SYSTEM32\DRIVERS\WudfRd.sys
2006-08-24 19:19 316416 --------- C:\WINDOWS\SYSTEM32\WUDFx.dll
2006-08-24 19:19 145920 --------- C:\WINDOWS\SYSTEM32\WudfHost.exe
2006-08-24 19:18 84864 --------- C:\WINDOWS\SYSTEM32\DRIVERS\WudfPf.sys
2006-08-24 19:18 56320 --------- C:\WINDOWS\SYSTEM32\WudfSvc.dll
2006-08-24 19:18 168448 --------- C:\WINDOWS\SYSTEM32\WudfPlatform.dll
2006-08-11 20:14 22752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-08-10 16:03 73728 --a------ C:\WINDOWS\SYSTEM32\dpl100.dll
2006-08-10 16:03 196608 --a------ C:\WINDOWS\SYSTEM32\dtu100.dll
2006-08-07 08:17 61440 --a------ C:\WINDOWS\SYSTEM32\BattyRun2.dll
2006-07-28 09:30 62744 --a------ C:\WINDOWS\SYSTEM32\xinput1_2.dll
2006-07-28 09:30 236824 --a------ C:\WINDOWS\SYSTEM32\xactengine2_3.dll
2006-07-27 10:28 3596288 --a------ C:\WINDOWS\SYSTEM32\qt-dx331.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"CW"="\"C:\\Program Files\\CW4\\cw4.exe\""
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"venf449c"="RUNDLL32.EXE w19b254e.dll,n 005f44970000001219b254e"
"mmnext06"="C:\\WINDOWS\\next06.exe"
"xload"="\"C:\\WINDOWS\\xload.exe\""
"{68-81-17-7E-ZN}"="C:\\windows\\system32\\ojdsregm.exe ELT001"
"ms05605186-1338"="C:\\WINDOWS\\ms05605186-1338.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"Register Homesite+.exe"="\"C:\\Program Files\\Macromedia\\HomeSite+\\Homesite+.exe\" /REGSERVER"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows Media Player\\kyzerek.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Messenger\\howypyheg.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"B0DGIBHE"="{1431317B-4B9E-24A3-6AF8-0CBB4E634506}"
"mtklefap"="{1522EB60-18DF-4E9A-4993-92BAA694032F}"
"mtklefa"="{333A83B4-46A3-472B-C684-46DC29992870}"
"SysTray.Exmr"="{73F8D5FF-6F5C-4f5b-B964-E6F214F6F852}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bldbubg"
"hkey"="HKLM"
"command"="c:\\dell\\bldbubg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSCD_Creator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PreODM"
"hkey"="HKLM"
"command"="c:\\Dell\\PreODM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QBReminder"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Intuit\\QuickBooks 2005\\Atom\\QBReminder.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smax4pnp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dvd4free
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklj

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (DELL100-Jim Craswell).job

Completion time: 06-10-23 22:02:04.79
C:\ComboFix.txt ... 06-10-23 22:02
C:\ComboFix2.txt ... 06-10-23 20:02
 
Thanks for getting ComboFix to work. That got some of the junk. I need to see a new HJT log. It will require a little time to research the questionable files located and I may need your help. Post the HJT log and try to stay offline if possible. The junk will attract more junk.

Thanks
 
You have a real mess. I suggest you keep this computer offline except when troubleshooting. This junk is going to attract more.

Return here: C:\hijackthis\HijackThis.exe <<< rename this file to, say, Sunflash.exe. Make sure you restart the computer. I think we have a hidden Vundo trojan; the next HJT log will tell us.

Once you post that log then follow the instructions in this link:
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Thanks to John McKenna for the tutorial

Post the scan results when you get them, include a new HJT log with those results.

Thanks
 
OK. The scan is going on now. I have to leave for school any minute, so I'm not sure how much I can get done this morning. I'll be gone all day too. I'll try to get those logs up before I leave, though.

Gahhh! It froze my computer. Drats. It was just quarantined. Hmm, I'll let it sit a while and maybe it will start working.
 
OK, in the end I had to restart the scanning process. It's going now. I'm really mad I didn't get that log, but if it helps, all (or at least most) of the infections are listed on a page in AVG. If you really need it, I could take screenshots of each page, but I doubt it contains as much info as a log would.

Anyways, here's the scan results:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 07:54 06-10-24

+ Scan result:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054049.dll -> Adware.AutoSearch : Ignored.
C:\WINDOWS\aff_0006.exe/AutoSearch.dll -> Adware.AutoSearch : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054076.dll -> Adware.CASClient : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054294.exe -> Adware.CASClient : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP361\A0054688.exe -> Adware.CASClient : Ignored.
C:\WINDOWS\SYSTEM32\BattyRun2.dll -> Adware.CASClient : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054288.exe -> Adware.CommAd : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054620.dll -> Adware.CommAd : Ignored.
C:\Program Files\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
C:\Program Files\DeluxeCommunications\Dxc.exe -> Adware.DeluxeCommunications : Ignored.
C:\Program Files\DeluxeCommunications\bak -> Adware.DeluxeCommunications : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0052781.dll -> Adware.EZula : Ignored.
C:\WINDOWS\motorsix.ocx -> Adware.MediaMotor : Ignored.
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054053.dll -> Adware.Mirar : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP361\A0054685.dll -> Adware.Mirar : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0052814.exe -> Adware.PurityScan : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054042.exe -> Adware.PurityScan : Ignored.
C:\WINDOWS\MirarSetup_876057.exe -> Adware.SaveNow : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055024.exe -> Adware.SurfSide : Ignored.
C:\WINDOWS\SYSTEM32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1068] C:\WINDOWS\System32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1128] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1260] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1432] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1456] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1540] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1596] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1640] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1664] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1680] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[1776] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[2788] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[3892] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[652] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[700] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[712] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[896] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[968] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055025.dll -> Adware.TargetServer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0052357.dll -> Adware.TrafficSol : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053855.dll -> Adware.TrafficSol : Ignored.
C:\WINDOWS\SYSTEM32\iifgfcd.dll -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0052782.exe -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0052783.dll -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053841.exe -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053844.exe -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053845.dll -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053846.exe -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053847.dll -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053848.exe -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053850.dll -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053851.exe -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053861.dll -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP358\A0053862.dll -> Adware.WebHancer : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054065.exe -> Adware.ZenoSearch : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054067.exe -> Adware.ZenoSearch : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054068.exe -> Adware.ZenoSearch : Ignored.
C:\WINDOWS\TIELT001.exe -> Adware.ZenoSearch : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055022.exe -> Downloader.Small.cln : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055019.exe -> Downloader.Small.cyh : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055020.exe -> Downloader.Small.cyh : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055015.exe -> Downloader.TSUpdate.f : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055014.exe -> Downloader.TSUpdate.r : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055021.exe -> Downloader.VB.wz : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055023.exe -> Dropper.Agent.mu : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055016.exe -> Dropper.Delf.aad : Ignored.
C:\Documents and Settings\cheryl\Local Settings\Temporary Internet Files\Content.IE5\VLQULHAY\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\A0054062.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055017.exe -> Trojan.VB.tg : Ignored.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP363\A0055018.exe -> Trojan.VB.tg : Ignored.

::Report end

The HijackThis.exe log will follow.
 
Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 08:05, on 06-10-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\userinit.exe
C:\hijackthis\Sunflash.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\mbjcohlm.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {4d62db20-b5ff-4199-9666-b44e12c67d6a} - C:\WINDOWS\system32\CSS591.dll
O2 - BHO: (no name) - {5CBE8308-7437-4218-9EDF-76B0CC9A0D05} - C:\WINDOWS\system32\jkklj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [CW] "C:\Program Files\CW4\cw4.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [venf449c] RUNDLL32.EXE w19b254e.dll,n 005f44970000001219b254e
O4 - HKLM\..\Run: [{68-81-17-7E-ZN}] C:\windows\system32\ojdsregm.exe ELT001
O4 - HKLM\..\Run: [ms05605186-1338] C:\WINDOWS\ms05605186-1338.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: UPS OnLine PLD Reminder Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mcafeeasap.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://vs.mcafeeasap.com/MC/ENU/VS40/bin/myCioAgt.20060504175614.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KitsapPayroll.local
O17 - HKLM\Software\..\Telephony: DomainName = KitsapPayroll.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KitsapPayroll.local
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: awvtr - awvtr.dll (file missing)
O20 - Winlogon Notify: CSS591 - C:\WINDOWS\SYSTEM32\CSS591.dll
O20 - Winlogon Notify: dvd4free - dvd4free.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll (file missing)
O21 - SSODL: B0DGIBHE - {1431317B-4B9E-24A3-6AF8-0CBB4E634506} - C:\WINDOWS\system32\Lkkbda32.dll (file missing)
O21 - SSODL: mtklefap - {1522EB60-18DF-4E9A-4993-92BAA694032F} - (no file)
O21 - SSODL: mtklefa - {333A83B4-46A3-472B-C684-46DC29992870} - C:\WINDOWS\system32\ormhm32.dll (file missing)
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINDOWS\system32\gnbfgbei.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
 
Why would you "ignore" the junk the spyware program located??? Make sure you run it in Safe Mode:
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Choose to delete or quarantine whatever it locates unless you know it is not bad. You are making this much harder on both of us than it should be.
When you have deleted or quarantined what AVG Anti-Spyware locates, follow the directions in the tutorial to save and post the log. Include a new HJT log that is created after the AVG Anti-Spyware scan is complete.

Thanks
 
I saved the log, then I quarantined the infected files. Whenever I quarantine, it goes halfway and then freezes the computer. The log says "Ignored" because that was the current setting when I saved the log. The HJT log was taken after everything from the HJT scan that could be cleaned was cleaned.
 
Please go back and read the instructions for running AVG Anti-Spyware I posted. Then follow the directions I posted.

Thanks
 
Gahhh! I finally got both the logs, then I restarted Windows again and booted into Windows normally, but it erased my log!! Gahh... So I'm going to do it all over again, but this time, if it's OK, I'm going to allow networking in Safe Mode so I can place the logs on a drive that my other computers can access.
 