
Solved Keyboard freezing & other issues - HJT log

Discussion in 'Malware and Virus Removal Archive' started by 2qwk4u, 2008/05/22.

  1. 2008/05/22
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    [Resolved] Keyboard freezing & other issues - HJT log

    Hello all. I am having several issues with my computer. As you can see, my name should be 2qwk4u but apparently my keyboard was freezing at the time. I've searched around and tried to find my way on my own. So far I have downloaded HJT and run a scan that I will post at the bottom. I've also downloaded and am currently scanning with Malwarebytes, both downloads per Geri's advice to others. Is there anything else I should download to my arsenal to save my laptop from a format?


    Thanks in advance...(and admins....seriously...2qwk4u if at all possible :) )

    Here is my hjt scan result...


    Index % of PCs with item Code Data
    1 0.3% O16 {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    2 0.0% O16 {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    3 0.0% O16 {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    4 0.0% O16 {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185019444906
    5 0.0% O18 text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
    6 0.0% O2 {08ec5ce9-6de0-8879-31a4-acb95b7110f7} - {7f0117b5-9bca-4a13-9788-0ed69ec5ce80} - C:\WINDOWS\system32\jgunwmcr.dll
    7 0.0% O2 (no name) - {8D1CA7BD-8A08-4FB0-8502-219D3BF088B0} - C:\WINDOWS\system32\vtUlLDtr.dll (file missing)
    8 0.0% O2 (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\fccDtsRj.dll
    9 0.0% O2 (no name) - {D21E50F6-0FE2-4F38-A850-DD9C0F61D270} - C:\WINDOWS\system32\hgGVMFvt.dll (file missing)
    10 0.0% O2 (no name) - {E62BBA2E-5D06-4C99-B375-AC3DD23E44CE} - C:\WINDOWS\system32\ddcBRJDv.dll (file missing)
    11 0.0% O2 StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
    12 0.0% O20 fccDtsRj - C:\WINDOWS\SYSTEM32\fccDtsRj.dll
    13 0.7% O23 AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    14 0.7% O23 AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    15 0.5% O23 AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    16 0.1% O23 DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    17 0.1% O23 Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    18 0.0% O24 (no name) - C:\Program Files\MSN Gaming Zone\rtenehd.html
    19 0.5% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    20 0.4% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    21 0.4% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    22 0.4% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    23 0.3% O4 [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    24 0.0% O4 [08a2b7a5] rundll32.exe "C:\WINDOWS\system32\sorktswn.dll ",b
    25 0.1% O7 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    26 4.3% O9 Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    27 4.2% O9 Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    28 0.7% O9 Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    29 0.0% O9 PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    30 0.0% O9 UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    31 0.0% O9 Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    32 0.0% O9 (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    33 0.0% O9 @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    34 8.3% P01 C:\WINDOWS\Explorer.EXE
    35 8.1% P01 C:\WINDOWS\system32\svchost.exe
    36 8.1% P01 C:\WINDOWS\system32\lsass.exe
    37 8.1% P01 C:\WINDOWS\system32\winlogon.exe
    38 8.1% P01 C:\WINDOWS\system32\services.exe
    39 8.1% P01 C:\WINDOWS\System32\smss.exe
    40 7.8% P01 C:\WINDOWS\system32\spoolsv.exe
    41 5.6% P01 C:\WINDOWS\system32\ctfmon.exe
    42 3.2% P01 C:\Program Files\Internet Explorer\iexplore.exe
    43 2.1% P01 C:\WINDOWS\system32\rundll32.exe
    44 1.4% P01 C:\Program Files\Messenger\msmsgs.exe
    45 1.0% P01 C:\WINDOWS\system32\wscntfy.exe
    46 0.8% P01 C:\Program Files\Windows Defender\MSASCui.exe
    47 0.8% P01 C:\Program Files\Windows Defender\MsMpEng.exe
    48 0.7% P01 C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    49 0.7% P01 C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    50 0.5% P01 C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    51 0.5% P01 C:\Windows\ehome\ehtray.exe
    52 0.5% P01 C:\Windows\ehome\ehmsas.exe
    53 0.4% P01 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    54 0.2% P01 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    55 0.2% P01 C:\WINDOWS\System32\bcmwltry.exe
    56 0.2% P01 C:\WINDOWS\System32\WLTRYSVC.EXE
    57 0.1% P01 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    58 0.1% P01 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    59 0.1% P01 C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    60 0.0% P01 C:\Program Files\NetWaiting\netWaiting.exe
    61 0.0% P01 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    62 0.0% P01 C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    63 0.0% P01 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    64 0.0% P01 C:\Program Files\QdrModule\QdrModule16.exe
    65 0.0% P01 C:\Program Files\QdrPack\QdrPack16.exe
    66 0.0% P01 C:\DOCUME~1\Bill\LOCALS~1\Temp\KQNm.exe
    67 0.0% P01 C:\Documents and Settings\Bill\Local Settings\Temp\.ttC5F.tmp
    68 0.0% P01 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    69 0.0% P01 C:\Program Files\JavaCore\JavaCore.exe
    70 0.0% R0 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    71 0.0% R0 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    72 0.3% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    73 0.2% R1 HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    74 0.1% R1 HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    75 0.0% R1 HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    76 0.0% R1 HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    77 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
    78 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
    79 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    80 0.4% R3 Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    Explanation of the codes

    R - Registry, StartPage/SearchPage changes


    R0 - Changed registry value
    R1 - Created registry value
    R2 - Created registry key
    R3 - Created extra registry value where only one should be

    F - IniFiles, autoloading entries


    F0 - Changed inifile value
    F1 - Created inifile value
    F2 - Changed inifile value, mapped to Registry
    F3 - Created inifile value, mapped to Registry

    N - Netscape/Mozilla StartPage/SearchPage changes


    N1 - Change in prefs.js of Netscape 4.x
    N2 - Change in prefs.js of Netscape 6
    N3 - Change in prefs.js of Netscape 7
    N4 - Change in prefs.js of Mozilla

    O - Other, several sections which represent:


    O1 - Hijack of auto.search.msn.com with Hosts file
    O2 - Enumeration of existing MSIE BHO's
    O3 - Enumeration of existing MSIE toolbars
    O4 - Enumeration of suspicious autoloading Registry entries
    O5 - Blocking of loading Internet Options in Control Panel
    O6 - Disabling of 'Internet Options' Main tab with Policies
    O7 - Disabling of Regedit with Policies
    O8 - Extra MSIE context menu items
    O9 - Extra 'Tools' menuitems and buttons
    O10 - Breaking of Internet access by New.Net or WebHancer
    O11 - Extra options in MSIE 'Advanced' settings tab
    O12 - MSIE plugins for file extensions or MIME types
    O13 - Hijack of default URL prefixes
    O14 - Changing of IERESET.INF
    O15 - Trusted Zone Autoadd
    O16 - Download Program Files item
    O17 - Domain hijack
    O18 - Enumeration of existing protocols and filters
    O19 - User stylesheet hijack
    O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
    O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
    O22 - SharedTaskScheduler autorun Registry key
    O23 - Enumeration of NT Services
    O24 - Enumeration of ActiveX Desktop Components




    and the mbam results....


    Malwarebytes' Anti-Malware 1.12
    Database version: 777

    Scan type: Quick Scan
    Objects scanned: 57282
    Time elapsed: 25 minute(s), 25 second(s)

    Memory Processes Infected: 3
    Memory Modules Infected: 2
    Registry Keys Infected: 36
    Registry Values Infected: 5
    Registry Data Items Infected: 0
    Folders Infected: 19
    Files Infected: 92

    Memory Processes Infected:
    c:\program files\JavaCore\JavaCore.exe (Trojan.Insider) -> Unloaded process successfully.
    C:\Program Files\QdrModule\QdrModule16.exe (Adware.ISM) -> Unloaded process successfully.
    C:\Program Files\QdrPack\QdrPack16.exe (Adware.ISM) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\sorktswn.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\fccDtsRj.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d21e50f6-0fe2-4f38-a850-dd9c0f61d270} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d21e50f6-0fe2-4f38-a850-dd9c0f61d270} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bndaero6.band (Adware.SearchAid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bndaero6.band.1 (Adware.SearchAid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bndaero6.bho (Adware.SearchAid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bndaero6.bho.1 (Adware.SearchAid) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{5c9da244-a571-4fe7-ab8c-ca47703c686b} (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccdtsrj (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\BndAero6.DLL (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\xInsiDERexe (Adware.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\kernelexe (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08a2b7a5 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c7bbc1fa-e415-4926-9a47-9ab58d0b3bc8} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)



    OK, I have to restart the computer.... I'll be back


    Thanks

    Bill
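The two HijackThis layouts pasted in this thread (the analyzer table with "% of PCs with item", and the native "O2 - BHO: ..." lines that appear later) are simple enough to parse by hand, and the items the cleanup tools flagged share a few recognisable traits: BHOs whose file is missing, rundll32/Run entries loading an eight-letter random-named DLL in system32, the DisableRegedit policy, and IE start/search pages pointed at a local file. The following is an added example for readers of the thread, not code from the original post nor from HijackThis or Malwarebytes; the sample lines are copied from the logs above, and the triage heuristics (including the eight-letter stem rule) are this example's own assumptions, written to illustrate how such a log can be sifted, not to replace a helper's review.

```python
"""Parse HijackThis-style log lines and apply a few defensive triage heuristics.

Added illustration for the thread above (not HijackThis or Malwarebytes code).
Handles both layouts seen in the thread:
  analyzer rows:  "<index> <pct>% <code> <data>"
  native lines:   "<code> - <data>"
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ANALYZER_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)%\s+([A-Z]\d{1,2})\s+(.*)$")
NATIVE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")
# Assumed heuristic: the Vundo-family DLLs in this thread all have 8-letter
# random stems directly under system32 (sorktswn, fccDtsRj, jgunwmcr, ...).
RANDOM_DLL_RE = re.compile(r"\\system32\\([A-Za-z]{8})\.dll\b", re.IGNORECASE)


@dataclass
class Entry:
    code: str                     # HijackThis section code, e.g. "O2", "R0", "P01"
    data: str                     # the rest of the line
    prevalence: Optional[float]   # "% of PCs with item"; analyzer rows only


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a log line, or None for headers/blank/explanatory text."""
    m = ANALYZER_RE.match(line)
    if m:
        return Entry(m.group(3), m.group(4).strip(), float(m.group(2)))
    m = NATIVE_RE.match(line)
    if m:
        return Entry(m.group(1), m.group(2).strip(), None)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> List[dict]:
    """Apply the (assumed) heuristics; returns one finding per suspicious entry."""
    findings = []
    for e in entries:
        reason = None
        if "(file missing)" in e.data and e.code in ("O2", "O3", "O9"):
            # registration left behind after the target file was removed
            reason = "orphaned entry"
        elif e.code in ("O2", "O4", "O20") and RANDOM_DLL_RE.search(e.data):
            # BHO / Run / Winlogon-Notify entry loading a random-named system32 DLL
            reason = "random-name dll"
        elif e.code == "O7" and "DisableRegedit=1" in e.data:
            # policy restriction a home user did not set themselves
            reason = "regedit disabled"
        elif e.code in ("R0", "R1") and "file://" in e.data:
            # IE start/search page redirected to a local HTML file
            reason = "local start page"
        if reason:
            findings.append({"code": e.code, "reason": reason, "data": e.data})
    return findings


# Constructed sample: lines copied from the two log layouts in the thread.
SAMPLE = r"""
7 0.0% O2 (no name) - {8D1CA7BD-8A08-4FB0-8502-219D3BF088B0} - C:\WINDOWS\system32\vtUlLDtr.dll (file missing)
24 0.0% O4 [08a2b7a5] rundll32.exe "C:\WINDOWS\system32\sorktswn.dll ",b
25 0.1% O7 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
70 0.0% R0 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: {08ec5ce9-6de0-8879-31a4-acb95b7110f7} - {7f0117b5-9bca-4a13-9788-0ed69ec5ce80} - C:\WINDOWS\system32\jgunwmcr.dll
"""

if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE)):
        print(f"{f['code']:<4}{f['reason']:<18}{f['data']}")
```

Of the six sample lines only the legitimate ctfmon.exe Run entry passes without a finding; the heuristics are deliberately narrow (a specific naming pattern, a specific policy value) so they point a reader at lines worth asking about rather than pronouncing anything clean.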
     
  2. 2008/05/22
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    Thanks for the name change...... :)

    OK, I followed through with the instructions that Geri offered someone else. I've restarted my computer and rescanned with HJT. Here are the results:

    % of PCs with item Code Data
    1 0.3% O16 {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    2 0.0% O16 {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    3 0.0% O16 {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    4 0.0% O16 {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185019444906
    5 0.0% O18 text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
    6 0.0% O2 {08ec5ce9-6de0-8879-31a4-acb95b7110f7} - {7f0117b5-9bca-4a13-9788-0ed69ec5ce80} - C:\WINDOWS\system32\jgunwmcr.dll
    7 0.0% O2 (no name) - {8D1CA7BD-8A08-4FB0-8502-219D3BF088B0} - C:\WINDOWS\system32\vtUlLDtr.dll (file missing)
    8 0.0% O2 (no name) - {E62BBA2E-5D06-4C99-B375-AC3DD23E44CE} - C:\WINDOWS\system32\ddcBRJDv.dll (file missing)
    9 0.8% O23 Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    10 0.7% O23 AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    11 0.7% O23 AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    12 0.5% O23 AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    13 0.1% O23 DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    14 0.1% O23 Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
    15 0.0% O24 (no name) - C:\Program Files\MSN Gaming Zone\rtenehd.html
    16 5.3% O4 [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    17 1.4% O4 [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    18 0.7% O4 [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    19 0.7% O4 Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    20 0.6% O4 [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    21 0.5% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    22 0.4% O4 [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    23 0.4% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    24 0.4% O4 [ehTray] C:\WINDOWS\ehome\ehtray.exe
    25 0.4% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    26 0.4% O4 [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    27 0.3% O4 Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    28 0.2% O4 [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    29 0.2% O4 [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    30 0.1% O4 [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    31 0.0% O4 [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    32 0.0% O4 [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    33 0.0% O4 [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    34 0.0% O4 [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
    35 0.0% O4 [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
    36 0.0% O4 [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
    37 0.0% O4 [08a2b7a5] rundll32.exe "C:\WINDOWS\system32\sorktswn.dll ",b
    38 0.0% O4 [BM0b918439] Rundll32.exe "C:\WINDOWS\system32\sdoouaan.dll ",s
    39 0.0% O4 [ctfmona] C:\WINDOWS\system32\ctfmona.exe
    40 0.0% O4 [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
    41 0.0% O4 [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
    42 0.0% O4 [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    43 4.3% O9 Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    44 4.2% O9 Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    45 0.7% O9 Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    46 0.0% O9 PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    47 0.0% O9 UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    48 0.0% O9 Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    49 0.0% O9 (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    50 0.0% O9 @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    51 8.3% P01 C:\WINDOWS\Explorer.EXE
    52 8.1% P01 C:\WINDOWS\system32\svchost.exe
    53 8.1% P01 C:\WINDOWS\system32\lsass.exe
    54 8.1% P01 C:\WINDOWS\system32\winlogon.exe
    55 8.1% P01 C:\WINDOWS\system32\services.exe
    56 8.1% P01 C:\WINDOWS\System32\smss.exe
    57 7.8% P01 C:\WINDOWS\system32\spoolsv.exe
    58 5.6% P01 C:\WINDOWS\system32\ctfmon.exe
    59 1.0% P01 C:\WINDOWS\system32\wscntfy.exe
    60 0.8% P01 C:\Program Files\Windows Defender\MsMpEng.exe
    61 0.7% P01 C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    62 0.7% P01 C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    63 0.5% P01 C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    64 0.4% P01 C:\WINDOWS\system32\msiexec.exe
    65 0.2% P01 C:\WINDOWS\System32\bcmwltry.exe
    66 0.2% P01 C:\WINDOWS\System32\WLTRYSVC.EXE
    67 0.0% P01 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    68 0.0% P01 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    69 0.0% R0 HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    70 0.0% R0 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    71 0.3% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    72 0.2% R1 HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    73 0.1% R1 HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    74 0.0% R1 HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    75 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
    76 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
    77 0.0% R1 HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    78 0.0% R1 HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    79 0.4% R3 Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    mb is still running the second quick scan.

    -Bill
     


  4. 2008/05/22
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    OK. I've rescanned with HJT and mbam. It says that my computer is clean. However, it has a "windows installer" box that won't cancel and won't run. Any ideas about that?
     
  5. 2008/05/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS 2qwk4u :)

    Don't do any more fixing based on what has been recommended to others. Each infection and PC can be very different and therefore might need to be treated differently.

    I've never seen a HijackThis log with that format, so I'm very curious as to exactly what steps you take in creating it. :confused:

    Download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.
     
  6. 2008/05/22
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    I think I was posting the wrong thing. When I ran it the second time, it opened a notepad window and had different information. I was c.c. and p'ing the wrong thing I think. I will load that program that you suggested and post the results tomorrow. Thank you for your advice. The only thing I downloaded and ran were the HJT and MBAM. I will let you know what dss.exe tells me tomorrow.


    -Bill
     
  7. 2008/05/24
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    Here are the results of my HJT scan.

    What all can I check to "FIX"?

    Thanks

    -Bill
     
  8. 2008/05/24
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    I ran dss.exe; however, it locks up when it's checking the registry and won't finish. I have my firewall turned off. It seems to run fine until it gets to the registry part. I've made 3 attempts.....


    Also... Ctrl+Alt+Del doesn't work. It says that it is disabled by the administrator..... How can I re-enable it?
     
  9. 2008/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your reply above suggests you posted a HijackThis log, but I don't see one. :confused:

    Provided dss.exe is on the Desktop, please do the following. Copy the command below, click Start>Run and paste it in, then hit enter.

    "%userprofile%\Desktop\dss.exe" /config

    The dss interface should open. Click Check All then Uncheck All.
    Select everything in the left column (Main log section) except Registry Dump.
    Click scan and post the resulting log.

    Now, re-open dss in the same manner and check only Registry Dump, then click scan.
    Post that log as well.
     
  10. 2008/05/24
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    dss.exe.....without dump...

    Deckard's System Scanner v20071014.68
    Run by Bill on 2008-05-24 23:23:57
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------



    -- Last 5 Restore Point(s) --
    6: 2008-05-24 14:26:56 UTC - RP6 - Deckard's System Scanner Restore Point
    5: 2008-05-22 16:24:11 UTC - RP5 - Software Distribution Service 3.0
    4: 2008-05-22 16:23:21 UTC - RP4 - Removed Windows Defender
    3: 2008-05-22 16:22:35 UTC - RP3 - Software Distribution Service 3.0
    2: 2008-05-14 20:14:50 UTC - RP2 - Windows Defender Checkpoint


    -- First Restore Point --
    1: 2008-05-14 20:05:54 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Bill.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:25:28 PM, on 5/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Bill\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Bill.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: {08ec5ce9-6de0-8879-31a4-acb95b7110f7} - {7f0117b5-9bca-4a13-9788-0ed69ec5ce80} - C:\WINDOWS\system32\jgunwmcr.dll
    O2 - BHO: (no name) - {8D1CA7BD-8A08-4FB0-8502-219D3BF088B0} - C:\WINDOWS\system32\vtUlLDtr.dll (file missing)
    O2 - BHO: (no name) - {E62BBA2E-5D06-4C99-B375-AC3DD23E44CE} - C:\WINDOWS\system32\ddcBRJDv.dll (file missing)
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185019444906
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
    O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtenehd.html

    --
    End of file - 6169 bytes

    -- File Associations -----------------------------------------------------------

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
    R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
    R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
    R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
    R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
    R3 MarvinBus (Pinnacle Marvin Bus) - c:\windows\system32\drivers\marvinbus.sys <Not Verified; Pinnacle Systems GmbH; Pinnacle Marvin Discrete>

    S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
    S3 sysrest.sys - c:\windows\system32\sysrest.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S4 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\11D381414A4FC000
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\11D381414A4FC000
    Service: NIC1394


    -- Process Modules -------------------------------------------------------------

    C:\WINDOWS\explorer.exe (pid 2596)
    2007-12-27 18:27:06 20480 -----n--- C:\Program Files\RcvSystem\httpdchk.dll


    -- Scheduled Tasks -------------------------------------------------------------

    2008-05-24 03:30:00 400 --a------ C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    2006-05-24 20:35:25 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


    -- Files created between 2008-04-24 and 2008-05-24 -----------------------------

    2008-05-22 13:09:27 0 d-------- C:\Documents and Settings\Bill\Application Data\Comodo
    2008-05-22 13:09:25 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-05-22 13:09:24 0 d-------- C:\Program Files\COMODO
    2008-05-22 10:48:15 0 d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
    2008-05-22 10:47:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-22 10:47:32 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-22 08:26:48 2560 --a------ C:\WINDOWS\system32\vacuxlyc.exe
    2008-05-22 08:26:46 99952 --a------ C:\WINDOWS\system32\jgunwmcr.dll
    2008-05-21 08:30:00 2560 --a------ C:\WINDOWS\system32\dklwxhrt.exe
    2008-05-21 08:20:53 100000 --a------ C:\WINDOWS\system32\ormvuofd.dll
    2008-05-21 07:21:43 100000 --a------ C:\WINDOWS\system32\xqmmeclb.dll
    2008-05-19 20:53:19 99856 --a------ C:\WINDOWS\system32\afgxiiru.dll
    2008-05-19 20:38:54 90160 --a------ C:\WINDOWS\system32\nxcfufmj.dll
    2008-05-19 07:49:44 98928 --a------ C:\WINDOWS\system32\bhuercmh.dll
    2008-05-18 20:25:43 90272 --a------ C:\WINDOWS\system32\rnpqhkcu.dll
    2008-05-18 08:17:46 98880 --a------ C:\WINDOWS\system32\odaexytd.dll
    2008-05-17 20:24:46 90224 --a------ C:\WINDOWS\system32\kivqtnwm.dll
    2008-05-16 19:13:38 98896 --a------ C:\WINDOWS\system32\fjipmqro.dll
    2008-05-16 19:08:25 90240 --a------ C:\WINDOWS\system32\oqxxvhwb.dll
    2008-05-16 19:07:36 893177 --ahs---- C:\WINDOWS\system32\vDJRBcdd.ini2
    2008-05-14 16:40:31 98928 --a------ C:\WINDOWS\system32\wtitwgcq.dll
    2008-05-14 16:38:11 90208 --a------ C:\WINDOWS\system32\tgdgfxml.dll
    2008-05-14 16:35:12 98928 --a------ C:\WINDOWS\system32\ltyxwxit.dll
    2008-05-14 16:35:00 90208 --a------ C:\WINDOWS\system32\mobcjhwc.dll
    2008-05-14 15:56:46 98928 --a------ C:\WINDOWS\system32\ouocxiow.dll
    2008-05-14 12:48:14 90208 --a------ C:\WINDOWS\system32\dnfivrsj.dll
    2008-05-14 12:47:26 2992 --a------ C:\WINDOWS\system32\stehgfxb.dll
    2008-05-14 12:45:22 90272 --a------ C:\WINDOWS\system32\iovndbma.dll
    2008-05-14 07:48:56 99008 --a------ C:\WINDOWS\system32\xvlphfwu.dll
    2008-05-11 17:58:27 1203972 --ahs---- C:\WINDOWS\system32\rtDLlUtv.ini2
    2008-05-11 09:41:50 0 d-------- C:\Program Files\Lavasoft
    2008-05-11 09:41:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-05-11 09:00:19 3932160 --a------ C:\Documents and Settings\Bill\ntuser.dat
    2008-05-11 08:54:55 0 d-------- C:\WINDOWS\system32\dFrnx06


    -- Find3M Report ---------------------------------------------------------------

    2008-05-24 10:19:41 0 d-------- C:\Program Files\LogWorks2
    2008-05-22 12:23:28 0 d-------- C:\Program Files\Windows Defender
    2008-05-22 12:06:58 0 d-------- C:\Documents and Settings\Bill\Application Data\AVG7
    2008-05-22 11:03:01 0 d-------- C:\Program Files\Trend Micro
    2008-05-19 21:28:35 3556 --a------ C:\Documents and Settings\Bill\Application Data\wklnhst.dat
    2008-05-11 10:00:27 0 d-------- C:\Program Files\Common Files
    2008-04-02 21:24:55 0 d-------- C:\Program Files\Samsung
    2008-03-26 07:48:06 0 d-------- C:\Program Files\RcvSystem


    -- End of Deckard's System Scanner: finished at 2008-05-24 23:26:15 ------------
     
  11. 2008/05/24
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    just the dump....


    Deckard's System Scanner v20071014.68
    Run by Bill on 2008-05-24 23:29:37
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Backed up registry hives.



    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f0117b5-9bca-4a13-9788-0ed69ec5ce80}]
    05/22/2008 08:26 AM 99952 --a------ C:\WINDOWS\system32\jgunwmcr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D1CA7BD-8A08-4FB0-8502-219D3BF088B0}]
    C:\WINDOWS\system32\vtUlLDtr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E62BBA2E-5D06-4C99-B375-AC3DD23E44CE}]
    C:\WINDOWS\system32\ddcBRJDv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [05/23/2008 10:45 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=1 (0x1)
    "DisableRegistryTools "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktop "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\MSN Gaming Zone\rtenehd.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "= C:\WINDOWS\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\ddcBRJDv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Bill\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
    C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
    C:\WINDOWS\system32\ctfmona.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    C:\WINDOWS\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
    C:\Program Files\NetWaiting\netWaiting.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule15]
    "C:\Program Files\QdrModule\QdrModule15.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
    "C:\Program Files\QdrModule\QdrModule16.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack16]
    "C:\Program Files\QdrPack\QdrPack16.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysrest32.exe]
    C:\WINDOWS\system32\sysrest32.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    AutoRun\command- E:\setup.exe




    -- End of Deckard's System Scanner: finished at 2008-05-24 23:30:53 -------
     
  12. 2008/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's start with fixing the broken file associations.

    Highlight and copy the bolded command below.

    "%userprofile%\desktop\dss.exe" /daft
    • Click Start>Run and paste the command in, then hit enter.
    • An interface of Deckard's file association fix will open.
    • Click Scan.
    • Check the box next to the following entries, then click Fix.
      • .reg
      • .scr
    • Exit when complete.


    Now, download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    To properly create a HijackThis log, select 'Do a system scan and save log file' from the main menu upon opening, or if doing a scan only, select Save log when the scan is complete. Either way, the log to be posted will open once it has been saved.
     
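The DSS output above reported the .reg and .scr open commands as broken, and the HJT and registry-dump posts carry the other entries a helper reads first (the random-named BHO DLLs, the O18 text/html filter, the file:// homepage, DisableTaskMgr, the extra LSA authentication package, AntiVirusOverride). The script below is an added example, not code from this thread or from HijackThis, DSS or ComboFix: it runs the same triage over a handful of lines copied from those logs (the forum's stray spaces before the closing quotes removed). The severity labels, the eight-letter-DLL heuristic and the Windows XP default open commands for regfile and scrfile (`regedit.exe "%1"` and `"%1" /S`) are my assumptions, not anything the tools print.

```python
import os
import re

# Constructed sample: lines copied from the HijackThis, DSS and ComboFix logs
# posted in this thread, with one benign O9 entry kept for contrast.
SAMPLE = r"""
O2 - BHO: {08ec5ce9-6de0-8879-31a4-acb95b7110f7} - {7f0117b5-9bca-4a13-9788-0ed69ec5ce80} - C:\WINDOWS\system32\jgunwmcr.dll
O2 - BHO: (no name) - {8D1CA7BD-8A08-4FB0-8502-219D3BF088B0} - C:\WINDOWS\system32\vtUlLDtr.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtenehd.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
"DisableTaskMgr"=1 (0x1)
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcBRJDv
"AntiVirusOverride"=dword:00000001
"""
SAMPLE_LINES = SAMPLE.strip().splitlines()

# Assumed Windows XP defaults for the two file types DSS reported as broken.
GOOD_ASSOC = {"regfile": 'regedit.exe "%1"', "scrfile": '"%1" /S'}

HJT_LINE = re.compile(r"^(R[0-3]|O\d+|F\d) - (.*)$")
ASSOC_LINE = re.compile(r"^\.\w+ - (\w+) - shell\\open\\command - (.*)$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
RANDOM_DLL = re.compile(r"^[A-Za-z]{8}\.dll$")  # jgunwmcr.dll, vtUlLDtr.dll, ...


def classify(line):
    """Return (severity, reason) for one log line, or None if it looks benign."""
    line = line.strip()
    m = HJT_LINE.match(line)
    if m:
        section, rest = m.groups()
        path = rest.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
        base = os.path.basename(path.replace("\\", "/"))
        if "(file missing)" in rest:
            return ("low", f"{section}: orphaned entry, {base} no longer exists")
        if section == "O2" and ("(no name)" in rest or RANDOM_DLL.match(base)):
            return ("high", f"O2: unnamed BHO or random-named DLL {base}")
        if section == "O18":
            return ("high", f"O18: MIME filter hijack, text/html routed through {base}")
        if section == "O20":
            return ("medium", f"O20: AppInit_DLLs loads {base} into every GUI process; confirm vendor")
        if section == "O24":
            return ("medium", f"O24: Active Desktop component loads local file {base}")
        if section.startswith("R") and "file://" in rest:
            return ("high", f"{section}: IE start/search page redirected to a local file")
        return None
    m = ASSOC_LINE.match(line)
    if m:
        ftype, cmd = m.groups()
        good = GOOD_ASSOC.get(ftype)
        if good and cmd != good:
            return ("high", f"{ftype}: open command is '{cmd}', expected '{good}'")
        return None
    m = REG_VALUE.match(line)
    if m:
        name, value = m.groups()
        if name == "DisableTaskMgr" and value.startswith("1"):
            return ("high", "policy: Task Manager disabled for the user")
        if name == "Authentication Packages":
            extras = [t for t in value.split() if t.lower() != "msv1_0"]
            if extras:
                return ("high", f"LSA: extra authentication package(s) {' '.join(extras)}")
        if name == "AntiVirusOverride" and value.endswith("1"):
            return ("medium", "Security Center: antivirus status warnings suppressed")
    return None


def triage(lines):
    """Run classify() over every line and return the findings, worst first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    found = [(sev, why, ln.strip()) for ln in lines
             for sev, why in [classify(ln) or (None, None)] if sev]
    return sorted(found, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for sev, why, ln in triage(SAMPLE_LINES):
        print(f"[{sev:6}] {why}\n         {ln}")
```

Run as-is it prints the eleven findings from the sample, highs first; point `triage()` at the lines of a saved hijackthis.log or DSS main.txt to apply the same checks to a fresh log.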
  13. 2008/05/25
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    HJT log after running the ComboFix exe. It told me where the log would be after Notepad popped up, but the computer was frozen and I can't find it. I'm gonna run it again, then I'll post up.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:35:39 AM, on 5/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {8D1CA7BD-8A08-4FB0-8502-219D3BF088B0} - C:\WINDOWS\system32\vtUlLDtr.dll (file missing)
    O2 - BHO: (no name) - {E62BBA2E-5D06-4C99-B375-AC3DD23E44CE} - C:\WINDOWS\system32\ddcBRJDv.dll (file missing)
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185019444906
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 5589 bytes
     
  14. 2008/05/25
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    And at last... the ComboFix log. You guys are flippin' awesome, but I feel like a blind squirrel... lol

    Here ya go.

    ComboFix 08-05-24.1 - Bill 2008-05-25 8:45:08.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.637 [GMT -4:00]
    Running from: C:\Documents and Settings\Bill\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Bill\err.log
    C:\Documents and Settings\Bill\Local Settings\Temporary Internet Files\CPV.stt
    C:\WINDOWS\system32\wnstssv32.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
    .

    2008-05-24 10:25 . 2008-05-24 10:25 <DIR> d-------- C:\Deckard
    2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Program Files\COMODO
    2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Comodo
    2008-05-22 13:09 . 2008-05-22 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-05-22 13:09 . 2008-05-23 22:47 143,104 --a------ C:\WINDOWS\system32\guard32.dll
    2008-05-22 13:09 . 2008-05-23 22:47 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
    2008-05-22 13:09 . 2008-05-23 22:47 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-05-22 10:48 . 2008-05-22 10:48 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
    2008-05-22 10:47 . 2008-05-22 10:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-22 10:47 . 2008-05-22 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-22 10:47 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-22 10:47 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-21 08:20 . 2008-05-21 08:20 100,000 --a------ C:\WINDOWS\system32\ormvuofd.dll
    2008-05-21 07:21 . 2008-05-21 07:21 100,000 --a------ C:\WINDOWS\system32\xqmmeclb.dll
    2008-05-14 12:47 . 2008-05-14 12:47 2,992 --a------ C:\WINDOWS\system32\stehgfxb.dll
    2008-05-11 09:41 . 2008-05-11 09:41 <DIR> d-------- C:\Program Files\Lavasoft
    2008-05-11 09:41 . 2008-05-11 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-05-11 08:55 . 2008-05-11 08:56 1,906 --a------ C:\WINDOWS\index.html
    2008-05-11 08:54 . 2008-05-11 08:55 <DIR> d-------- C:\WINDOWS\system32\dFrnx06

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-24 14:19 --------- d-----w C:\Program Files\LogWorks2
    2008-05-22 16:23 --------- d-----w C:\Program Files\Windows Defender
    2008-05-22 16:06 --------- d-----w C:\Documents and Settings\Bill\Application Data\AVG7
    2008-05-22 15:03 --------- d-----w C:\Program Files\Trend Micro
    2008-05-20 01:28 3,556 ----a-w C:\Documents and Settings\Bill\Application Data\wklnhst.dat
    2008-04-03 01:24 --------- d-----w C:\Program Files\Samsung
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-26 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-03-26 12:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-03-26 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-09-01 22:24 0 ---ha-w C:\Documents and Settings\Kelli\hpothb07.dat
    2007-09-01 22:23 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
    2007-08-06 18:51 34 ----a-w C:\Documents and Settings\All Users\Application Data\amlistx.dat
    2007-08-06 18:51 0 ----a-w C:\Documents and Settings\Bill\Application Data\amopn.dat
    2007-06-25 23:38 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
    2007-06-23 11:15 4 ----a-w C:\Documents and Settings\All Users\Application Data\amsrv.dat
    2007-06-21 23:38 178 ---ha-w C:\Documents and Settings\Kelli\Application Data\hpothb07.dat
    2007-06-21 23:38 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
    2006-05-30 00:33 126 ----a-w C:\Documents and Settings\Kelli\Application Data\wklnhst.dat
    2006-12-02 17:50 88 --sha-r C:\WINDOWS\system32\B37DD7F4FB.sys
    2008-01-30 14:24 104 --sha-r C:\WINDOWS\system32\FBF4D77DB3.sys
    2008-01-30 14:24 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-25_ 8.30.07.20 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-25 12:25:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-25 12:43:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D1CA7BD-8A08-4FB0-8502-219D3BF088B0}]
    C:\WINDOWS\system32\vtUlLDtr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E62BBA2E-5D06-4C99-B375-AC3DD23E44CE}]
    C:\WINDOWS\system32\ddcBRJDv.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-23 22:45 1575680]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-26 08:23 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "= C:\WINDOWS\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG "= Pvmjpg30.dll
    "VIDC.PIM1 "= pclepim1.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Bill\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    --a------ 2008-04-18 13:55 579584 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
    --a------ 2002-10-07 00:23 90112 C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-10 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
    C:\WINDOWS\system32\ctfmona.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    --------- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 15:01 67584 C:\WINDOWS\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
    --------- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule15]
    C:\Program Files\QdrModule\QdrModule15.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
    C:\Program Files\QdrModule\QdrModule16.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack16]
    C:\Program Files\QdrPack\QdrPack16.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-05-18 17:58 98304 C:\Program Files\QuickTime\bak\bak\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    --a------ 2002-06-20 15:30 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysrest32.exe]
    C:\WINDOWS\system32\sysrest32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe "=
    "C:\\WINDOWS\\system32\\mmc.exe "=

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-23 22:47]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-23 22:47]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-24 07:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job "
    - C:\Program Files\ErrorSmart\ErrorSmart.ex
    - C:\Program Files\ErrorSmart
    "2006-05-25 00:35:25 C:\WINDOWS\Tasks\ISP signup reminder 1.job "
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-25 08:47:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\guard32.dll

    PROCESS: C:\WINDOWS\system32\lsass.exe
    -> C:\WINDOWS\system32\guard32.dll
    .
    Completion time: 2008-05-25 8:49:25
    ComboFix-quarantined-files.txt 2008-05-25 12:48:55
    ComboFix2.txt 2008-05-25 12:30:24

    Pre-Run: 12,855,820,288 bytes free
    Post-Run: 12,851,400,704 bytes free

    184 --- E O F --- 2008-05-22 16:28:22
     
  15. 2008/05/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Before we go any further, please post the contents of the following 2 logs.

    C:\Qoobox\ComboFix-quarantined-files.txt
    C:\Qoobox\ComboFix2.txt



    Then, download FindAWF
    Save the file to the Desktop
    Double-click the FindAWF icon.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 1 then Enter to scan for bak folders
    The scan may take a while, please be patient.

    When done, awf.txt will open. Please post its contents here.
     
  16. 2008/05/25
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    2007-04-17 13:52 320 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\43759352412.CPX.vir
    2007-04-18 13:52 126464 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\4375935241.CPX.vir
    2007-04-19 12:52 27888 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\43759352431.CPX.vir
    2007-04-19 13:52 418 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\43759352421.CPX.vir
    2007-04-20 13:52 7165 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\43759352451.CPX.vir
    2007-04-26 00:30 29184 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\MSINET.oca.vir
    2007-08-16 21:56 0 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Bill\err.log.vir
    2007-10-25 13:46 142 --a------ C:\Qoobox\Quarantine\C\Program Files\MSN Gaming Zone\rtenehd.html.vir
    2007-11-04 11:49 933 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winpfz32.sys.vir
    2007-12-27 18:27 20480 --a------ C:\Qoobox\Quarantine\C\Program Files\RcvSystem\httpdchk.dll.vir
    2008-01-06 19:20 2 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wnstssv32.exe.vir
    2008-03-18 21:27 4095 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Bill\Local Settings\Temporary Internet Files\CPV.stt.vir
    2008-05-14 07:48 99008 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\xvlphfwu.dll.vir
    2008-05-14 12:45 90272 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\iovndbma.dll.vir
    2008-05-14 12:48 90208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dnfivrsj.dll.vir
    2008-05-14 15:56 98928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ouocxiow.dll.vir
    2008-05-14 16:35 90208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mobcjhwc.dll.vir
    2008-05-14 16:35 98928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ltyxwxit.dll.vir
    2008-05-14 16:38 1555564 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kagdbqwy.ini.vir
    2008-05-14 16:38 90208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tgdgfxml.dll.vir
    2008-05-14 16:40 98928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wtitwgcq.dll.vir
    2008-05-15 08:13 1203972 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rtDLlUtv.ini2.vir
    2008-05-15 08:16 1203972 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rtDLlUtv.ini.vir
    2008-05-16 19:08 90240 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\oqxxvhwb.dll.vir
    2008-05-16 19:13 98896 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fjipmqro.dll.vir
    2008-05-17 20:24 90224 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\kivqtnwm.dll.vir
    2008-05-18 08:17 98880 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\odaexytd.dll.vir
    2008-05-18 20:25 90272 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\rnpqhkcu.dll.vir
    2008-05-19 07:49 98928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\bhuercmh.dll.vir
    2008-05-19 20:38 90160 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\nxcfufmj.dll.vir
    2008-05-19 20:53 99856 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\afgxiiru.dll.vir
    2008-05-21 08:30 2560 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dklwxhrt.exe.vir
    2008-05-21 11:08 2493 --a------ C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
    2008-05-22 08:20 22 --a------ C:\Qoobox\Quarantine\C\WINDOWS\pskt.ini.vir
    2008-05-22 08:23 109835 --a------ C:\Qoobox\Quarantine\C\WINDOWS\BM0b918439.xml.vir
    2008-05-22 08:26 2560 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vacuxlyc.exe.vir
    2008-05-22 08:26 99952 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jgunwmcr.dll.vir
    2008-05-22 11:25 893177 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vDJRBcdd.ini2.vir
    2008-05-22 11:26 893497 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vDJRBcdd.ini.vir
    2008-05-25 08:02 777 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\43759352477.CPX.vir
    2008-05-25 08:22 2188 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_sysrest.sys.reg.dat
    2008-05-25 08:22 862 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_NETWORK_MONITOR.reg.dat
    2008-05-25 08:23 96466 --a------ C:\Qoobox\Quarantine\catchme2008-05-25_ 82350.95.zip
    2008-05-25 08:47 1418 --a------ C:\Qoobox\Quarantine\catchme.log



    and number 2:


    ComboFix 08-05-24.1 - Bill 2008-05-25 8:19:31.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.585 [GMT -4:00]
    Running from: C:\Documents and Settings\Bill\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Bill\My Documents\MBOLS~1
    C:\Documents and Settings\Bill\My Documents\SMANTE~1
    C:\Program Files\dobe~1
    C:\Program Files\MSN Gaming Zone\rtenehd.html
    C:\Program Files\pppatc~1
    C:\Program Files\RcvSystem
    C:\Program Files\RcvSystem\httpdchk.dll
    C:\Temp\fse
    C:\Temp\tmpvc14
    C:\WINDOWS\BM0b918439.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\fnts~1
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\4375935241.CPX
    C:\WINDOWS\system32\43759352412.CPX
    C:\WINDOWS\system32\43759352421.CPX
    C:\WINDOWS\system32\43759352431.CPX
    C:\WINDOWS\system32\43759352451.CPX
    C:\WINDOWS\system32\43759352477.CPX
    C:\WINDOWS\system32\afgxiiru.dll
    C:\WINDOWS\system32\asks~1
    C:\WINDOWS\system32\bhuercmh.dll
    C:\WINDOWS\system32\dklwxhrt.exe
    C:\WINDOWS\system32\dnfivrsj.dll
    C:\WINDOWS\system32\fjipmqro.dll
    C:\WINDOWS\system32\iovndbma.dll
    C:\WINDOWS\system32\jgunwmcr.dll
    C:\WINDOWS\system32\kagdbqwy.ini
    C:\WINDOWS\system32\kivqtnwm.dll
    C:\WINDOWS\system32\ltyxwxit.dll
    C:\WINDOWS\system32\mobcjhwc.dll
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\nxcfufmj.dll
    C:\WINDOWS\system32\odaexytd.dll
    C:\WINDOWS\system32\oqxxvhwb.dll
    C:\WINDOWS\system32\ouocxiow.dll
    C:\WINDOWS\system32\rnpqhkcu.dll
    C:\WINDOWS\system32\rtDLlUtv.ini
    C:\WINDOWS\system32\rtDLlUtv.ini2
    C:\WINDOWS\system32\tgdgfxml.dll
    C:\WINDOWS\system32\vacuxlyc.exe
    C:\WINDOWS\system32\vDJRBcdd.ini
    C:\WINDOWS\system32\vDJRBcdd.ini2
    C:\WINDOWS\system32\winpfz32.sys
    C:\WINDOWS\system32\wtitwgcq.dll
    C:\WINDOWS\system32\xvlphfwu.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NETWORK_MONITOR
    -------\Service_sysrest.sys


    ((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
    .

    2008-05-24 10:25 . 2008-05-24 10:25 <DIR> d-------- C:\Deckard
    2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Program Files\COMODO
    2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Comodo
    2008-05-22 13:09 . 2008-05-22 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-05-22 13:09 . 2008-05-23 22:47 143,104 --a------ C:\WINDOWS\system32\guard32.dll
    2008-05-22 13:09 . 2008-05-23 22:47 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
    2008-05-22 13:09 . 2008-05-23 22:47 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-05-22 10:48 . 2008-05-22 10:48 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
    2008-05-22 10:47 . 2008-05-22 10:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-22 10:47 . 2008-05-22 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-22 10:47 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-22 10:47 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-21 08:20 . 2008-05-21 08:20 100,000 --a------ C:\WINDOWS\system32\ormvuofd.dll
    2008-05-21 07:21 . 2008-05-21 07:21 100,000 --a------ C:\WINDOWS\system32\xqmmeclb.dll
    2008-05-14 12:47 . 2008-05-14 12:47 2,992 --a------ C:\WINDOWS\system32\stehgfxb.dll
    2008-05-11 09:41 . 2008-05-11 09:41 <DIR> d-------- C:\Program Files\Lavasoft
    2008-05-11 09:41 . 2008-05-11 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-05-11 08:55 . 2008-05-11 08:56 1,906 --a------ C:\WINDOWS\index.html
    2008-05-11 08:54 . 2008-05-11 08:55 <DIR> d-------- C:\WINDOWS\system32\dFrnx06

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-24 14:19 --------- d-----w C:\Program Files\LogWorks2
    2008-05-22 16:23 --------- d-----w C:\Program Files\Windows Defender
    2008-05-22 16:06 --------- d-----w C:\Documents and Settings\Bill\Application Data\AVG7
    2008-05-22 15:03 --------- d-----w C:\Program Files\Trend Micro
    2008-05-20 01:28 3,556 ----a-w C:\Documents and Settings\Bill\Application Data\wklnhst.dat
    2008-04-03 01:24 --------- d-----w C:\Program Files\Samsung
    2008-03-26 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-03-26 12:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-03-26 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-09-01 22:24 0 ---ha-w C:\Documents and Settings\Kelli\hpothb07.dat
    2007-09-01 22:23 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
    2007-08-06 18:51 34 ----a-w C:\Documents and Settings\All Users\Application Data\amlistx.dat
    2007-08-06 18:51 0 ----a-w C:\Documents and Settings\Bill\Application Data\amopn.dat
    2007-06-25 23:38 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
    2007-06-23 11:15 4 ----a-w C:\Documents and Settings\All Users\Application Data\amsrv.dat
    2007-06-21 23:38 178 ---ha-w C:\Documents and Settings\Kelli\Application Data\hpothb07.dat
    2007-06-21 23:38 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
    2006-05-30 00:33 126 ----a-w C:\Documents and Settings\Kelli\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7f0117b5-9bca-4a13-9788-0ed69ec5ce80}]
    C:\WINDOWS\system32\jgunwmcr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D1CA7BD-8A08-4FB0-8502-219D3BF088B0}]
    C:\WINDOWS\system32\vtUlLDtr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E62BBA2E-5D06-4C99-B375-AC3DD23E44CE}]
    C:\WINDOWS\system32\ddcBRJDv.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-23 22:45 1575680]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-26 08:23 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\MSN Gaming Zone\rtenehd.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "= C:\WINDOWS\system32\guard32.dll
    "LoadAppInit_DLLs "=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG "= Pvmjpg30.dll
    "VIDC.PIM1 "= pclepim1.dll
    "midi2 "= 4375935241.CPX

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Bill\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    --a------ 2008-04-18 13:55 579584 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
    --a------ 2002-10-07 00:23 90112 C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-10 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
    C:\WINDOWS\system32\ctfmona.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    --------- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 15:01 67584 C:\WINDOWS\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
    --------- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule15]
    C:\Program Files\QdrModule\QdrModule15.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
    C:\Program Files\QdrModule\QdrModule16.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack16]
    C:\Program Files\QdrPack\QdrPack16.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-05-18 17:58 98304 C:\Program Files\QuickTime\bak\bak\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    --a------ 2002-06-20 15:30 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysrest32.exe]
    C:\WINDOWS\system32\sysrest32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe "=
    "C:\\WINDOWS\\system32\\mmc.exe "=

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-23 22:47]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-23 22:47]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-24 07:30:00 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job "
    - C:\Program Files\ErrorSmart\ErrorSmart.ex
    - C:\Program Files\ErrorSmart
    "2006-05-25 00:35:25 C:\WINDOWS\Tasks\ISP signup reminder 1.job "
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-25 08:26:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\WLTRYSVC.EXE
    C:\WINDOWS\system32\BCMWLTRY.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-25 8:30:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-25 12:30:19

    Pre-Run: 12,335,886,336 bytes free
    Post-Run: 12,851,826,688 bytes free

    232 --- E O F --- 2008-05-22 16:28:22
     
  17. 2008/05/25
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    the awf report



    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Sun 05/25/2008
    The current time is: 11:24:13.96


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\WIFD1F~1\BAK

    11/03/2006 08:20 PM 866,584 MSASCui.exe
    1 File(s) 866,584 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    12/13/2005 05:41 PM 77,824 hkcmd.exe
    12/13/2005 05:45 PM 118,784 igfxpers.exe
    12/13/2005 05:44 PM 98,304 igfxtray.exe
    12/19/2005 09:08 AM 1,347,584 WLTRAY.exe
    4 File(s) 1,642,496 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

    05/18/2006 05:58 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    11/29/2005 12:56 PM 761,947 SynTPEnh.exe
    1 File(s) 761,947 bytes

    Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

    05/11/2007 03:06 AM 40,048 Reader_sl.exe
    1 File(s) 40,048 bytes

    Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

    03/09/2007 11:09 AM 63,712 apdproxy.exe
    1 File(s) 63,712 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe "
    77824 Dec 13 2005 "C:\drivers\video\onboard\hkcmd.exe "
    77824 Dec 13 2005 "C:\WINDOWS\system32\bak\hkcmd.exe "
    118784 Dec 13 2005 "C:\drivers\video\onboard\igfxpers.exe "
    118784 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxpers.exe "
    98304 Dec 13 2005 "C:\drivers\video\onboard\igfxtray.exe "
    98304 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxtray.exe "
    1347584 Dec 19 2005 "C:\WINDOWS\system32\bak\WLTRAY.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    761947 Nov 29 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe "
    761947 Nov 29 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe "
    40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe "
    63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe "


    end of report
     
  18. 2008/05/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have an active AWF infection that has replaced legitimate files on your system with rogue copies. Let's get them restored and see if we can kill off the infection. Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Highlight and copy the bolded list of files to be restored from below, all quotes included.


    "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    "C:\Program Files\Windows Defender\bak\MSASCui.exe "
    "C:\WINDOWS\system32\bak\hkcmd.exe "
    "C:\WINDOWS\system32\bak\igfxpers.exe "
    "C:\WINDOWS\system32\bak\igfxtray.exe "
    "C:\WINDOWS\system32\bak\WLTRAY.exe "
    "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe "
    "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe "
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe "




    Double-click the FindAWF icon once again.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 2 then Enter to restore files from bak folders

    A text file will open called: files.txt
    Click below the line and paste the list of files to be restored.

    Next, close files.txt and click Yes to save the changes.

    Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log. Please post the contents of the new awf.txt log here, then reboot to allow ATF Cleaner to finish removing temp files that were in use.
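For readers who want to see the check and the restore step the post describes in working form, here is an added illustration; it is not FindAWF's code and not part of the thread. It walks a tree for folders named `bak`, compares each original kept there with the same-named file one level up by size and SHA-256, and copies the original back over a rogue copy. The directory layout and file contents are constructed placeholders modelled on the awf.txt above; terminating a running process is left out.

```python
"""
Detect and restore files that an AWF-style infection has displaced into a
'bak' subfolder, leaving a rogue copy of the same name in the parent folder.
Added illustration, not FindAWF's own code; the sample tree is constructed.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file so 'same name, same size' is not mistaken for 'same file'."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root: Path) -> list[Path]:
    """Every directory named 'bak' (any case) below root, as the option-1 scan lists them."""
    return sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == "bak")


def audit_bak_folders(root: Path) -> list[dict]:
    """
    For each file kept in a bak folder, look for a same-named file one level up.
    status:
      'rogue'    parent copy exists but differs from the bak original (the AWF pattern)
      'same'     parent copy is byte-identical (already restored, or a benign backup)
      'missing'  no parent copy at all
    """
    findings = []
    for bak in find_bak_folders(root):
        for original in sorted(p for p in bak.iterdir() if p.is_file()):
            parent_copy = bak.parent / original.name
            if not parent_copy.exists():
                status = "missing"
            elif (parent_copy.stat().st_size == original.stat().st_size
                  and sha256_of(parent_copy) == sha256_of(original)):
                status = "same"
            else:
                status = "rogue"
            findings.append({"original": original, "parent_copy": parent_copy, "status": status})
    return findings


def restore_from_bak(findings: list[dict]) -> list[Path]:
    """
    Mirror the option-2 restore for 'rogue' entries: delete the rogue copy from
    the parent folder and copy the original back. Returns the restored paths.
    """
    restored = []
    for f in findings:
        if f["status"] != "rogue":
            continue
        f["parent_copy"].unlink()
        shutil.copy2(f["original"], f["parent_copy"])
        restored.append(f["parent_copy"])
    return restored


def build_sample_tree(root: Path) -> None:
    """Constructed sample layout modelled on the awf.txt report; contents are placeholders."""
    # legitimate qttask.exe kept in bak, rogue file of the same name in the parent
    qt = root / "Program Files" / "QuickTime"
    (qt / "bak").mkdir(parents=True)
    (qt / "bak" / "qttask.exe").write_bytes(b"ORIGINAL-QTTASK")
    (qt / "qttask.exe").write_bytes(b"ROGUE-QTTASK")
    # hkcmd.exe already restored: parent and bak copies are identical
    s32 = root / "WINDOWS" / "system32"
    (s32 / "bak").mkdir(parents=True)
    (s32 / "bak" / "hkcmd.exe").write_bytes(b"ORIGINAL-HKCMD")
    (s32 / "hkcmd.exe").write_bytes(b"ORIGINAL-HKCMD")
    # an original in bak with no parent copy at all
    (s32 / "bak" / "WLTRAY.exe").write_bytes(b"ORIGINAL-WLTRAY")


def demo() -> dict:
    """Build the sample tree in a temp dir, audit, restore, audit again; return a summary."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    try:
        build_sample_tree(root)
        before = {f["parent_copy"].name: f["status"] for f in audit_bak_folders(root)}
        restored = [p.name for p in restore_from_bak(audit_bak_folders(root))]
        after = {f["parent_copy"].name: f["status"] for f in audit_bak_folders(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"before": before, "restored": restored, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The size check alone is not enough: the report above lists rogue and original copies with identical sizes, which is why the comparison also hashes both files before calling a parent copy "same".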
     
  19. 2008/05/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I see traces of ErrorSmart, which is reported as adware. If it's listed in Add/Remove programs, I recommend you uninstall it then delete the C:\Program Files\ErrorSmart folder.


    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\ormvuofd.dll
    C:\WINDOWS\system32\xqmmeclb.dll
    C:\WINDOWS\system32\stehgfxb.dll
    C:\WINDOWS\index.html
    C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    Folder::
    C:\WINDOWS\system32\dFrnx06
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D1CA7BD-8A08-4FB0-8502-219D3BF088B0}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E62BBA2E-5D06-4C99-B375-AC3DD23E44CE}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule15]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack16]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysrest32.exe]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  20. 2008/05/25
    2qwk4u

    2qwk4u Inactive Thread Starter

    Joined:
    2008/05/22
    Messages:
    24
    Likes Received:
    0
    OK, here is the new log, then I'll go to the next step...

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Sun 05/25/2008
    The current time is: 16:08:03.39


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    05/18/2006 05:58 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\PROGRA~1\WIFD1F~1\BAK

    11/03/2006 08:20 PM 866,584 MSASCui.exe
    1 File(s) 866,584 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    12/13/2005 05:41 PM 77,824 hkcmd.exe
    12/13/2005 05:45 PM 118,784 igfxpers.exe
    12/13/2005 05:44 PM 98,304 igfxtray.exe
    12/19/2005 09:08 AM 1,347,584 WLTRAY.exe
    4 File(s) 1,642,496 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

    05/18/2006 05:58 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    11/29/2005 12:56 PM 761,947 SynTPEnh.exe
    1 File(s) 761,947 bytes

    Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

    05/11/2007 03:06 AM 40,048 Reader_sl.exe
    1 File(s) 40,048 bytes

    Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

    03/09/2007 11:09 AM 63,712 apdproxy.exe
    1 File(s) 63,712 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    98304 May 18 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe "
    866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe "
    77824 Dec 13 2005 "C:\WINDOWS\system32\hkcmd.exe "
    77824 Dec 13 2005 "C:\drivers\video\onboard\hkcmd.exe "
    77824 Dec 13 2005 "C:\WINDOWS\system32\bak\hkcmd.exe "
    118784 Dec 13 2005 "C:\WINDOWS\system32\igfxpers.exe "
    118784 Dec 13 2005 "C:\drivers\video\onboard\igfxpers.exe "
    118784 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxpers.exe "
    98304 Dec 13 2005 "C:\WINDOWS\system32\igfxtray.exe "
    98304 Dec 13 2005 "C:\drivers\video\onboard\igfxtray.exe "
    98304 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxtray.exe "
    1347584 Dec 19 2005 "C:\WINDOWS\system32\WLTRAY.exe "
    1347584 Dec 19 2005 "C:\WINDOWS\system32\bak\WLTRAY.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    98304 May 18 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe "
    761947 Nov 29 2005 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe "
    761947 Nov 29 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe "
    761947 Nov 29 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe "
    40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe "
    63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe "
    63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe "


    end of report
     
  21. 2008/05/25
    2qwk4u

    2qwk4u Inactive Thread Starter

    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.641 [GMT -4:00]
    Running from: C:\Documents and Settings\Bill\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Bill\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\index.html
    C:\WINDOWS\system32\ormvuofd.dll
    C:\WINDOWS\system32\stehgfxb.dll
    C:\WINDOWS\system32\xqmmeclb.dll
    C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\index.html
    C:\WINDOWS\system32\dFrnx06
    C:\WINDOWS\system32\ormvuofd.dll
    C:\WINDOWS\system32\stehgfxb.dll
    C:\WINDOWS\system32\xqmmeclb.dll
    C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
    .

    2008-05-25 16:08 . 2005-12-19 09:08 1,347,584 --a------ C:\WINDOWS\system32\WLTRAY.exe
    2008-05-25 16:08 . 2005-12-13 17:45 118,784 --a------ C:\WINDOWS\system32\igfxpers.exe
    2008-05-25 16:08 . 2005-12-13 17:44 98,304 --a------ C:\WINDOWS\system32\igfxtray.exe
    2008-05-25 16:08 . 2005-12-13 17:41 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
    2008-05-24 10:25 . 2008-05-24 10:25 <DIR> d-------- C:\Deckard
    2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Program Files\COMODO
    2008-05-22 13:09 . 2008-05-22 13:09 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Comodo
    2008-05-22 13:09 . 2008-05-22 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-05-22 13:09 . 2008-05-23 22:47 143,104 --a------ C:\WINDOWS\system32\guard32.dll
    2008-05-22 13:09 . 2008-05-23 22:47 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
    2008-05-22 13:09 . 2008-05-23 22:47 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2008-05-22 10:48 . 2008-05-22 10:48 <DIR> d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
    2008-05-22 10:47 . 2008-05-22 10:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-22 10:47 . 2008-05-22 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-05-22 10:47 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-05-22 10:47 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-05-11 09:41 . 2008-05-11 09:41 <DIR> d-------- C:\Program Files\Lavasoft
    2008-05-11 09:41 . 2008-05-11 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-25 20:08 --------- d-----w C:\Program Files\Windows Defender
    2008-05-24 14:19 --------- d-----w C:\Program Files\LogWorks2
    2008-05-22 16:06 --------- d-----w C:\Documents and Settings\Bill\Application Data\AVG7
    2008-05-22 15:03 --------- d-----w C:\Program Files\Trend Micro
    2008-05-20 01:28 3,556 ----a-w C:\Documents and Settings\Bill\Application Data\wklnhst.dat
    2008-04-03 01:24 --------- d-----w C:\Program Files\Samsung
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-26 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-03-26 12:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-03-26 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-09-01 22:24 0 ---ha-w C:\Documents and Settings\Kelli\hpothb07.dat
    2007-09-01 22:23 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
    2007-08-06 18:51 34 ----a-w C:\Documents and Settings\All Users\Application Data\amlistx.dat
    2007-08-06 18:51 0 ----a-w C:\Documents and Settings\Bill\Application Data\amopn.dat
    2007-06-25 23:38 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
    2007-06-23 11:15 4 ----a-w C:\Documents and Settings\All Users\Application Data\amsrv.dat
    2007-06-21 23:38 178 ---ha-w C:\Documents and Settings\Kelli\Application Data\hpothb07.dat
    2007-06-21 23:38 0 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
    2006-05-30 00:33 126 ----a-w C:\Documents and Settings\Kelli\Application Data\wklnhst.dat
    2006-12-02 17:50 88 --sha-r C:\WINDOWS\system32\B37DD7F4FB.sys
    2008-01-30 14:24 104 --sha-r C:\WINDOWS\system32\FBF4D77DB3.sys
    2008-01-30 14:24 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-05-25_ 8.30.07.20 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-05-25 12:25:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-05-25 20:17:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-23 22:45 1575680]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run "= "C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-26 08:23 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "= C:\WINDOWS\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG "= Pvmjpg30.dll
    "VIDC.PIM1 "= pclepim1.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Bill\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    --a------ 2008-04-18 13:55 579584 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
    --a------ 2002-10-07 00:23 90112 C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-10 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    --------- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 15:01 67584 C:\WINDOWS\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
    --------- 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\netWaiting.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    --a------ 2002-06-20 15:30 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe "=
    "C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe "=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe "=
    "C:\\WINDOWS\\system32\\mmc.exe "=

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-23 22:47]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-23 22:47]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2006-05-25 00:35:25 C:\WINDOWS\Tasks\ISP signup reminder 1.job "
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-25 16:26:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\guard32.dll

    PROCESS: C:\WINDOWS\system32\lsass.exe
    -> C:\WINDOWS\system32\guard32.dll
    .
    Completion time: 2008-05-25 16:28:24
    ComboFix-quarantined-files.txt 2008-05-25 20:28:04
    ComboFix2.txt 2008-05-25 12:49:25
    ComboFix3.txt 2008-05-25 12:30:24

    Pre-Run: 12,832,432,128 bytes free
    Post-Run: 12,821,839,872 bytes free

    175 --- E O F --- 2008-05-22 16:28:22
     
