Command Service, Virtumonde, various other problems...please help!

pearllita

My Kaspersky log is too long to put in one post. Please let me know if you need it.

I ran Spybot in safe mode for two days, until it no longer showed items in red (although I'm sure if I went back to run it now, that would not be true).

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:36 PM, on 3/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\hkcmd .exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\COMMON~1\qmmi\qmmim .exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://agoga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\System32\mljgd.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rxhtnn] c:\windows\system32\eujjzpl.exe r
O4 - HKLM\..\Run: [Dinst]
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [kglyic] C:\WINDOWS\System32\kglyic.exe
O4 - HKLM\..\Run: [BM93b93598] Rundll32.exe "C:\WINDOWS\System32\ecsmlnmq.dll",s
O4 - HKLM\..\Run: [908a0604] rundll32.exe "C:\WINDOWS\System32\dcqsbvtc.dll",b
O4 - HKCU\..\Run: [0acc253b.exe] C:\Documents and Settings\Owner.DARLENE\Local Settings\Application Data\0acc253b.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [Nrowykj] C:\WINDOWS\system32\?ecurity\tracert.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [qmmi] C:\PROGRA~1\COMMON~1\qmmi\qmmim .exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Meu] "C:\Program Files\Common Files\W?nSxS\attrib.exe"
O4 - HKCU\..\Run: [Btx] C:\WINDOWS\system32\W?nSxS\regedit.exe
O4 - HKCU\..\Run: [Mgqcz] "C:\Program Files\?racle\rundll.exe"
O4 - HKCU\..\Run: [Rsrsd] "C:\Program Files\Common Files\?dobe\dvdplay.exe"
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
O16 - DPF: {691A317B-85E9-666F-4CCC-5FC46C7DFB1C} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Clorox/Coupons.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://sympatico.zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC005DA7-13DB-440C-B90A-667CD9C225B7}: NameServer = 68.94.156.1 68.94.157.1
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\perfc000.dat
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\profsydy.html
O24 - Desktop Component 1: (no name) - http://pbskids.org/images/spring-girl-on.gif

--
End of file - 9482 bytes
 
Hi pearllita

Rename HijackThis.exe to pearllita.exe and post back a fresh HijackThis.exe, please :)
 
I hope I did this right...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:05 PM, on 3/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\hkcmd .exe
C:\Program Files\QuickTime\qttask .exe
C:\PROGRA~1\COMMON~1\qmmi\qmmim .exe
C:\Program Files\Common Files\?dobe\dvdplay.exe
C:\PROGRA~1\COMMON~1\qmmi\qmmia.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MCROSO~1.NET\winlogon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://agoga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\System32\mljgd.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rxhtnn] c:\windows\system32\eujjzpl.exe r
O4 - HKLM\..\Run: [Dinst]
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [kglyic] C:\WINDOWS\System32\kglyic.exe
O4 - HKLM\..\Run: [908a0604] rundll32.exe "C:\WINDOWS\System32\cdocfljx.dll",b
O4 - HKLM\..\Run: [BM93b93598] Rundll32.exe "C:\WINDOWS\System32\ajfbdild.dll",s
O4 - HKCU\..\Run: [0acc253b.exe] C:\Documents and Settings\Owner.DARLENE\Local Settings\Application Data\0acc253b.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [Nrowykj] C:\WINDOWS\system32\?ecurity\tracert.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [qmmi] C:\PROGRA~1\COMMON~1\qmmi\qmmim .exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Meu] "C:\Program Files\Common Files\W?nSxS\attrib.exe"
O4 - HKCU\..\Run: [Btx] C:\WINDOWS\system32\W?nSxS\regedit.exe
O4 - HKCU\..\Run: [Mgqcz] "C:\Program Files\?racle\rundll.exe"
O4 - HKCU\..\Run: [Rsrsd] "C:\Program Files\Common Files\?dobe\dvdplay.exe"
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\MCROSO~1.NET\winlogon.exe" -vt ndrv
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
O16 - DPF: {691A317B-85E9-666F-4CCC-5FC46C7DFB1C} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Clorox/Coupons.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://sympatico.zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC005DA7-13DB-440C-B90A-667CD9C225B7}: NameServer = 68.94.156.1 68.94.157.1
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\perfc000.dat
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\profsydy.html
O24 - Desktop Component 1: (no name) - http://pbskids.org/images/spring-girl-on.gif

--
End of file - 9733 bytes
 
Hi

Unfortunately you didn't.

Rename HijackThis.exe to pearllita.exe by doing the following:

  • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
  • Right-click on the HijackThis.exe
  • Choose "Rename" from the pull-down menu
  • And now rename HijackThis.exe to pearllita.exe
  • When you've renamed HijackThis, open HijackThis again.
  • Take a fresh HijackThis log (click Do a system scan and save a log file)
  • Post the fresh HijackThis log here.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:18 AM, on 3/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\System32\hkcmd .exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\?dobe\dvdplay.exe
C:\PROGRA~1\COMMON~1\qmmi\qmmim .exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\qmmi\qmmia.exe
C:\PROGRA~1\MCROSO~1.NET\winlogon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\pearllita.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://agoga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\System32\mljgd.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {463FCCCD-0373-5FD8-0210-5800CCC7DCCC} - C:\WINDOWS\System32\wlwj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {b75d79e9-895b-48b9-4094-080f97f09788} - {88790f79-f080-4904-9b84-b5989e97d57b} - C:\WINDOWS\System32\bqswsfem.dll
O2 - BHO: (no name) - {9B6D6223-9DED-4C98-950E-407665C0B1D9} - C:\WINDOWS\System32\mljgd.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\System32\vtutrol.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rxhtnn] c:\windows\system32\eujjzpl.exe r
O4 - HKLM\..\Run: [Dinst]
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [kglyic] C:\WINDOWS\System32\kglyic.exe
O4 - HKLM\..\Run: [908a0604] rundll32.exe "C:\WINDOWS\System32\romycfxn.dll",b
O4 - HKLM\..\Run: [BM93b93598] Rundll32.exe "C:\WINDOWS\System32\cdnpfiwg.dll",s
O4 - HKCU\..\Run: [0acc253b.exe] C:\Documents and Settings\Owner.DARLENE\Local Settings\Application Data\0acc253b.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [Nrowykj] C:\WINDOWS\system32\?ecurity\tracert.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [qmmi] C:\PROGRA~1\COMMON~1\qmmi\qmmim .exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Meu] "C:\Program Files\Common Files\W?nSxS\attrib.exe"
O4 - HKCU\..\Run: [Btx] C:\WINDOWS\system32\W?nSxS\regedit.exe
O4 - HKCU\..\Run: [Mgqcz] "C:\Program Files\?racle\rundll.exe"
O4 - HKCU\..\Run: [Rsrsd] "C:\Program Files\Common Files\?dobe\dvdplay.exe"
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\MCROSO~1.NET\winlogon.exe" -vt ndrv
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
O16 - DPF: {691A317B-85E9-666F-4CCC-5FC46C7DFB1C} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Clorox/Coupons.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://sympatico.zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC005DA7-13DB-440C-B90A-667CD9C225B7}: NameServer = 68.94.156.1 68.94.157.1
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\perfc000.dat
O20 - Winlogon Notify: vtutrol - C:\WINDOWS\SYSTEM32\vtutrol.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\profsydy.html
O24 - Desktop Component 1: (no name) - http://pbskids.org/images/spring-girl-on.gif

--
End of file - 10681 bytes
 
Hi

We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
ComboFix 08-03-07.1 - Owner 2008-03-07 14:10:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.55 [GMT -6:00]
Running from: C:\Documents and Settings\Owner.DARLENE\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.DARLENE\Application Data\ICROSO~1
C:\Documents and Settings\Owner.DARLENE\Application Data\SEMBLY~1
C:\Documents and Settings\Owner.DARLENE\My Documents\FNTS~1
C:\Documents and Settings\Owner.DARLENE\My Documents\MCROSO~1.NET
C:\Documents and Settings\Owner.DARLENE\My Documents\TSKS~1
C:\Documents and Settings\Owner.DARLENE\My Documents\YSTEM~1
C:\Documents and Settings\Owner.DARLENE\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner.DARLENE\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner.DARLENE\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\PROGRA~1\COMMON~1\qmmi\qmmim .exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\dobe~1\dvdplay.exe
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\qmmi
C:\Program Files\Common Files\qmmi\qmmia.exe
C:\Program Files\Common Files\qmmi\qmmia.lck
C:\Program Files\Common Files\qmmi\qmmid\class-barrel
C:\Program Files\Common Files\qmmi\qmmid\qmmic.dll
C:\Program Files\Common Files\qmmi\qmmid\vocabulary
C:\Program Files\Common Files\qmmi\qmmih
C:\Program Files\Common Files\qmmi\qmmil.exe
C:\Program Files\Common Files\qmmi\qmmil.lck
C:\Program Files\Common Files\qmmi\qmmim .exe
C:\Program Files\Common Files\qmmi\qmmim.exe
C:\Program Files\Common Files\qmmi\qmmim.lck
C:\Program Files\Common Files\qmmi\qmmip.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\mcroso~1.net
C:\Program Files\mcroso~1.net\M?crosoft.NET\
C:\Program Files\mcroso~1.net\winlogon .exe
C:\Program Files\mcroso~1.net\winlogon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrPack
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\racle~1
C:\Program Files\Router
C:\Program Files\Router\Router .exe
C:\Program Files\Temporary
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows NT\profsydy.html
C:\WINDOWS\BM93b93598.xml
C:\WINDOWS\ecurit~1
C:\WINDOWS\pppatc~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\qmmi
C:\WINDOWS\qmmi\qmmi.dat
C:\WINDOWS\qmmi\wu
C:\WINDOWS\sembly~1
C:\WINDOWS\system32\aboqpnnn.dll
C:\WINDOWS\system32\acwncrky.ini
C:\WINDOWS\system32\aekkodks.dll
C:\WINDOWS\system32\afcmkajm.dll
C:\WINDOWS\system32\ajfbdild.dll
C:\WINDOWS\system32\aopqctfc.dll
C:\WINDOWS\system32\bqswsfem.dll
C:\WINDOWS\system32\cdnpfiwg.dll
C:\WINDOWS\system32\cefnqddm.ini
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\cimflrpn.dll
C:\WINDOWS\system32\cxiidwhn.dll
C:\WINDOWS\system32\dbqnfrvm.dll
C:\WINDOWS\system32\dcipbdfv.dll
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dhwihoqg.ini
C:\WINDOWS\system32\dmbbjomq.dll
C:\WINDOWS\system32\dmlfmcfw.dll
C:\WINDOWS\system32\ebdnwyjy.dll
C:\WINDOWS\system32\ecsmlnmq.dll
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\eeorcxnx.dll
C:\WINDOWS\system32\eittdbdc.dll
C:\WINDOWS\system32\elljqygb.dll
C:\WINDOWS\system32\emwccsur.dll
C:\WINDOWS\system32\eohyymsk.dll
C:\WINDOWS\system32\euwkeeqd.dll
C:\WINDOWS\system32\eyjcwkhe.dll
C:\WINDOWS\system32\eymnsntx.dll
C:\WINDOWS\system32\fabllniq.dll
C:\WINDOWS\system32\fbrauhvc.dll
C:\WINDOWS\system32\ferhohcy.dll
C:\WINDOWS\system32\gmtqwnkf.dll
C:\WINDOWS\system32\gqohiwhd.dll
C:\WINDOWS\system32\gswgrfbu.dll
C:\WINDOWS\system32\hfvakeuu.dll
C:\WINDOWS\system32\hhmeenxs.dll
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ibudxkcp.dll
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\jbmpguqu.dll
C:\WINDOWS\system32\jetbsbik.dll
C:\WINDOWS\system32\jjnlynux.dll
C:\WINDOWS\system32\jnaboofc.dll
C:\WINDOWS\system32\kaxjoygb.dll
C:\WINDOWS\System32\kglyic.exe
C:\WINDOWS\system32\kkafrokr.dll
C:\WINDOWS\system32\klscughx.dll
C:\WINDOWS\system32\kwphwtue.dll
C:\WINDOWS\system32\kxlffuxd.dll
C:\WINDOWS\system32\lvcolsyw.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mddqnfec.dll
C:\WINDOWS\system32\mfmuxpek.dll
C:\WINDOWS\system32\mlggbnvg.dll
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mljgd.exe
C:\WINDOWS\system32\mvrfnqbd.ini
C:\WINDOWS\system32\ncyarfcl.dll
C:\WINDOWS\system32\neemcmmn.dll
C:\WINDOWS\system32\nxfcymor.ini
C:\WINDOWS\system32\oalvruuw.ini
C:\WINDOWS\system32\odqtvoyw.ini
C:\WINDOWS\system32\ogfltyhi.dll
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\system32\pjiwwhpu.ini
C:\WINDOWS\system32\pqdcmaxa.dll
C:\WINDOWS\system32\pytauagb.dll
C:\WINDOWS\system32\qjymbmwv.dll
C:\WINDOWS\system32\qmojbbmd.ini
C:\WINDOWS\system32\qnhvpxlk.dll
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\rkorfakk.ini
C:\WINDOWS\system32\romycfxn.dll
C:\WINDOWS\system32\sdibclxk.dll
C:\WINDOWS\system32\sjtqrwki.dll
C:\WINDOWS\system32\svdxrrvg.dll
C:\WINDOWS\system32\swspbckj.dll
C:\WINDOWS\system32\syedstjq.dll
C:\WINDOWS\system32\tarvfbjq.dll
C:\WINDOWS\system32\thvjfgqi.dll
C:\WINDOWS\system32\tlhkudhv.dll
C:\WINDOWS\system32\trrrawwx.dll
C:\WINDOWS\system32\uomrdcxs.dll
C:\WINDOWS\system32\uphwwijp.dll
C:\WINDOWS\system32\vlicvaic.dll
C:\WINDOWS\system32\vlxentwv.dll
C:\WINDOWS\system32\vnufgcwo.dll
C:\WINDOWS\system32\votnhisy.dll
C:\WINDOWS\system32\vpqeuknv.dll
C:\WINDOWS\system32\vtutrol.dll
C:\WINDOWS\system32\vwtnexlv.ini
C:\WINDOWS\system32\wlwj.dll
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wuurvlao.dll
C:\WINDOWS\system32\wyovtqdo.dll
C:\WINDOWS\system32\xhgucslk.ini
C:\WINDOWS\system32\xmcamvqe.dll
C:\WINDOWS\system32\xoxkebfu.dll
C:\WINDOWS\system32\xtnsnmye.ini
C:\WINDOWS\system32\ybslosgx.dll
C:\WINDOWS\system32\ykrcnwca.dll
C:\WINDOWS\system32\ymapstvm.dll
C:\WINDOWS\system32\ysihntov.ini
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\wnsxs~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 14:00 . 2008-03-07 14:00 347,648 --a------ C:\WINDOWS\system32\RCX65.tmp
2008-03-07 13:27 . 2008-03-07 13:27 347,648 --a------ C:\WINDOWS\system32\RCX64.tmp
2008-03-07 12:13 . 2008-03-07 12:13 347,648 --a------ C:\WINDOWS\system32\RCX63.tmp
2008-03-07 05:06 . 2008-03-07 05:06 347,648 --a------ C:\WINDOWS\system32\RCX62.tmp
2008-03-06 19:35 . 2008-03-06 19:35 347,648 --a------ C:\WINDOWS\system32\RCX61.tmp
2008-03-06 15:50 . 2008-03-06 15:50 347,648 --a------ C:\WINDOWS\system32\RCX60.tmp
2008-03-06 06:55 . 2008-03-06 06:55 347,648 --a------ C:\WINDOWS\system32\RCX5F.tmp
2008-03-05 22:24 . 2008-03-06 19:37 2,934 ---hs---- C:\WINDOWS\system32\xjlfcodc.ini
2008-03-05 21:18 . 2008-03-05 21:19 2,694 ---hs---- C:\WINDOWS\system32\gtbthovi.ini
2008-03-05 21:08 . 2008-03-05 21:08 347,648 --a------ C:\WINDOWS\system32\RCX5E.tmp
2008-03-05 07:15 . 2008-03-05 07:15 347,648 --a------ C:\WINDOWS\system32\RCX5D.tmp
2008-03-04 16:55 . 2008-03-04 16:55 347,648 --a------ C:\WINDOWS\system32\RCX5C.tmp
2008-03-04 13:47 . 2008-03-05 21:11 2,634 ---hs---- C:\WINDOWS\system32\kelvnfpo.ini
2008-03-04 12:31 . 2008-03-04 12:31 347,648 --a------ C:\WINDOWS\system32\RCX5B.tmp
2008-03-04 08:11 . 2008-03-04 08:11 347,648 --a------ C:\WINDOWS\system32\RCX5A.tmp
2008-03-03 20:08 . 2008-03-03 20:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-03 18:47 . 2008-03-03 18:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 18:47 . 2008-03-03 18:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-03 18:33 . 2008-03-04 12:33 2,394 ---hs---- C:\WINDOWS\system32\ctvbsqcd.ini
2008-03-03 10:50 . 2008-03-03 10:50 347,648 --a------ C:\WINDOWS\system32\RCX59.tmp
2008-03-02 13:03 . 2008-03-02 13:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-02 13:03 . 2008-03-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-03-02 11:34 . 2008-03-02 11:34 347,648 --a------ C:\WINDOWS\system32\RCX58.tmp
2008-03-02 10:16 . 2008-03-03 18:21 2,214 ---hs---- C:\WINDOWS\system32\bcpvybxw.ini
2008-03-02 10:12 . 2008-03-02 10:12 347,648 --a------ C:\WINDOWS\system32\RCX57.tmp
2008-03-02 08:50 . 2008-03-02 08:50 347,648 --a------ C:\WINDOWS\system32\RCX56.tmp
2008-03-01 09:24 . 2008-03-01 09:24 347,648 --a------ C:\WINDOWS\system32\RCX55.tmp
2008-02-29 17:52 . 2008-02-29 17:52 347,648 --a------ C:\WINDOWS\system32\RCX54.tmp
2008-02-22 18:41 . 2008-02-22 18:41 347,648 --a------ C:\WINDOWS\system32\RCX53.tmp
2008-02-22 16:28 . 2008-02-22 16:28 347,648 --a------ C:\WINDOWS\system32\RCX52.tmp
2008-02-22 09:57 . 2008-02-22 09:57 347,648 --a------ C:\WINDOWS\system32\RCX51.tmp
2008-02-20 15:17 . 2008-02-20 15:17 347,648 --a------ C:\WINDOWS\system32\RCX50.tmp
2008-02-16 15:54 . 2008-02-16 15:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Go Go Gourmet
2008-02-16 15:53 . 2008-02-18 19:44 <DIR> d-------- C:\Program Files\MSN Games
2008-02-15 18:53 . 2008-03-02 10:16 1,854 --ahs---- C:\WINDOWS\system32\opryaokh.ini
2008-02-14 18:47 . 2008-02-15 06:18 1,134 --ahs---- C:\WINDOWS\system32\iqliwoar.ini
2008-02-14 16:52 . 2008-02-14 16:52 347,648 --a------ C:\WINDOWS\system32\RCX4F.tmp
2008-02-13 18:51 . 2008-02-14 18:44 1,074 --ahs---- C:\WINDOWS\system32\urcoobkr.ini
2008-02-13 18:48 . 2008-02-13 18:48 834 --ahs---- C:\WINDOWS\system32\cqegrceb.ini
2008-02-13 17:35 . 2008-02-13 17:35 347,648 --a------ C:\WINDOWS\system32\RCX4E.tmp
2008-02-12 19:12 . 2008-02-13 18:45 774 --ahs---- C:\WINDOWS\system32\vdnefvra.ini
2008-02-12 19:00 . 2008-02-12 19:00 534 --ahs---- C:\WINDOWS\system32\inxomwrt.ini
2008-02-12 16:08 . 2008-02-12 16:08 347,648 --a------ C:\WINDOWS\system32\RCX4D.tmp
2008-02-12 13:21 . 2008-02-12 13:21 347,648 --a------ C:\WINDOWS\system32\RCX4C.tmp
2008-02-11 19:04 . 2008-02-12 16:10 474 --ahs---- C:\WINDOWS\system32\foujikli.ini
2008-02-11 17:26 . 2008-02-11 17:26 347,648 --a------ C:\WINDOWS\system32\RCX4B.tmp
2008-02-11 17:18 . 2008-02-11 17:18 347,648 --a------ C:\WINDOWS\system32\RCX4A.tmp
2008-02-11 13:38 . 2008-02-11 13:38 347,648 --a------ C:\WINDOWS\system32\RCX49.tmp
2008-02-10 19:06 . 2008-02-11 17:28 1,134 --ahs---- C:\WINDOWS\system32\fegegsqq.ini
2008-02-10 19:03 . 2008-02-10 19:04 954 --ahs---- C:\WINDOWS\system32\hombuung.ini
2008-02-09 19:09 . 2008-02-09 19:10 894 --ahs---- C:\WINDOWS\system32\ckroadvi.ini
2008-02-09 19:06 . 2008-02-09 19:07 834 --ahs---- C:\WINDOWS\system32\vkqfiqpk.ini
2008-02-08 19:00 . 2008-02-09 19:01 774 --ahs---- C:\WINDOWS\system32\acmyravy.ini
2008-02-08 18:57 . 2008-02-08 18:58 714 --ahs---- C:\WINDOWS\system32\odomdkqc.ini
2008-02-07 19:06 . 2008-02-08 18:55 654 --ahs---- C:\WINDOWS\system32\nyhjpthq.ini
2008-02-07 19:00 . 2008-02-07 19:00 534 --ahs---- C:\WINDOWS\system32\nxavnhmj.ini
2008-02-07 08:49 . 2008-02-07 08:49 347,648 --a------ C:\WINDOWS\system32\RCX48.tmp

.
 
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 20:24 --------- d-----w C:\Program Files\Winamp
2008-03-07 20:24 --------- d-----w C:\Program Files\QuickTime
2008-03-07 20:24 --------- d-----w C:\Program Files\Browser MOUSE
2008-03-07 20:00 57,344 ----a-w C:\WINDOWS\system32\kglyic .exe
2008-03-07 20:00 155,648 ----a-w C:\WINDOWS\system32\igfxtray .exe
2008-03-07 19:29 126,976 ----a-w C:\WINDOWS\system32\hkcmd .exe
2008-03-07 19:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-02 17:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kodak
2008-03-01 16:10 --------- d-----w C:\Program Files\Yahoo!
2008-02-27 14:37 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-23 03:03 --------- d--h--w C:\Documents and Settings\Owner.DARLENE\Application Data\Move Networks
2008-02-06 03:03 347,648 ----a-w C:\WINDOWS\system32\RCX47.tmp
2008-02-06 01:06 90,688 ----a-w C:\WINDOWS\system32\sfwhagtc.dll
2008-02-06 01:00 94,272 ----a-w C:\WINDOWS\system32\jalpfqpv.dll
2008-02-06 00:48 94,272 ----a-w C:\WINDOWS\system32\fcskkkxd.dll
2008-02-05 22:29 347,648 ----a-w C:\WINDOWS\system32\RCX46.tmp
2008-02-05 00:59 93,248 ----a-w C:\WINDOWS\system32\uikgfrcj.dll
2008-02-05 00:44 93,248 ----a-w C:\WINDOWS\system32\ixnngetl.dll
2008-02-04 23:41 347,648 ----a-w C:\WINDOWS\system32\RCX45.tmp
2008-02-04 21:54 347,648 ----a-w C:\WINDOWS\system32\RCX44.tmp
2008-02-02 11:04 96,832 ----a-w C:\WINDOWS\system32\fxesuhby.dll
2008-02-02 10:58 96,832 ----a-w C:\WINDOWS\system32\qominkvv.dll
2008-02-01 12:45 347,648 ----a-w C:\WINDOWS\system32\RCX43.tmp
2008-01-30 12:43 347,648 ----a-w C:\WINDOWS\system32\RCX42.tmp
2008-01-30 12:31 347,648 ----a-w C:\WINDOWS\system32\RCX40.tmp
2008-01-30 03:18 347,648 ----a-w C:\WINDOWS\system32\RCX3F.tmp
2008-01-29 22:50 347,648 ----a-w C:\WINDOWS\system32\RCX3C.tmp
2008-01-29 19:56 347,648 ----a-w C:\WINDOWS\system32\RCX3B.tmp
2008-01-29 12:22 347,648 ----a-w C:\WINDOWS\system32\RCX39.tmp
2008-01-29 03:18 347,648 ----a-w C:\WINDOWS\system32\RCX38.tmp
2008-01-29 01:17 347,648 ----a-w C:\WINDOWS\system32\RCX37.tmp
2008-01-27 14:54 347,648 ----a-w C:\WINDOWS\system32\RCX36.tmp
2008-01-27 04:06 --------- d-----w C:\Documents and Settings\Owner.DARLENE\Application Data\Yahoo!
2008-01-27 04:02 347,648 ----a-w C:\WINDOWS\system32\RCX35.tmp
2008-01-27 03:56 347,648 ----a-w C:\WINDOWS\system32\RCX33.tmp
2008-01-25 14:37 347,648 ----a-w C:\WINDOWS\system32\RCX31.tmp
2008-01-25 12:03 347,648 ----a-w C:\WINDOWS\system32\RCX30.tmp
2008-01-24 02:31 347,648 ----a-w C:\WINDOWS\system32\RCX2F.tmp
2008-01-23 00:04 347,648 ----a-w C:\WINDOWS\system32\RCX2E.tmp
2008-01-19 21:53 347,648 ----a-w C:\WINDOWS\system32\RCX28.tmp
2008-01-17 03:18 --------- d-----w C:\Program Files\Blubster
2008-01-17 02:23 --------- d-----w C:\Program Files\WarRock
2008-01-17 02:22 --------- d-----w C:\Program Files\SopCast
2008-01-17 02:11 347,648 ----a-w C:\WINDOWS\system32\RCX24.tmp
2008-01-17 01:53 --------- d-----w C:\Program Files\Google
2008-01-17 01:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 01:51 --------- d-----w C:\Program Files\ArcSoft
2008-01-17 00:58 --------- d-----w C:\Program Files\Maxis
2008-01-14 12:29 347,648 ----a-w C:\WINDOWS\system32\RCX3E.tmp
2008-01-09 22:54 17,642,616 ----a-w C:\WINDOWS\system32\MRT .exe
2008-01-08 17:32 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\roogpsmidnl.exe
2008-01-08 17:32 --------- d-----w C:\Program Files\Dell AIO Printer A940
2008-01-07 13:38 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\zkpjx .exe
2008-01-07 13:35 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\zkpjx.exe
2008-01-05 19:31 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\lad .exe
2008-01-05 19:29 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\lad.exe
2008-01-05 16:26 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\nqiquaza .exe
2008-01-05 16:24 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\nqiquaza.exe
2008-01-05 13:49 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\huskv .exe
2008-01-05 13:42 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\huskv.exe
2008-01-05 00:03 5,750,021 ----a-w C:\WINDOWS\java\Packages\q17fd3r3.zip
2008-01-04 23:32 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\dgzdvubhxlw .exe
2008-01-04 22:19 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\dgzdvubhxlw.exe
2008-01-04 18:53 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\incvcfl .exe
2008-01-04 17:28 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\incvcfl.exe
2008-01-04 15:19 388,608 ----a-w C:\WINDOWS\mrofinu72.exe
2008-01-04 13:55 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\obop .exe
2008-01-04 13:54 388,608 -c--a-w C:\WINDOWS\mrofinu72.exe.tmp
2008-01-04 13:53 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\obop.exe
2008-01-04 00:50 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\juqko .exe
2008-01-04 00:49 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\juqko.exe
2008-01-04 00:02 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\izrutvmuf .exe
2008-01-04 00:00 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\izrutvmuf.exe
2008-01-03 19:37 19,456 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\eie .exe
2008-01-03 19:35 367,104 ----a-w C:\Documents and Settings\Owner.DARLENE\Application Data\eie.exe
2008-01-03 03:05 19,456 ----a-w C:\bQQT.exe
2008-01-01 22:10 347,648 ----a-w C:\WINDOWS\system32\RCX41.tmp
2007-12-31 03:11 347,648 ----a-w C:\WINDOWS\system32\RCX3A.tmp
2007-12-25 01:33 322,251 ----a-w C:\WINDOWS\java\Packages\p3vj57xf.zip
2007-12-25 01:07 347,648 ----a-w C:\WINDOWS\system32\RCX3D.tmp
2007-12-25 00:44 347,648 ----a-w C:\WINDOWS\system32\RCX34.tmp
2007-12-24 17:46 322,251 ----a-w C:\WINDOWS\java\Packages\z9n1bfxr.zip
2007-12-24 02:04 347,648 ----a-w C:\WINDOWS\system32\RCX27.tmp
2007-12-24 01:58 347,648 ----a-w C:\WINDOWS\system32\RCX2B.tmp
2007-12-24 01:52 347,648 ----a-w C:\WINDOWS\system32\RCX2D.tmp
2007-12-23 15:39 347,648 ----a-w C:\WINDOWS\system32\RCX32.tmp
2007-06-16 23:51 59,856 -c--a-w C:\Documents and Settings\Owner.DARLENE\Application Data\GDIPFONTCACHEV1.DAT
2006-03-29 22:46 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-06-04 15:12 55,244 -c-ha-w C:\Documents and Settings\Owner.DARLENE\Application Data\ptads.bin
2004-08-25 20:08 154,010 ----a-w C:\Program Files\install.exe
2004-07-18 03:55 460,728 -c--a-w C:\WINDOWS\Fonts\SET7FD.tmp
2004-07-18 03:55 383,140 -c--a-w C:\WINDOWS\Fonts\SET7FC.tmp
2004-07-18 03:55 355,436 -c--a-w C:\WINDOWS\Fonts\SET7FB.tmp
2004-07-17 16:39 409,280 -c--a-w C:\WINDOWS\Fonts\SET7FA.tmp
2004-07-17 16:39 398,372 -c--a-w C:\WINDOWS\Fonts\SET7F9.tmp
2004-07-17 16:39 367,112 -c--a-w C:\WINDOWS\Fonts\SET800.tmp
2004-07-17 16:39 352,224 -c--a-w C:\WINDOWS\Fonts\SET7FF.tmp
2004-07-17 16:39 127,596 -c--a-w C:\WINDOWS\Fonts\SET7FE.tmp
2004-06-13 15:09 449 ----a-w C:\Documents and Settings\Owner.DARLENE\UpdateReg.reg
2005-08-02 22:46 187,904 --sha-r C:\WINDOWS\UGVhcmxsaXRhIENyYXdvcmQ\asappsrv.dll
2005-08-02 22:58 293,888 --sha-r C:\WINDOWS\UGVhcmxsaXRhIENyYXdvcmQ\command.exe
2005-07-29 22:24 472 -csha-r C:\WINDOWS\UGVhcmxsaXRhIENyYXdvcmQ\o3p1wAUPurl1KHhVsrxSwAk.vbs
.
Code:
<pre>
----a-w            19,456 2008-01-04 23:32:47  C:\Documents and Settings\Owner.DARLENE\Application Data\dgzdvubhxlw .exe
----a-w            19,456 2008-01-03 19:37:48  C:\Documents and Settings\Owner.DARLENE\Application Data\eie .exe
----a-w            19,456 2008-01-05 13:49:41  C:\Documents and Settings\Owner.DARLENE\Application Data\huskv .exe
----a-w            19,456 2008-01-04 18:53:04  C:\Documents and Settings\Owner.DARLENE\Application Data\incvcfl .exe
----a-w            19,456 2008-01-04 00:02:16  C:\Documents and Settings\Owner.DARLENE\Application Data\izrutvmuf .exe
----a-w            19,456 2008-01-04 00:50:53  C:\Documents and Settings\Owner.DARLENE\Application Data\juqko .exe
----a-w            19,456 2008-01-05 19:31:36  C:\Documents and Settings\Owner.DARLENE\Application Data\lad .exe
----a-w            19,456 2008-01-05 16:26:59  C:\Documents and Settings\Owner.DARLENE\Application Data\nqiquaza .exe
----a-w            19,456 2008-01-04 13:55:37  C:\Documents and Settings\Owner.DARLENE\Application Data\obop .exe
----a-w            19,456 2008-01-07 13:38:03  C:\Documents and Settings\Owner.DARLENE\Application Data\zkpjx .exe
----a-w           360,448 2008-01-21 15:23:52  C:\Program Files\Browser MOUSE\mouse32a .exe
----a-w           180,269 2008-01-04 13:53:41  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            86,102 2008-01-07 13:37:12  C:\Program Files\Dell AIO Printer A940\dlbabmgr .exe
----a-w           657,408 2008-03-07 19:27:54  C:\Program Files\QuickTime\qttask                                                        .exe
----a-w           657,408 2008-03-07 18:13:15  C:\Program Files\QuickTime\qttask                                                       .exe
----a-w           657,408 2008-03-07 11:06:54  C:\Program Files\QuickTime\qttask                                                      .exe
----a-w           657,408 2008-03-07 01:35:16  C:\Program Files\QuickTime\qttask                                                     .exe
----a-w           657,408 2008-03-06 21:50:00  C:\Program Files\QuickTime\qttask                                                    .exe
----a-w           657,408 2008-03-06 12:55:42  C:\Program Files\QuickTime\qttask                                                   .exe
----a-w           657,408 2008-03-06 03:08:57  C:\Program Files\QuickTime\qttask                                                  .exe
----a-w           657,408 2008-03-05 13:15:41  C:\Program Files\QuickTime\qttask                                                 .exe
----a-w           657,408 2008-03-04 22:55:18  C:\Program Files\QuickTime\qttask                                                .exe
----a-w           657,408 2008-03-04 18:31:09  C:\Program Files\QuickTime\qttask                                               .exe
----a-w           657,408 2008-03-04 14:11:29  C:\Program Files\QuickTime\qttask                                              .exe
----a-w           657,408 2008-03-03 17:04:00  C:\Program Files\QuickTime\qttask                                             .exe
----a-w           657,408 2008-03-03 16:50:13  C:\Program Files\QuickTime\qttask                                            .exe
----a-w           657,408 2008-03-03 00:32:57  C:\Program Files\QuickTime\qttask                                           .exe
----a-w           657,408 2008-03-02 22:38:10  C:\Program Files\QuickTime\qttask                                          .exe
----a-w           657,408 2008-03-02 17:34:16  C:\Program Files\QuickTime\qttask                                         .exe
----a-w           657,408 2008-03-02 16:12:04  C:\Program Files\QuickTime\qttask                                        .exe
----a-w           657,408 2008-03-02 16:01:32  C:\Program Files\QuickTime\qttask                                       .exe
----a-w           657,408 2008-03-02 15:37:51  C:\Program Files\QuickTime\qttask                                      .exe
----a-w           657,408 2008-03-02 14:50:23  C:\Program Files\QuickTime\qttask                                     .exe
----a-w           657,408 2008-03-02 13:59:25  C:\Program Files\QuickTime\qttask                                    .exe
----a-w           657,408 2008-03-02 02:45:29  C:\Program Files\QuickTime\qttask                                   .exe
----a-w           657,408 2008-03-02 01:19:09  C:\Program Files\QuickTime\qttask                                  .exe
----a-w           657,408 2008-02-14 22:52:06  C:\Program Files\QuickTime\qttask                                 .exe
----a-w           657,408 2008-02-13 23:35:12  C:\Program Files\QuickTime\qttask                                .exe
----a-w           657,408 2008-02-12 22:08:10  C:\Program Files\QuickTime\qttask                               .exe
----a-w           657,408 2008-02-12 19:21:35  C:\Program Files\QuickTime\qttask                              .exe
----a-w           657,408 2008-02-11 23:26:29  C:\Program Files\QuickTime\qttask                             .exe
----a-w           657,408 2008-02-11 23:18:03  C:\Program Files\QuickTime\qttask                            .exe
----a-w           657,408 2008-02-11 19:38:22  C:\Program Files\QuickTime\qttask                           .exe
----a-w           657,408 2008-02-07 14:49:55  C:\Program Files\QuickTime\qttask                          .exe
----a-w           657,408 2008-02-06 03:03:15  C:\Program Files\QuickTime\qttask                         .exe
----a-w           657,408 2008-02-05 22:29:43  C:\Program Files\QuickTime\qttask                        .exe
----a-w           657,408 2008-02-05 13:06:52  C:\Program Files\QuickTime\qttask                       .exe
----a-w           657,408 2008-02-04 23:41:03  C:\Program Files\QuickTime\qttask                      .exe
----a-w           657,408 2008-02-04 21:53:56  C:\Program Files\QuickTime\qttask                     .exe
----a-w           657,408 2008-02-02 17:23:09  C:\Program Files\QuickTime\qttask                    .exe
----a-w           657,408 2008-02-01 12:45:19  C:\Program Files\QuickTime\qttask                   .exe
----a-w           657,408 2008-01-30 22:54:42  C:\Program Files\QuickTime\qttask                  .exe
----a-w           657,408 2008-01-30 12:43:02  C:\Program Files\QuickTime\qttask                 .exe
----a-w           657,408 2008-01-30 12:31:07  C:\Program Files\QuickTime\qttask                .exe
----a-w           657,408 2008-01-30 03:18:30  C:\Program Files\QuickTime\qttask               .exe
----a-w           657,408 2008-01-29 22:50:24  C:\Program Files\QuickTime\qttask              .exe
----a-w           657,408 2008-01-29 21:06:45  C:\Program Files\QuickTime\qttask             .exe
----a-w           657,408 2008-01-29 19:56:17  C:\Program Files\QuickTime\qttask            .exe
----a-w           657,408 2008-01-29 12:22:30  C:\Program Files\QuickTime\qttask           .exe
----a-w           657,408 2008-01-29 03:18:30  C:\Program Files\QuickTime\qttask          .exe
----a-w           657,408 2008-01-29 01:17:31  C:\Program Files\QuickTime\qttask         .exe
----a-w           657,408 2008-01-27 15:01:06  C:\Program Files\QuickTime\qttask        .exe
----a-w           657,408 2008-01-27 14:54:30  C:\Program Files\QuickTime\qttask       .exe
----a-w           657,408 2008-01-27 04:02:34  C:\Program Files\QuickTime\qttask      .exe
----a-w           657,408 2008-01-27 03:56:22  C:\Program Files\QuickTime\qttask     .exe
----a-w           657,408 2008-01-27 00:41:38  C:\Program Files\QuickTime\qttask    .exe
----a-w           657,408 2008-01-26 17:24:16  C:\Program Files\QuickTime\qttask   .exe
----a-w           657,408 2008-01-25 14:37:54  C:\Program Files\QuickTime\qttask  .exe
----a-w           657,408 2008-01-25 12:03:41  C:\Program Files\QuickTime\qttask .exe
----a-w         1,460,560 2008-01-05 13:50:09  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w         3,073,536 2008-01-05 19:07:29  C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w            36,352 2008-01-14 12:30:19  C:\Program Files\Winamp\winampa .exe
----a-w           129,536 2008-01-14 01:12:31  C:\Program Files\Yahoo!\browser\ybrwicon .exe
----a-w         4,670,704 2008-02-05 22:31:40  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w         4,670,704 2008-02-16 19:30:32  C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w           407,032 2007-12-28 18:35:32  C:\Program Files\Yahoo!\YOP\yop .exe
----a-w           126,976 2008-03-07 19:29:10  C:\WINDOWS\system32\hkcmd .exe
----a-w           155,648 2008-03-07 20:00:19  C:\WINDOWS\system32\igfxtray .exe
----a-w            57,344 2008-03-07 20:00:23  C:\WINDOWS\system32\kglyic .exe
----a-w        17,642,616 2008-01-09 22:54:08  C:\WINDOWS\system32\MRT .exe
</pre>


------- Sigcheck -------

4b446fb004dcf499fa4e3a7f33f99c23 C:\WINDOWS\explorer.exe
----a-w 1,004,544 2002-09-03 17:05:32 C:\WINDOWS\explorer.exe
----a-w 1,032,192 2004-08-04 07:56:49 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
----a-w 1,032,192 2004-08-04 07:56:49 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\explorer.exe
------w 1,004,544 2002-09-03 17:05:32 C:\WINDOWS\system32\dllcache\explorer.exe
.
-- Snapshot reset to current date --
.
 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0acc253b.exe"="C:\Documents and Settings\Owner.DARLENE\Local Settings\Application Data\0acc253b.exe" [ ]
"Nrowykj"="C:\WINDOWS\system32\?ecurity\tracert.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"Meu"="C:\Program Files\Common Files\W?nSxS\attrib.exe" [ ]
"Btx"="C:\WINDOWS\system32\W?nSxS\regedit.exe" [ ]
"Mgqcz"="C:\Program Files\?racle\rundll.exe" [ ]
"Rsrsd"="C:\Program Files\Common Files\?dobe\dvdplay.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"rxhtnn"="c:\windows\system32\eujjzpl.exe" [ ]
"Dinst"=" " []
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser MOUSE\mouse32a.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [ ]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [ ]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"PC Pitstop Optimize2 Reminder"="C:\Program Files\PCPitstop\Optimize2\Reminder.exe" [ ]
"kglyic"="C:\WINDOWS\System32\kglyic.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msvcrt52.dll"= {34C03273-4E9A-4E50-8B6D-E61A49E219B3} - msvcrt52.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2LRX2W83X2T3MQ]
C:\WINDOWS\System32\Sovr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5RN8BX92BPHBEQ]
C:\WINDOWS\SYSTEM32\SNUR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98D0CE0C16B1]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bakra]
C:\WINDOWS\System32\IEHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-02-10 21:32 473920 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-26 10:36 657408 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rzjntgk]
c:\windows\system32\jagavyh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-04-19 10:06 102400 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"C:\\WINDOWS\\Explorer.EXE"=

S2 Ca504av;Dual Mode Digital Camera(Video);C:\WINDOWS\System32\Drivers\Ca504av.sys []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\System32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 USBCamera;Dual Mode Digital Camera(Still);C:\WINDOWS\System32\Drivers\Bulk504.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-02 17:55:06 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\System32\rundll32.exepC:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 14:29:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 56320 bytes executable
C:\WINDOWS\system32\comctl32.dll:_rc_db_sec_obj 203264 bytes executable
C:\WINDOWS\system32\_003405_.tmp.dll:_rc_db_5.1.2600 56320 bytes executable
C:\WINDOWS\system32\_003405_.tmp.dll:_rc_db_sec_obj 203264 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-07 14:35:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-07 20:35:30
.
2008-03-07 01:39:36 --- E O F ---
 
Hi

Wow a lot of stuff there :spider:

You didn't post a fresh HijackThis log.

Please post it after step below.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
RenV::
----a-w           360,448 2008-01-21 15:23:52  C:\Program Files\Browser MOUSE\mouse32a .exe
----a-w           180,269 2008-01-04 13:53:41  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            86,102 2008-01-07 13:37:12  C:\Program Files\Dell AIO Printer A940\dlbabmgr .exe
----a-w           657,408 2008-03-07 19:27:54  C:\Program Files\QuickTime\qttask                                                        .exe
----a-w           657,408 2008-03-07 18:13:15  C:\Program Files\QuickTime\qttask                                                       .exe
----a-w           657,408 2008-03-07 11:06:54  C:\Program Files\QuickTime\qttask                                                      .exe
----a-w           657,408 2008-03-07 01:35:16  C:\Program Files\QuickTime\qttask                                                     .exe
----a-w           657,408 2008-03-06 21:50:00  C:\Program Files\QuickTime\qttask                                                    .exe
----a-w           657,408 2008-03-06 12:55:42  C:\Program Files\QuickTime\qttask                                                   .exe
----a-w           657,408 2008-03-06 03:08:57  C:\Program Files\QuickTime\qttask                                                  .exe
----a-w           657,408 2008-03-05 13:15:41  C:\Program Files\QuickTime\qttask                                                 .exe
----a-w           657,408 2008-03-04 22:55:18  C:\Program Files\QuickTime\qttask                                                .exe
----a-w           657,408 2008-03-04 18:31:09  C:\Program Files\QuickTime\qttask                                               .exe
----a-w           657,408 2008-03-04 14:11:29  C:\Program Files\QuickTime\qttask                                              .exe
----a-w           657,408 2008-03-03 17:04:00  C:\Program Files\QuickTime\qttask                                             .exe
----a-w           657,408 2008-03-03 16:50:13  C:\Program Files\QuickTime\qttask                                            .exe
----a-w           657,408 2008-03-03 00:32:57  C:\Program Files\QuickTime\qttask                                           .exe
----a-w           657,408 2008-03-02 22:38:10  C:\Program Files\QuickTime\qttask                                          .exe
----a-w           657,408 2008-03-02 17:34:16  C:\Program Files\QuickTime\qttask                                         .exe
----a-w           657,408 2008-03-02 16:12:04  C:\Program Files\QuickTime\qttask                                        .exe
----a-w           657,408 2008-03-02 16:01:32  C:\Program Files\QuickTime\qttask                                       .exe
----a-w           657,408 2008-03-02 15:37:51  C:\Program Files\QuickTime\qttask                                      .exe
----a-w           657,408 2008-03-02 14:50:23  C:\Program Files\QuickTime\qttask                                     .exe
----a-w           657,408 2008-03-02 13:59:25  C:\Program Files\QuickTime\qttask                                    .exe
----a-w           657,408 2008-03-02 02:45:29  C:\Program Files\QuickTime\qttask                                   .exe
----a-w           657,408 2008-03-02 01:19:09  C:\Program Files\QuickTime\qttask                                  .exe
----a-w           657,408 2008-02-14 22:52:06  C:\Program Files\QuickTime\qttask                                 .exe
----a-w           657,408 2008-02-13 23:35:12  C:\Program Files\QuickTime\qttask                                .exe
----a-w           657,408 2008-02-12 22:08:10  C:\Program Files\QuickTime\qttask                               .exe
----a-w           657,408 2008-02-12 19:21:35  C:\Program Files\QuickTime\qttask                              .exe
----a-w           657,408 2008-02-11 23:26:29  C:\Program Files\QuickTime\qttask                             .exe
----a-w           657,408 2008-02-11 23:18:03  C:\Program Files\QuickTime\qttask                            .exe
----a-w           657,408 2008-02-11 19:38:22  C:\Program Files\QuickTime\qttask                           .exe
----a-w           657,408 2008-02-07 14:49:55  C:\Program Files\QuickTime\qttask                          .exe
----a-w           657,408 2008-02-06 03:03:15  C:\Program Files\QuickTime\qttask                         .exe
----a-w           657,408 2008-02-05 22:29:43  C:\Program Files\QuickTime\qttask                        .exe
----a-w           657,408 2008-02-05 13:06:52  C:\Program Files\QuickTime\qttask                       .exe
----a-w           657,408 2008-02-04 23:41:03  C:\Program Files\QuickTime\qttask                      .exe
----a-w           657,408 2008-02-04 21:53:56  C:\Program Files\QuickTime\qttask                     .exe
----a-w           657,408 2008-02-02 17:23:09  C:\Program Files\QuickTime\qttask                    .exe
----a-w           657,408 2008-02-01 12:45:19  C:\Program Files\QuickTime\qttask                   .exe
----a-w           657,408 2008-01-30 22:54:42  C:\Program Files\QuickTime\qttask                  .exe
----a-w           657,408 2008-01-30 12:43:02  C:\Program Files\QuickTime\qttask                 .exe
----a-w           657,408 2008-01-30 12:31:07  C:\Program Files\QuickTime\qttask                .exe
----a-w           657,408 2008-01-30 03:18:30  C:\Program Files\QuickTime\qttask               .exe
----a-w           657,408 2008-01-29 22:50:24  C:\Program Files\QuickTime\qttask              .exe
----a-w           657,408 2008-01-29 21:06:45  C:\Program Files\QuickTime\qttask             .exe
----a-w           657,408 2008-01-29 19:56:17  C:\Program Files\QuickTime\qttask            .exe
----a-w           657,408 2008-01-29 12:22:30  C:\Program Files\QuickTime\qttask           .exe
----a-w           657,408 2008-01-29 03:18:30  C:\Program Files\QuickTime\qttask          .exe
----a-w           657,408 2008-01-29 01:17:31  C:\Program Files\QuickTime\qttask         .exe
----a-w           657,408 2008-01-27 15:01:06  C:\Program Files\QuickTime\qttask        .exe
----a-w           657,408 2008-01-27 14:54:30  C:\Program Files\QuickTime\qttask       .exe
----a-w           657,408 2008-01-27 04:02:34  C:\Program Files\QuickTime\qttask      .exe
----a-w           657,408 2008-01-27 03:56:22  C:\Program Files\QuickTime\qttask     .exe
----a-w           657,408 2008-01-27 00:41:38  C:\Program Files\QuickTime\qttask    .exe
----a-w           657,408 2008-01-26 17:24:16  C:\Program Files\QuickTime\qttask   .exe
----a-w           657,408 2008-01-25 14:37:54  C:\Program Files\QuickTime\qttask  .exe
----a-w           657,408 2008-01-25 12:03:41  C:\Program Files\QuickTime\qttask .exe
----a-w         1,460,560 2008-01-05 13:50:09  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w         3,073,536 2008-01-05 19:07:29  C:\Program Files\Webroot\Spy Sweeper\SpySweeper .exe
----a-w            36,352 2008-01-14 12:30:19  C:\Program Files\Winamp\winampa .exe
----a-w           129,536 2008-01-14 01:12:31  C:\Program Files\Yahoo!\browser\ybrwicon .exe
----a-w         4,670,704 2008-02-05 22:31:40  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w         4,670,704 2008-02-16 19:30:32  C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w           407,032 2007-12-28 18:35:32  C:\Program Files\Yahoo!\YOP\yop .exe
----a-w           126,976 2008-03-07 19:29:10  C:\WINDOWS\system32\hkcmd .exe
----a-w           155,648 2008-03-07 20:00:19  C:\WINDOWS\system32\igfxtray .exe
----a-w        17,642,616 2008-01-09 22:54:08  C:\WINDOWS\system32\MRT .exe

File::
C:\Documents and Settings\Owner.DARLENE\Application Data\dgzdvubhxlw .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\eie .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\huskv .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\incvcfl .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\izrutvmuf .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\juqko .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\lad .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\nqiquaza .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\obop .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\zkpjx .exe
C:\WINDOWS\system32\kglyic .exe
C:\WINDOWS\system32\RCX65.tmp
C:\WINDOWS\system32\RCX64.tmp
C:\WINDOWS\system32\RCX63.tmp
C:\WINDOWS\system32\RCX62.tmp
C:\WINDOWS\system32\RCX61.tmp
C:\WINDOWS\system32\RCX60.tmp
C:\WINDOWS\system32\RCX5F.tmp
C:\WINDOWS\system32\xjlfcodc.ini
C:\WINDOWS\system32\gtbthovi.ini
C:\WINDOWS\system32\RCX5E.tmp
C:\WINDOWS\system32\RCX5D.tmp
C:\WINDOWS\system32\RCX5C.tmp
C:\WINDOWS\system32\kelvnfpo.ini
C:\WINDOWS\system32\RCX5B.tmp
C:\WINDOWS\system32\RCX5A.tmp
C:\WINDOWS\system32\ctvbsqcd.ini
C:\WINDOWS\system32\RCX59.tmp
C:\WINDOWS\system32\RCX58.tmp
C:\WINDOWS\system32\bcpvybxw.ini
C:\WINDOWS\system32\RCX57.tmp
C:\WINDOWS\system32\RCX56.tmp
C:\WINDOWS\system32\RCX55.tmp
C:\WINDOWS\system32\RCX54.tmp
C:\WINDOWS\system32\RCX53.tmp
C:\WINDOWS\system32\RCX52.tmp
C:\WINDOWS\system32\RCX51.tmp
C:\WINDOWS\system32\RCX50.tmp
C:\WINDOWS\system32\opryaokh.ini
C:\WINDOWS\system32\iqliwoar.ini
C:\WINDOWS\system32\RCX4F.tmp
C:\WINDOWS\system32\urcoobkr.ini
C:\WINDOWS\system32\cqegrceb.ini
C:\WINDOWS\system32\RCX4E.tmp
C:\WINDOWS\system32\vdnefvra.ini
C:\WINDOWS\system32\inxomwrt.ini
C:\WINDOWS\system32\RCX4D.tmp
C:\WINDOWS\system32\RCX4C.tmp
C:\WINDOWS\system32\foujikli.ini
C:\WINDOWS\system32\RCX4B.tmp
C:\WINDOWS\system32\RCX4A.tmp
C:\WINDOWS\system32\RCX49.tmp
C:\WINDOWS\system32\fegegsqq.ini
C:\WINDOWS\system32\hombuung.ini
C:\WINDOWS\system32\ckroadvi.ini
C:\WINDOWS\system32\vkqfiqpk.ini
C:\WINDOWS\system32\acmyravy.ini
C:\WINDOWS\system32\odomdkqc.ini
C:\WINDOWS\system32\nyhjpthq.ini
C:\WINDOWS\system32\nxavnhmj.ini
C:\WINDOWS\system32\RCX48.tmp
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\sfwhagtc.dll
C:\WINDOWS\system32\jalpfqpv.dll
C:\WINDOWS\system32\fcskkkxd.dll
C:\WINDOWS\system32\RCX46.tmp
C:\WINDOWS\system32\uikgfrcj.dll
C:\WINDOWS\system32\ixnngetl.dll
C:\WINDOWS\system32\RCX45.tmp
C:\WINDOWS\system32\RCX44.tmp
C:\WINDOWS\system32\fxesuhby.dll
C:\WINDOWS\system32\qominkvv.dll
C:\WINDOWS\system32\RCX43.tmp
C:\WINDOWS\system32\RCX42.tmp
C:\WINDOWS\system32\RCX40.tmp
C:\WINDOWS\system32\RCX3F.tmp
C:\WINDOWS\system32\RCX3C.tmp
C:\WINDOWS\system32\RCX3B.tmp
C:\WINDOWS\system32\RCX39.tmp
C:\WINDOWS\system32\RCX37.tmp
C:\WINDOWS\system32\RCX36.tmp
C:\WINDOWS\system32\RCX35.tmp
C:\WINDOWS\system32\RCX33.tmp
C:\WINDOWS\system32\RCX31.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\WINDOWS\system32\RCX2F.tmp
C:\WINDOWS\system32\RCX2E.tmp
C:\WINDOWS\system32\RCX28.tmp
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX3E.tmp
C:\Documents and Settings\Owner.DARLENE\Application Data\roogpsmidnl.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\zkpjx .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\zkpjx.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\lad .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\lad.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\nqiquaza .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\nqiquaza.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\huskv .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\huskv.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\dgzdvubhxlw .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\dgzdvubhxlw.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\incvcfl .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\incvcfl.exe
C:\WINDOWS\mrofinu72.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\obop .exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\Documents and Settings\Owner.DARLENE\Application Data\obop.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\juqko .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\juqko.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\izrutvmuf .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\izrutvmuf.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\eie .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\eie.exe
C:\bQQT.exe
C:\WINDOWS\system32\RCX41.tmp
C:\WINDOWS\system32\RCX3A.tmp
C:\WINDOWS\system32\RCX3D.tmp
C:\WINDOWS\system32\RCX34.tmp
C:\WINDOWS\system32\RCX27.tmp
C:\WINDOWS\system32\RCX2B.tmp
C:\WINDOWS\system32\RCX2D.tmp
C:\WINDOWS\system32\RCX32.tmp
C:\WINDOWS\Fonts\SET7FD.tmp
C:\WINDOWS\Fonts\SET7FC.tmp
C:\WINDOWS\Fonts\SET7FB.tmp
C:\WINDOWS\Fonts\SET7FA.tmp
C:\WINDOWS\Fonts\SET7F9.tmp
C:\WINDOWS\Fonts\SET800.tmp
C:\WINDOWS\Fonts\SET7FF.tmp

Folder::
C:\WINDOWS\UGVhcmxsaXRhIENyYXdvcmQ

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0acc253b.exe"=-
"Nrowykj"=-
"Router"=-
"Meu"=-
"Btx"=-
"Mgqcz"=-
"Rsrsd"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rxhtnn"=-
"kglyic"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msvcrt52.dll"=- 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rzjntgk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2LRX2W83X2T3MQ]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5RN8BX92BPHBEQ]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98D0CE0C16B1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bakra]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
ComboFix 08-03-07.1 - Owner 2008-03-08 9:31:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.68 [GMT -6:00]
Running from: C:\Documents and Settings\Owner.DARLENE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.DARLENE\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bQQT.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\dgzdvubhxlw .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\dgzdvubhxlw.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\eie .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\eie.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\huskv .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\huskv.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\incvcfl .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\incvcfl.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\izrutvmuf .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\izrutvmuf.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\juqko .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\juqko.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\lad .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\lad.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\nqiquaza .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\nqiquaza.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\obop .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\obop.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\roogpsmidnl.exe
C:\Documents and Settings\Owner.DARLENE\Application Data\zkpjx .exe
C:\Documents and Settings\Owner.DARLENE\Application Data\zkpjx.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\Fonts\SET7F9.tmp
C:\WINDOWS\Fonts\SET7FA.tmp
C:\WINDOWS\Fonts\SET7FB.tmp
C:\WINDOWS\Fonts\SET7FC.tmp
C:\WINDOWS\Fonts\SET7FD.tmp
C:\WINDOWS\Fonts\SET7FF.tmp
C:\WINDOWS\Fonts\SET800.tmp
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\system32\_003196_.tmp.dll
C:\WINDOWS\system32\_003221_.tmp.dll
C:\WINDOWS\system32\_003341_.tmp.dll
C:\WINDOWS\system32\_003342_.tmp.dll
C:\WINDOWS\system32\_003343_.tmp.dll
C:\WINDOWS\system32\_003344_.tmp.dll
C:\WINDOWS\system32\_003349_.tmp.dll
C:\WINDOWS\system32\_003350_.tmp.dll
C:\WINDOWS\system32\_003351_.tmp.dll
C:\WINDOWS\system32\_003352_.tmp.dll
C:\WINDOWS\system32\_003357_.tmp.dll
C:\WINDOWS\system32\_003358_.tmp.dll
C:\WINDOWS\system32\_003359_.tmp.dll
C:\WINDOWS\system32\_003360_.tmp.dll
C:\WINDOWS\system32\_003367_.tmp.dll
C:\WINDOWS\system32\_003368_.tmp.dll
C:\WINDOWS\system32\_003369_.tmp.dll
C:\WINDOWS\system32\_003370_.tmp.dll
C:\WINDOWS\system32\_003371_.tmp.dll
C:\WINDOWS\system32\_003374_.tmp.dll
C:\WINDOWS\system32\_003375_.tmp.dll
C:\WINDOWS\system32\_003377_.tmp.dll
C:\WINDOWS\system32\_003378_.tmp.dll
C:\WINDOWS\system32\_003379_.tmp.dll
C:\WINDOWS\system32\_003381_.tmp.dll
C:\WINDOWS\system32\_003382_.tmp.dll
C:\WINDOWS\system32\_003384_.tmp.dll
C:\WINDOWS\system32\_003388_.tmp.dll
C:\WINDOWS\system32\_003389_.tmp.dll
C:\WINDOWS\system32\_003391_.tmp.dll
C:\WINDOWS\system32\_003392_.tmp.dll
C:\WINDOWS\system32\_003394_.tmp.dll
C:\WINDOWS\system32\_003396_.tmp.dll
C:\WINDOWS\system32\_003397_.tmp.dll
C:\WINDOWS\system32\_003398_.tmp.dll
C:\WINDOWS\system32\_003399_.tmp.dll
C:\WINDOWS\system32\_003401_.tmp.dll
C:\WINDOWS\system32\_003403_.tmp.dll
C:\WINDOWS\system32\_003404_.tmp.dll
C:\WINDOWS\system32\_003405_.tmp.dll
C:\WINDOWS\system32\_003409_.tmp.dll
C:\WINDOWS\system32\_003410_.tmp.dll
C:\WINDOWS\system32\_003412_.tmp.dll
C:\WINDOWS\system32\_003413_.tmp.dll
C:\WINDOWS\system32\_003414_.tmp.dll
C:\WINDOWS\system32\_003415_.tmp.dll
C:\WINDOWS\system32\_003417_.tmp.dll
C:\WINDOWS\system32\_003419_.tmp.dll
C:\WINDOWS\system32\_003420_.tmp.dll
C:\WINDOWS\system32\_003421_.tmp.dll
C:\WINDOWS\system32\_003425_.tmp.dll
C:\WINDOWS\system32\_003539_.tmp.dll
C:\WINDOWS\system32\_003543_.tmp.dll
C:\WINDOWS\system32\_003549_.tmp.dll
C:\WINDOWS\system32\_003577_.tmp.dll
C:\WINDOWS\system32\_003583_.tmp.dll
C:\WINDOWS\system32\_003707_.tmp.dll
C:\WINDOWS\system32\_003708_.tmp.dll
C:\WINDOWS\system32\_003709_.tmp.dll
C:\WINDOWS\system32\_003710_.tmp.dll
C:\WINDOWS\system32\_003712_.tmp.dll
C:\WINDOWS\system32\_003713_.tmp.dll
C:\WINDOWS\system32\_003714_.tmp.dll
C:\WINDOWS\system32\_003715_.tmp.dll
C:\WINDOWS\system32\_003722_.tmp.dll
C:\WINDOWS\system32\_003723_.tmp.dll
C:\WINDOWS\system32\_003724_.tmp.dll
C:\WINDOWS\system32\_003726_.tmp.dll
C:\WINDOWS\system32\_003727_.tmp.dll
C:\WINDOWS\system32\_003730_.tmp.dll
C:\WINDOWS\system32\_003731_.tmp.dll
C:\WINDOWS\system32\_003733_.tmp.dll
C:\WINDOWS\system32\_003734_.tmp.dll
C:\WINDOWS\system32\_003735_.tmp.dll
C:\WINDOWS\system32\_003737_.tmp.dll
C:\WINDOWS\system32\_003738_.tmp.dll
C:\WINDOWS\system32\_003740_.tmp.dll
C:\WINDOWS\system32\_003744_.tmp.dll
C:\WINDOWS\system32\_003745_.tmp.dll
C:\WINDOWS\system32\_003747_.tmp.dll
C:\WINDOWS\system32\_003748_.tmp.dll
C:\WINDOWS\system32\_003749_.tmp.dll
C:\WINDOWS\system32\_003750_.tmp.dll
C:\WINDOWS\system32\_003757_.tmp.dll
C:\WINDOWS\system32\_003758_.tmp.dll
C:\WINDOWS\system32\_003759_.tmp.dll
C:\WINDOWS\system32\_003761_.tmp.dll
C:\WINDOWS\system32\_003762_.tmp.dll
C:\WINDOWS\system32\_003763_.tmp.dll
C:\WINDOWS\system32\_003764_.tmp.dll
C:\WINDOWS\system32\_003771_.tmp.dll
C:\WINDOWS\system32\_003772_.tmp.dll
C:\WINDOWS\system32\_003773_.tmp.dll
C:\WINDOWS\system32\_003775_.tmp.dll
C:\WINDOWS\system32\_003776_.tmp.dll
C:\WINDOWS\system32\_003779_.tmp.dll
C:\WINDOWS\system32\_003780_.tmp.dll
C:\WINDOWS\system32\_003782_.tmp.dll
C:\WINDOWS\system32\_003783_.tmp.dll
C:\WINDOWS\system32\_003784_.tmp.dll
C:\WINDOWS\system32\_003786_.tmp.dll
C:\WINDOWS\system32\_003787_.tmp.dll
C:\WINDOWS\system32\_003789_.tmp.dll
C:\WINDOWS\system32\_003793_.tmp.dll
C:\WINDOWS\system32\_003794_.tmp.dll
C:\WINDOWS\system32\_003796_.tmp.dll
C:\WINDOWS\system32\_003799_.tmp.dll
C:\WINDOWS\system32\_003801_.tmp.dll
C:\WINDOWS\system32\_003802_.tmp.dll
C:\WINDOWS\system32\_003803_.tmp.dll
C:\WINDOWS\system32\_003804_.tmp.dll
C:\WINDOWS\system32\_003807_.tmp.dll
C:\WINDOWS\system32\_003809_.tmp.dll
C:\WINDOWS\system32\_003810_.tmp.dll
C:\WINDOWS\system32\_003811_.tmp.dll
C:\WINDOWS\system32\_003815_.tmp.dll
C:\WINDOWS\system32\_003817_.tmp.dll
C:\WINDOWS\system32\acmyravy.ini
C:\WINDOWS\system32\bcpvybxw.ini
C:\WINDOWS\system32\ckroadvi.ini
C:\WINDOWS\system32\cqegrceb.ini
C:\WINDOWS\system32\ctvbsqcd.ini
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\fcskkkxd.dll
C:\WINDOWS\system32\fegegsqq.ini
C:\WINDOWS\system32\foujikli.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-03 20:08 . 2008-03-03 20:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-03 18:47 . 2008-03-07 15:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 18:47 . 2008-03-03 18:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-02 13:03 . 2008-03-02 13:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-02 13:03 . 2008-03-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-02-16 15:54 . 2008-02-16 15:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Go Go Gourmet
2008-02-16 15:53 . 2008-02-18 19:44 <DIR> d-------- C:\Program Files\MSN Games

.
 
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 15:38 --------- d-----w C:\Program Files\Browser MOUSE
2008-03-08 15:30 --------- d-----w C:\Program Files\Winamp
2008-03-08 15:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-08 15:30 --------- d-----w C:\Program Files\QuickTime
2008-03-08 15:29 --------- d-----w C:\Program Files\Dell AIO Printer A940
2008-03-02 17:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kodak
2008-03-01 16:10 --------- d-----w C:\Program Files\Yahoo!
2008-02-27 14:37 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-23 03:03 --------- d--h--w C:\Documents and Settings\Owner.DARLENE\Application Data\Move Networks
2008-01-27 04:06 --------- d-----w C:\Documents and Settings\Owner.DARLENE\Application Data\Yahoo!
2008-01-17 03:18 --------- d-----w C:\Program Files\Blubster
2008-01-17 02:23 --------- d-----w C:\Program Files\WarRock
2008-01-17 02:22 --------- d-----w C:\Program Files\SopCast
2008-01-17 01:53 --------- d-----w C:\Program Files\Google
2008-01-17 01:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 01:51 --------- d-----w C:\Program Files\ArcSoft
2008-01-17 00:58 --------- d-----w C:\Program Files\Maxis
2007-06-16 23:51 59,856 -c--a-w C:\Documents and Settings\Owner.DARLENE\Application Data\GDIPFONTCACHEV1.DAT
2006-03-29 22:46 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-06-04 15:12 55,244 -c-ha-w C:\Documents and Settings\Owner.DARLENE\Application Data\ptads.bin
2004-08-25 20:08 154,010 ----a-w C:\Program Files\install.exe
2004-06-13 15:09 449 ----a-w C:\Documents and Settings\Owner.DARLENE\UpdateReg.reg
.
Code:
----a-w           657,408 2008-03-08 15:01:47  C:\Program Files\QuickTime\qttask  .exe
----a-w           657,408 2008-03-08 01:24:58  C:\Program Files\QuickTime\qttask .exe


------- Sigcheck -------

4b446fb004dcf499fa4e3a7f33f99c23 C:\WINDOWS\explorer.exe
----a-w 1,004,544 2002-09-03 17:05:32 C:\WINDOWS\explorer.exe
----a-w 1,032,192 2004-08-04 07:56:49 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
----a-w 1,032,192 2004-08-04 07:56:49 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\explorer.exe
------w 1,004,544 2002-09-03 17:05:32 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Dinst"=" " []
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser MOUSE\mouse32a.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [ ]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [ ]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2008-01-07 07:37 86102]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-14 06:30 36352]
"PC Pitstop Optimize2 Reminder"="C:\Program Files\PCPitstop\Optimize2\Reminder.exe" [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
--a------ 2008-01-07 07:37 86102 C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-02-10 21:32 473920 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-08 09:01 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-04-19 10:06 102400 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"C:\\WINDOWS\\Explorer.EXE"= C:\\WINDOWS\\explorer.exe

S2 Ca504av;Dual Mode Digital Camera(Video);C:\WINDOWS\System32\Drivers\Ca504av.sys []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\System32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 USBCamera;Dual Mode Digital Camera(Still);C:\WINDOWS\System32\Drivers\Bulk504.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-02 17:55:06 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\System32\rundll32.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 09:46:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 56320 bytes executable
C:\WINDOWS\system32\comctl32.dll:_rc_db_sec_obj 203264 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-03-08 9:52:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 15:52:10
ComboFix2.txt 2008-03-07 20:35:47
.
2008-03-07 23:04:33 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:21 AM, on 3/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\pearllita.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://agoga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dinst]
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
O16 - DPF: {691A317B-85E9-666F-4CCC-5FC46C7DFB1C} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Clorox/Coupons.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://sympatico.zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC005DA7-13DB-440C-B90A-667CD9C225B7}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8555 bytes
 
Hi

You may need to re-install some startup programs as restore step wasn't complete.

Does SpySweeper also have antivirus?

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
----a-w           657,408 2008-03-08 15:01:47  C:\Program Files\QuickTime\qttask  .exe
----a-w           657,408 2008-03-08 01:24:58  C:\Program Files\QuickTime\qttask .exe

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Startup seems to be running normal.
Spysweeper is not actually installed on our computer, but we seem unable to get rid of the icon. :)
We do not normally use the Internet Explorer Browser, but access the internet through sbcglobal (AT&T) (our provider). There is an anti-spy device installed through our provider. We DID have Norton anti-virus installed through our browser as well. Back in December or January, it was down for a couple of weeks while doing updates. As you can imagine, this is when our computer started acting "funny". When their service was supposed to be back up, we could no longer access it. It said that it was not found on the computer. When we try to re-install it, it says there's not enough memory on the computer. :buried:

Here are the logs you requested. Thank you so much for your help.

ComboFix 08-03-07.1 - Owner 2008-03-08 10:55:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.55 [GMT -6:00]
Running from: C:\Documents and Settings\Owner.DARLENE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.DARLENE\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
----a-w 657,408 2008-03-08 15:01:47 C:\Program Files\QuickTime\qttask .exe
.

((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-03 20:08 . 2008-03-03 20:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-03 18:47 . 2008-03-07 15:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 18:47 . 2008-03-03 18:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-02 13:03 . 2008-03-02 13:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-02 13:03 . 2008-03-02 13:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-02-16 15:54 . 2008-02-16 15:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Go Go Gourmet
2008-02-16 15:53 . 2008-02-18 19:44 <DIR> d-------- C:\Program Files\MSN Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 15:38 --------- d-----w C:\Program Files\Browser MOUSE
2008-03-08 15:30 --------- d-----w C:\Program Files\Winamp
2008-03-08 15:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-08 15:30 --------- d-----w C:\Program Files\QuickTime
2008-03-08 15:29 --------- d-----w C:\Program Files\Dell AIO Printer A940
2008-03-02 17:58 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kodak
2008-03-01 16:10 --------- d-----w C:\Program Files\Yahoo!
2008-02-27 14:37 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-02-23 03:03 --------- d--h--w C:\Documents and Settings\Owner.DARLENE\Application Data\Move Networks
2008-01-27 04:06 --------- d-----w C:\Documents and Settings\Owner.DARLENE\Application Data\Yahoo!
2008-01-17 03:18 --------- d-----w C:\Program Files\Blubster
2008-01-17 02:23 --------- d-----w C:\Program Files\WarRock
2008-01-17 02:22 --------- d-----w C:\Program Files\SopCast
2008-01-17 01:53 --------- d-----w C:\Program Files\Google
2008-01-17 01:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 01:51 --------- d-----w C:\Program Files\ArcSoft
2008-01-17 00:58 --------- d-----w C:\Program Files\Maxis
2007-06-16 23:51 59,856 -c--a-w C:\Documents and Settings\Owner.DARLENE\Application Data\GDIPFONTCACHEV1.DAT
2006-03-29 22:46 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-06-04 15:12 55,244 -c-ha-w C:\Documents and Settings\Owner.DARLENE\Application Data\ptads.bin
2004-08-25 20:08 154,010 ----a-w C:\Program Files\install.exe
2004-07-17 18:39 409,280 -c--a-w C:\WINDOWS\Fonts\SETCC1.tmp
2004-07-17 16:39 127,596 -c--a-w C:\WINDOWS\Fonts\SET7FE.tmp
2004-06-13 15:09 449 ----a-w C:\Documents and Settings\Owner.DARLENE\UpdateReg.reg
.
Code:
----a-w           657,408 2008-03-08 15:01:47  C:\Program Files\QuickTime\qttask  .exe
----a-w           657,408 2008-03-08 01:24:58  C:\Program Files\QuickTime\qttask .exe


------- Sigcheck -------

4b446fb004dcf499fa4e3a7f33f99c23 C:\WINDOWS\explorer.exe
----a-w 1,004,544 2002-09-03 17:05:32 C:\WINDOWS\explorer.exe
----a-w 1,032,192 2004-08-04 07:56:49 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
----a-w 1,032,192 2004-08-04 07:56:49 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\explorer.exe
------w 1,004,544 2002-09-03 17:05:32 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Dinst"=" " []
"FLMOFFICE4DMOUSE"="C:\Program Files\Browser MOUSE\mouse32a.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe" [ ]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [ ]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2008-01-07 07:37 86102]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-14 06:30 36352]
"PC Pitstop Optimize2 Reminder"="C:\Program Files\PCPitstop\Optimize2\Reminder.exe" [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
--a------ 2008-01-07 07:37 86102 C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-02-10 21:32 473920 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-08 09:01 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-04-19 10:06 102400 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"C:\\WINDOWS\\Explorer.EXE"= C:\\WINDOWS\\explorer.exe

S2 Ca504av;Dual Mode Digital Camera(Video);C:\WINDOWS\System32\Drivers\Ca504av.sys []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\System32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 USBCamera;Dual Mode Digital Camera(Still);C:\WINDOWS\System32\Drivers\Bulk504.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-02 17:55:06 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\System32\rundll32.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 11:09:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\comctl32.dll:_rc_db_5.1.2600 56320 bytes executable
C:\WINDOWS\system32\comctl32.dll:_rc_db_sec_obj 203264 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-03-08 11:16:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 17:15:50
ComboFix2.txt 2008-03-08 15:52:27
ComboFix3.txt 2008-03-07 20:35:47
.
2008-03-07 23:04:33 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:06 AM, on 3/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\pearllita.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://agoga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dinst]
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
O16 - DPF: {691A317B-85E9-666F-4CCC-5FC46C7DFB1C} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Clorox/Coupons.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://sympatico.zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC005DA7-13DB-440C-B90A-667CD9C225B7}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8555 bytes
 
Hi

Looks like no success.

First install one antivirus from below:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that:

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Program Files\QuickTime\qttask  .exe
    C:\Program Files\QuickTime\qttask .exe
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Post:

- a fresh HijackThis log
- otmoveit2 report
 
I downloaded and installed Avast. I am in the process of registering it. I will wait for your green light before running it to "fix" anything.

Here is the OTMoveIt report:
C:\Program Files\QuickTime\qttask .exe moved successfully.
C:\Program Files\QuickTime\qttask .exe moved successfully.

OTMoveIt2 v1.0.20 log created on 03082008_140934


Here is a fresh HJT report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:16 PM, on 3/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Alwil Software\Avast4\ashAvast.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\pearllita.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://agoga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dinst]
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
O16 - DPF: {691A317B-85E9-666F-4CCC-5FC46C7DFB1C} - http://85.255.115.229/1/gdnUS1440.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Clorox/Coupons.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://sympatico.zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC005DA7-13DB-440C-B90A-667CD9C225B7}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9428 bytes
 
Hi

Looks nice :)

Open HijackThis, click do a system scan only and checkmark these:

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {691A317B-85E9-666F-4CCC-5FC46C7DFB1C} - http://85.255.115.229/1/gdnUS1440.exe


Close all windows including browser and press fix checked.

Reboot.

Scan with avast! and save report.

Post:

- a fresh HijackThis log
- avast! report
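
Several of the entries singled out in this thread share traits that can be checked mechanically: a toolbar registration with "(no file)", an O16 download source that is a bare IP address serving an .exe, and a Run entry whose filename has a space before ".exe". The following is an added example, not part of the thread and not HijackThis's own logic; the sample lines, CLSIDs, host names and the 192.0.2.10 address are constructed, and the three heuristics are assumptions that flag entries for review rather than prove infection.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in HijackThis v2 layout (not copied from the thread).
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {22222222-2222-2222-2222-222222222222} - (no file)
O4 - HKLM\..\Run: [Example Task] "C:\Program Files\Example\task .exe" -atboottime
O4 - HKLM\..\Run: [Example Agent] "C:\Program Files\Example\agent.exe"
O16 - DPF: {33333333-3333-3333-3333-333333333333} - http://192.0.2.10/1/setup.exe
O16 - DPF: {44444444-4444-4444-4444-444444444444} (Example Control) - http://downloads.example.com/ctl/control.cab
"""

# "<section> - <body>", e.g. "O16 - DPF: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Whitespace directly before an executable extension, e.g. "task .exe".
PADDED_EXT_RE = re.compile(r"\s+\.(exe|dll|com|scr)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_ip_literal(host):
    """True when the host part of a URL is an IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_entry(section, body):
    """Return the list of reasons an entry deserves a manual look."""
    reasons = []
    # Browser add-on still registered although its file is gone.
    if section in {"O2", "O3", "O9"} and body.rstrip().endswith("(no file)"):
        reasons.append("registered component has no file on disk")
    # Lookalike filename that differs from the real one only by padding.
    if PADDED_EXT_RE.search(body):
        reasons.append("whitespace before executable extension")
    # ActiveX download source: expect a vendor host name and a .cab package.
    if section == "O16":
        match = URL_RE.search(body)
        if match:
            url = urlsplit(match.group(0))
            if is_ip_literal(url.hostname or ""):
                reasons.append("ActiveX source is a bare IP address")
            if url.path.lower().endswith(".exe"):
                reasons.append("ActiveX source is a direct .exe download")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return (section, body, reasons) per flagged line."""
    findings = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # header, process list or blank line
        reasons = check_entry(match["section"], match["body"])
        if reasons:
            findings.append((match["section"], match["body"], reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}")
        for reason in reasons:
            print(f"    - {reason}")
```

Entries chosen by knowledge of a specific component, such as the O9 "Related" button in the list above, are outside what these structural checks can catch.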
 
Just prior to my viewing your last post, Avast popped up saying virus found. My husband clicked "move to chest" as recommended by Avast. I don't know if that makes a difference or not, but here is the information on the virus found.

C:\SystemVolumeInformation\_restore{6CAF9125-183F-4DF7-9994
Malware name: VBS:Malware-gen
Malware type: virus/worm
VPS version 080309-0,03/09/2008

Here is the Avast scan report:
(I could not figure out how to copy/paste or save this report, so am just typing information in)
Name of file: C:\Documents and Settings\Owner.DARLENE\ApplicationData\Microsoft\Windows\wexrl.exe
Result:Infection: Win32:Trat-D [Drp]

new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:33 PM, on 3/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\pearllita.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://agoga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dinst]
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize2 Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Yahoo! Dots - http://download2.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Clorox/Coupons.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://sympatico.zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/cnma/default/ct.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC005DA7-13DB-440C-B90A-667CD9C225B7}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8852 bytes
 